SonarQube Error: Invalid URL: loopback and wildcard addresses are not allowed for webhooks

Last Updated on January 31, 2023

Context

To set the context, consider a scenario where a Sonar analysis is performed by SonarQube and has been triggered by a CI tool like Jenkins. To pass the result of the analysis performed in SonarQube back to Jenkins, we want to set up a webhook in SonarQube and provide the URL of the Jenkins server in the webhook, followed by /sonarqube-webhook.

But as we try to set up the URL in SonarQube, we get the error “Invalid URL: loopback and wildcard addresses are not allowed for webhooks”. Let us understand what this message means and its resolution.

What is a loopback and wildcard address

A loopback address is one where any attempt to access it routes to the same host computer. The most common IP addresses used on the loopback network are 127.0.0.1 for IPv4 and ::1 for IPv6. We use the common domain name localhost for these loopback addresses. By default, local addresses cannot be used in a webhook, although earlier versions of SonarQube allowed them by default. As mentioned in the tool, they are not allowed in order to prevent exposing the instance to security risks.

In the case of a wildcard address, it uses wildcard masks to allow or deny access to all the traffic from a network IP address.

While these are useful concepts, SonarQube does not allow these addresses to be used in the webhook URL by default.

Solution

The solution is to use a private or public IP address, or to use a DNS service so that you can use a hostname.
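As an added example (not SonarQube's code, and not part of the original post), the following Python check lets you test a Jenkins webhook URL for loopback and wildcard targets before entering it in SonarQube. It assumes that "wildcard" means the unspecified address (0.0.0.0 or ::); the hostnames and the 10.0.0.12 address in the demo are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def system_resolver(host):
    """Return the set of IP strings the local resolver gives for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def classify_address(addr):
    """Return 'loopback', 'wildcard' or None for one IP address string."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    # Treat IPv4-mapped IPv6 (::ffff:127.0.0.1) as the IPv4 address inside it.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    if ip.is_loopback:
        return "loopback"
    # Assumption: "wildcard" means the unspecified address, 0.0.0.0 or ::
    if ip.is_unspecified:
        return "wildcard"
    return None


def check_webhook_url(url, resolver=system_resolver):
    """Return (ok, reason) for a candidate webhook URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "not an http(s) URL with a host"
    host = parts.hostname
    try:
        addrs = {str(ipaddress.ip_address(host))}  # host is an IP literal
    except ValueError:
        try:
            addrs = set(resolver(host))  # host is a name: check every answer
        except OSError as exc:
            return False, f"cannot resolve {host}: {exc}"
    for addr in sorted(addrs):
        kind = classify_address(addr)
        if kind:
            return False, f"{host} -> {addr} is a {kind} address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed DNS answers so the demo runs offline.
    dns = {"localhost": {"127.0.0.1", "::1"}, "jenkins.example.internal": {"10.0.0.12"}}
    for host in ("localhost", "0.0.0.0", "jenkins.example.internal"):
        url = f"http://{host}:8080/sonarqube-webhook"
        print(url, check_webhook_url(url, resolver=dns.__getitem__))
```

A hostname is checked against every address it resolves to, so a name that points at 127.0.0.1 is flagged just like the literal IP.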

Webhook in SonarQube

If you are in the testing stage and want to use local addresses for your testing, you can temporarily disable the default option as shown below. Do not forget to reset the option once you are done with testing on the local system. Go to Administration > Configurations > Security.

Security Configuration

In the Security section, look for the option that says Enable local webhooks validation. This is enabled by default. You just need to disable it. You can enable it again once you are done with your testing.

Let us know if you found this post helpful.
