
SonarQube MCP Server — agentic threat model

AIVSS 8.5 · High

The SonarQube MCP Server connects LLMs directly to code analysis platforms, introducing a high-risk tool-output injection surface where malicious code snippets or poisoned repository metadata can manipulate the agent's behavior.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 7.5 · AARS uplift 0.97 · Factor sum 3.7/10 · Threat ×1.05 · Mitigation ×1.0

Agentic risk factors:
Autonomy of Action: 0.30
Goal-Driven Planning: 0.20
Self-Modification: 0.10
Dynamic Tool Use: 0.60
Persistent Memory: 0.20
Contextual Awareness: 0.70
Dynamic Identity: 0.40
Multi-Agent Interactions: 0.30
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
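As an added example (not code from the AgentReady listing or the OWASP AIVSS calculator), the following Python reproduces the 8.5 score from the formula and the ten factor values given above; the clamp at 10.0 and the CVSS v3.x severity bands are assumptions, since the listing does not state them.

```python
# Added example: recomputes the listing's AIVSS score from the page's formula.
# Not code from the AgentReady page or the OWASP AIVSS calculator.

# Agentic risk factors exactly as listed on the page.
SONARQUBE_MCP_FACTORS = {
    "Autonomy of Action": 0.30,
    "Goal-Driven Planning": 0.20,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.60,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.70,
    "Dynamic Identity": 0.40,
    "Multi-Agent Interactions": 0.30,
    "Non-Determinism": 0.50,
    "Opacity & Reflexivity": 0.40,
}


def aivss(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """Return (factor_sum, aars, score) rounded the way the listing prints them.

    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
    AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
    """
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must lie in [0, 10]")
    if len(factors) != 10 or any(not 0.0 <= v <= 1.0 for v in factors.values()):
        raise ValueError("expected ten agentic factors, each in [0, 1]")
    factor_sum = sum(factors.values())
    # AARS is the headroom above the CVSS base, scaled by how agentic the
    # system is (Factor_Sum / 10) and by the threat multiplier ThM.
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    # Assumption: the combined score is capped at the CVSS ceiling of 10.0.
    score = min(10.0, (cvss_base + aars) * mitigation_factor)
    return round(factor_sum, 2), round(aars, 2), round(score, 1)


def severity(score):
    """Qualitative band; assumed to follow the CVSS v3.x ranges."""
    for floor, name in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if score >= floor:
            return name
    return "None"


if __name__ == "__main__":
    # The listing's inputs: CVSS base 7.5, threat x1.05, mitigation x1.0.
    total, aars, score = aivss(7.5, SONARQUBE_MCP_FACTORS, 1.05, 1.0)
    print(f"factor sum {total}, AARS {aars}, AIVSS {score} ({severity(score)})")
```

Lowering the mitigation factor (e.g. 0.9 for documented guardrails) scales the whole score, while the threat multiplier only scales the AARS uplift.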

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary for layers the public description did not pin down.

L1 · Foundation Models · ✓ mapped

The foundation model is highly vulnerable to indirect prompt injection (reprogramming) because the MCP server feeds raw code snippets, security hotspots, and project issues directly back into the model context.

L2 · Data Operations · ✓ mapped

Data operations rely on SonarQube Server or Cloud integrations. A compromised repository or malicious code snippet acts as poisoned data, which is retrieved and processed by the agent, potentially exfiltrating context via outbound tool calls.

L3 · Agent Frameworks · ✓ mapped

The agent framework exposes tools to query SonarQube APIs. Insecure tool integration could allow an attacker to craft malicious code that, when analyzed, triggers tool misuse or unauthorized API queries to other projects.

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing — Deployment requires hosting the MCP server and managing sensitive SonarQube API tokens. If the hosting environment lacks sandboxing, a compromised token could lead to unauthorized access to private codebases.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — There is no mention of built-in guardrails, input sanitization, or anomaly detection to inspect the code snippets and analysis results before they are fed back to the LLM.

L6 · Security & Compliance (cross-cutting) · ✓ mapped

Security relies heavily on the underlying SonarQube instance's RBAC. If the MCP server uses a highly privileged service token, any user interacting with the agent inherits those broad read/write permissions across projects.

L7 · Agent Ecosystem · ✓ mapped

In a multi-agent ecosystem, other agents relying on this MCP server's output could be deceived if this agent is fed manipulated code analysis results, leading to cascading trust failures in automated CI/CD pipelines.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).