[2025.1 / ADO 7.1.1] Error fetching component measures during Publish

• SonarQube Server Developer v2025.1 (102418)
• Deployment: zip
• ADO SonarQube Extension 7.1.1
• SonarScanner for MSBuild 9.0.2

We upgraded from 10.3 to 2025.1 and updated the Azure DevOps Extensions to 7.1.1.
When publishing the SQ analysis results we get the following result (focus on line at 08:33:25.7314580Z):

2025-02-17T08:33:16.0139297Z ##[section]Starting: Publish SonarQube analysis results
2025-02-17T08:33:16.0144661Z ==============================================================================
2025-02-17T08:33:16.0144890Z Task         : Publish Quality Gate Result
2025-02-17T08:33:16.0145002Z Description  : Publish SonarQube Server's Quality Gate result on the Azure DevOps build result, to be used after the actual analysis.
2025-02-17T08:33:16.0145243Z Version      : 7.1.1
2025-02-17T08:33:16.0145344Z Author       : sonarsource
2025-02-17T08:33:16.0145436Z Help         : [More Information](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarqube-extension-for-azure-devops/)
2025-02-17T08:33:16.0145698Z ==============================================================================
2025-02-17T08:33:16.3980922Z [INFO]  SonarQube Server: Server version: 2025.1.0.102418
2025-02-17T08:33:25.6913662Z [INFO]  SonarQube Server: Task 892d4c0e-7564-4854-9a1f-8f8e1adf6740 completed
2025-02-17T08:33:25.6914508Z [INFO]  SonarQube Server: Analysis succeeded with warning: Specifying module-relative paths at project level in the property 'sonar.coverage.exclusions' is deprecated. To continue matching files like '*****', update this property so that patterns refer to project-relative paths.
2025-02-17T08:33:25.6915469Z [INFO]  SonarQube Server: Analysis succeeded with warning: Multi-Language analysis is enabled. If this was not intended and you have issues such as hitting your LOC limit or analyzing unwanted files, please set "/d:sonar.scanner.scanAll=false" in the begin step.
2025-02-17T08:33:25.7314580Z [INFO]  SonarQube Server: Error fetching component measures: API GET '/api/measures/component' failed. Error message: Request failed with status code 403.
2025-02-17T08:33:25.7554571Z [INFO]  SonarQube Server: Overall Quality Gate status: failed
2025-02-17T08:33:25.8609817Z ##[section]Finishing: Publish SonarQube analysis results

Sidenote:

• The DevOps Platform Integrations still says Configuration valid.
• no errors in the Prepare Analaysis Configuration task

Hi,

A 403 is a permissions error. I believe this is about the PAT you’ve configured at the project level and unrelated to your SonarQube upgrade. PATs expire, so you may need to generate a new one. Or remove the project-level PAT and let everything fall back to the globally-configured PAT.

 
HTH,
Ann

I’m not the original poster of this question but in our case, we also get this [INFO] warning in our iOS pipeline and I double checked that we use global PAT in our Service connection.

Scanner Info

SonarScanner CLI 6.2.1.4610
Java 17.0.14 Eclipse Adoptium (64-bit)
Mac OS X 13.7.2 x86_64

Logs

==============================================================================
Task         : Publish Quality Gate Result
Description  : Publish SonarQube Server's Quality Gate result on the Azure DevOps build result, to be used after the actual analysis.
Version      : 7.1.1
Author       : sonarsource
Help         : [More Information](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarqube-extension-for-azure-devops/)
==============================================================================
[INFO]  SonarQube Server: Server version: 2025.1.0.102418
[INFO]  SonarQube Server: Task XXX completed
[INFO]  SonarQube Server: Error fetching component measures: API GET '/api/measures/component' failed. Error message: Request failed with status code 403.
[INFO]  SonarQube Server: Overall Quality Gate status: ok

Hi @jbims,

Can you double-check to see if there’s also a PAT configured at the project level?

Additionally, can you take a look at the Sonar token used for analysis? Is it an analysis token? And if the latter, does the user have both Analysis and Browse on the project?

 
Thx,
Ann

Hello Ann,

Here is the PAT screenshot. We only have one PAT that’s added to the service connection on Azure. There is no other PAT configured at the project level.

Also I don’t understand what you mean by sonar token used for analysis. There is no other token we use. We don’t use on the pipeline as the assumption was there that it’s using one from the service connection.

Do we need any more tokens?

Screenshot 2025-02-19 at 9.26.54 AM2938×342 19.8 KB

Hi,

There are two tokens involved here. There’s the Sonar token that you use during analysis so that SonarQube knows you have permission to anlayze and update the project. And there’s the Azure PAT that SonarQube uses after the analysis report is processed to let Azure know it has permission to update the project on that side.

 
Ann

Sorry I’m confused. Where to set those two tokens different tokens? Our both android and iOS pipeline works right now with just service connection (except this fetching component problem)

This is what our pipeline looks like for Android,

  - task: SonarQubePrepare@7
    inputs:
      SonarQube: '<Service Connection Name>'
      scannerMode: 'Other'
      extraProperties: 'sonar.projectKey=KEY'
  - task: Gradle@3
    displayName: 'Lint'
    inputs:
      workingDirectory: ''
      sonarQubeRunAnalysis: true
      sonarQubeGradlePluginVersion: '6.0.1.5171'
      gradleWrapperFile: 'gradlew'
      tasks: 'spotlessCheck lintDebug --no-configuration-cache'
  - task: SonarQubePublish@7
    inputs:
      pollingTimeoutSec: '300'

Azure integration is also done through Sonar Dashboard like this. So you mean that here the PAT that we used for connecting this has some permission issues? What kind of permissions that PAT should need?

Screenshot 2025-02-19 at 12.02.15 PM2596×882 149 KB

Hi,

The PAT is set through the SonarQube UI.

The Sonar token is set on the pipeline side.

Can we go back to this, please?

 
Ann

Yes, token is global analysis token and user is the administrator of the sonar project. Does being administrator mean that user has both analysis and browse on the projects? Or is there a way to specifically check that on sonar dashboard?

Hi,

The permissions are granular. Having Admin does not grant Browse. Can you verify that the user has Browse, please?

 
Thx,
Ann

This link says the browse is only applicable to private project but our project is already public.

On the other side, your granular permission comment made me realize that the administrator has only one of these permissions. Should I check all four for the admins? Would that solve our problem?

Screenshot 2025-02-19 at 2.44.41 PM3248×340 26.3 KB

I just tried again after checking all the four boxes of permissions to admins and again got the same warning in the sonar-publish step.

original poster again (my notification mails went into spam …):

I checked both tokens

• were created mid january, both expire at the end of april
• ADOS token für SQ PR decoration: has Code (Read & write)
• SQ token for publishing analysis is a global analysis token

No info or warning messages during publish on the same day before the upgrade:

Starting: Publish SonarQube analysis results
==============================================================================
Task         : Publish Quality Gate Result
Description  : Publish SonarQube's Quality Gate result on the Azure DevOps build result, to be used after the actual analysis.
Version      : 6.3.2
Author       : sonarsource
Help         : [More Information](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarqube-extension-for-azure-devops/)
==============================================================================
Finishing: Publish SonarQube analysis results

Hi @michha,

Thanks for those details. I’m going to flag this for more expert eyes.

 
Ann