401 during GH workflow of Gradle sonar task with SonarCloud

I am running into a 401 running the Gradle sonar task when it comes to accessing the Sonar Cloud API server. The problem occurs with the 6.x release of the Gradle plugin and only in my GH Action.

Executing it locally or with the latest 5.x release of the plugin is no problem.

In detail

Execution failed for task ':sonar'.
> java.lang.IllegalStateException: Error status returned by url [https://api.sonarcloud.io/analysis/jres?os=linux&arch=x86_64]: 401

Hey there.

How are you providing authentication to the scanner? With SONAR_TOKEN, or some other way (somehow including the info in a build.gradle file, etc.)

  - name: Build and analyze
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
    run: ./gradlew build sonar --info

It would be useful to see your full GitHub Actions Pipeline YML!

Thanks for the fast feedback, @Colin, and sorry for not directly referring to the workflow file.
If I can somehow assist in further testing, please reach out. I guess we should be able to see the behaviour on a fork or perhaps pull-request.

Hey @ascheman

I’m going to go out on a limb here and say that while you reference SONAR_TOKEN in your workflow file, it might not actually have a value defined.

##[debug]Evaluating: secrets.GITHUB_TOKEN
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'GITHUB_TOKEN'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Evaluating: secrets.SONAR_TOKEN
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'SONAR_TOKEN'
##[debug]=> null
##[debug]Result: null

I believe you need to set SONAR_TOKEN to a valid token in your repository variables/secrets.

Of course, that’s clear. I was also wondering why I do not even see the usual *** for a hidden secret in the output. However, the pipeline works with the Sonar 5.x Gradle plugin, but fails with 6.x without any other change.

I have explicitly set a new token as secret SONAR_TOKEN:

But it does not show up in the debug output.
Even if I delete it, the workflow works like a charm with Sonar 5.x.

Perhaps a GH action problem?

But what is even more strange: I have tried to run the sonar analysis locally and didn’t set a SONAR_TOKEN environment variable.

  • Works fine with Sonar 5, but
  • Does not work with Sonar 6!

What other means of authentication are there?
Setting a valid SONAR_TOKEN makes no difference.

@ascheman I think there are two things going on.

  1. For either your project/organization, you probably have Execute Analysis permissions set to Anyone. This is a very bad idea, because it means that anybody (authenticated to SonarQube or not) could run an analysis against your project. Eventually, we want to get rid of this option altogether.

  2. So why is it working with v5 of the Scanner for Gradle but not v6? Probably an error on our part. v6 of the Scanner for Gradle calls an API (to support JRE auto-provisioning) that requires authentication, even if you have granted the Execute Analysis permissions to Anyone.

    Now, this isn’t great – SonarQube Cloud should do what it says it will do (allow anybody to execute analysis). I’ll raise that as an issue for our team to look at. With that being said, I really don’t recommend that you allow anyone to execute analysis.

Now, I still don’t know why, when you set SONAR_TOKEN, you don’t see it configured correctly. In my runs, I see the *** I expect to see.

2024-12-19T12:36:59.2206554Z ##[debug]..Evaluating String:
2024-12-19T12:36:59.2206679Z ##[debug]..=> 'GITHUB_TOKEN'
2024-12-19T12:36:59.2207163Z ##[debug]=> '***'
2024-12-19T12:36:59.2207380Z ##[debug]Result: '***'
2024-12-19T12:36:59.2208024Z ##[debug]Evaluating: secrets.SONAR_TOKEN
2024-12-19T12:36:59.2208126Z ##[debug]Evaluating Index:
2024-12-19T12:36:59.2208216Z ##[debug]..Evaluating secrets:
2024-12-19T12:36:59.2208328Z ##[debug]..=> Object
2024-12-19T12:36:59.2208433Z ##[debug]..Evaluating String:
2024-12-19T12:36:59.2208527Z ##[debug]..=> 'SONAR_TOKEN'
2024-12-19T12:36:59.2208768Z ##[debug]=> '***'
2024-12-19T12:36:59.2208938Z ##[debug]Result: '***'

If I were you, I’d try setting some other variables and seeing if you get the same results (do they show up as null or ***? Is it specific to the Gradle step or does it happen in other steps as well?)
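The debug output above shows `secrets.SONAR_TOKEN` evaluating to `null`, which the scanner step only surfaces as a 401 much later. As an added example (not part of this thread, and not SonarSource's or GitHub's code), here is a small preflight that can run as its own `run:` step before `./gradlew build sonar`, following Colin's suggestion to check several variables at once: it fails the job immediately, with a GitHub Actions `::error::` annotation, if any named secret is unset or empty, and prints only the length of each value so the token itself never reaches the log. The secret names and the sample value in the usage lines are assumptions for illustration.

```shell
#!/bin/sh
# Preflight check for workflow secrets that are passed in via an `env:` block.
# Usage (inside a GitHub Actions step, before the Gradle sonar task):
#   - name: Check secrets
#     env:
#       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
#       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
#     run: . ./check_secrets.sh && require_secrets SONAR_TOKEN GITHUB_TOKEN
#
# require_secrets NAME... -> returns 0 if every NAME is set to a non-empty
# value, 1 otherwise. Prints one line per variable; never prints the value.
require_secrets() {
    missing=0
    for name in "$@"; do
        # Indirect lookup in POSIX sh: the eval'd text is a plain assignment,
        # so the value is not word-split or re-interpreted.
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            # `::error::` is a GitHub Actions workflow command; it shows up as
            # a red annotation on the job instead of a 401 from the scanner.
            echo "::error::$name is unset or empty. Check the repository/organization secrets and the env: block of this step." >&2
            missing=$((missing + 1))
        else
            # Length only: GitHub masks registered secrets with ***, but a value
            # that is not coming from secrets.* would be echoed in clear.
            echo "$name is set (${#value} characters)"
        fi
    done
    [ "$missing" -eq 0 ]
}

# Stand-alone demonstration with a constructed (fake) token value.
if [ "${1:-}" = "--demo" ]; then
    SONAR_TOKEN=constructed-fake-token require_secrets SONAR_TOKEN
    echo "missing case exits with: $( (unset SONAR_TOKEN; require_secrets SONAR_TOKEN) 2>/dev/null; echo $? )"
fi
```

Sourcing the file and calling `require_secrets` as a separate step keeps the failure next to its cause: if the secret is not defined for the repository, the organization, or the environment the job runs in, this step fails before the Gradle step ever contacts the API.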

Thanks a lot, @Colin. Will take care of the project permissions in the next days and dig deeper into the secret invisibility as well.

Regarding the debug output you sent: Is it from our project, e.g., from a fork or from something else?

No, just my own project.