I am running into a 401 when running the Gradle sonar task when it comes to accessing the Sonar Cloud API server. The problem occurs with the 6.x release of the Gradle plugin and only in my GH Action.
Executing it locally or with the latest 5.x release of the plugin is no problem.
Execution failed for task ':sonar'.
> java.lang.IllegalStateException: Error status returned by url [https://api.sonarcloud.io/analysis/jres?os=linux&arch=x86_64]: 401
Thanks for the fast feedback, @Colin, and sorry for not directly referring to the workflow file.
If I can somehow assist in further testing, please reach out. I guess we should be able to see the behaviour on a fork or perhaps pull-request.
Of course, that’s clear. I was also wondering why I do not even see the usual *** for a hidden secret in the output. However, the pipeline works with the Sonar 5.x Gradle plugin, but fails with 6.x without any other change.
For either your project/organization, you probably have Execute Analysis permissions set to Anyone. This is a very bad idea, because it means that anybody (authenticated to SonarQube or not) could run an analysis against your project. Eventually, we want to get rid of this option altogether.
So why is it working with v5 of the Scanner for Gradle but not v6? Probably an error on our part. v6 of the Scanner for Gradle calls an API (to support JRE auto-provisioning) that requires authentication, even if you have granted the Execute Analysis permissions to Anyone.
Now, this isn’t great – SonarQube Cloud should do what it says it will do (allow anybody to execute analysis). I’ll raise that as an issue for our team to look at. With that being said, I really don’t recommend that you allow anyone to execute analysis.
Now, I still don’t know why, when you set SONAR_TOKEN, you don’t see it configured correctly. In my runs, I see the *** I expect to see.
If I were you, I’d try setting some other variables and seeing if you get the same results (do they show up as null or ***? Is it specific to the Gradle step or does it happen in other steps as well?)
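As an added example (not from the thread or from SonarSource), a minimal GitHub Actions workflow that passes SONAR_TOKEN to the Gradle sonar task and fails fast if the secret is empty in the job, which is the check the previous post suggests; the action versions, Java version and branch name are assumptions.

```yaml
# Constructed example workflow; file name and branch are assumptions.
name: Sonar analysis
on:
  push:
    branches: [main]
  pull_request:
jobs:
  sonar:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0        # full history so the scanner can compute new code
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'    # assumed; use the project's JDK
      - name: Verify the token reached this job
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: |
          # GitHub does not pass repository secrets to pull_request runs
          # coming from forks, so this step stops such runs before the
          # scanner fails with a 401 against the SonarCloud API.
          if [ -z "$SONAR_TOKEN" ]; then
            echo "SONAR_TOKEN is empty in this job; secret not available"
            exit 1
          fi
          echo "SONAR_TOKEN is set"
      - name: Run Gradle sonar task
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: ./gradlew sonar --info
```

With the token supplied this way, the project no longer needs the Execute Analysis permission granted to Anyone.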
Could you elaborate a little more on why you consider allowing anyone to “Execute [the] Analysis” a bad idea, @Colin?
In this case this is an OSS project. I would like to allow anyone to execute the analysis for their changes. It shouldn’t matter whether they start the Sonar plugin from a PR or from their local machine. We would like to find possible issues as early as possible (and not first merge them).
If anybody can execute an analysis against your project, anybody who points an analysis at your main branch can overwrite it.
That can be by accident (developer who forgets to set sonar.branch.name) or intentional as a nuisance (or worse, imagine somebody who finds a vulnerability in your project and runs an analysis excluding that file from detection so that it goes undiscovered for longer).
Suggesting that developers use SonarQube for IDE to detect issues early, and using Automatic Analysis on your project is preferable if you have a lot of external contributors.
I wonder a little bit whether those are not separate concerns which could be split up during Analysis execution and therefore also in the permission schema.
As an arbitrary contributor or during the PR execution (from a fork) I would like to check whether my changes violate the quality gates (and thus would break the build on a regular/trunk branch, e.g., main or master). Then the execution of the sonar task should break the build. But the results need not be published to the Sonar Server (-Cloud).
As a project committer and maintainer I would like to see some report of the status on the public SonarCloud project page for my branches (from a non-forked project).
So what I am missing is an opportunity to read the respective information (configured Quality Gate for example) to analyse the build and make it succeed or fail. This seems not to be possible when dropping the “Execute Analysis” permission and not authenticating via token (Error Project not found. Please check the 'sonar.projectKey' and 'sonar.organization' properties, the 'SONAR_TOKEN' environment variable, or contact the project administrator to check the permissions of the user the token belongs).
So, is there any way to perform the analysis without a token and without the “Execute Analysis” grant (and of course without upload of results)? If not, would you (SonarQube) implement such an opportunity?
Running analysis without submitting the results to SonarQube (outside of an IDE context with SonarQube for IDE) is just not on our roadmap. We think the experience is best in the SonarQube UI as opposed to a local report, and it makes things like usage-based licensing very difficult to implement.
With all of that being said, we want the experience for open source projects to be a positive one and we know that the experience with external contributors and permissions isn’t always ideal today. I’ll make sure your feedback gets passed along to the right team.