401 error during waitForQualityGate when running sonar-scanner for MSBuild in Jenkins pipeline

jenkins
sonarqube

(Napoleone Piani) #1

Hello,

We are trying to set up a Quality Gate step in our Jenkins pipeline as specified in this link in the SonarQube docs. The analysis runs fine, but as soon as we hit the waitForQualityGate() instruction, we get an error like the following:

org.sonarqube.ws.client.HttpException: Error 401 on https://<SONAR_URL>/api/ce/task?id=AWVDbTfzpzqbN_7rzK2s

I don’t manage our Jenkins server, but I believe the configuration is the following:

  • Jenkins version: 2.107
  • SonarQube plugin: 2.7.1 (not 2.6.1 as the post originally said)
  • Sonar Scanner for MSBuild: 4.2.0.1214

Sample of how we are running the analysis (there is more code outside this to set up a node):

withSonarQubeEnv('Sonar') {
    docker.image('temp-sonarqube:latest').inside() {
        withEnv(['HOME=/app','DOTNET_CLI_TELEMETRY_OPTOUT=1']) {
            sh "cd /app && dotnet /sonar-scanner/SonarScanner.MSBuild.dll begin" +
                " /k:MY_PROJECT_KEY" +
                " /d:sonar.login=${SONAR_TOKEN}" +
                " /d:sonar.verbose=true"

            sh "cd /app && dotnet build -c Release"

            sh "cd /app && dotnet /sonar-scanner/SonarScanner.MSBuild.dll end" +
            " /d:sonar.login=${SONAR_TOKEN}"

            // Used to solve missing task ID issue
            sh "cp /app/.sonarqube/out/.sonar/report-task.txt ."
        }
    }
}

Sample of how we are running our Quality Gate: (step that fails)

stage("Quality Gate") {
    timeout(time: 1, unit: 'HOURS') {
        def qualityGate = waitForQualityGate()
        if (qualityGate.status == 'ERROR') {
            currentBuild.result = 'UNSTABLE'
        }
    }
}

Any help would be appreciated.

Thanks!


(Amaury Levé) #2

Hi @npiani,

May I ask if you have a reason not to update to a newer version of the Jenkins plugin and/or the Scanner for MSBuild? I am asking because you are referencing quite old versions and the issues you are facing might have been fixed in newer versions.


(Napoleone Piani) #3

@Ammo Just edited my question. The MSBuild scanner is actual 4.2, not 1.2 (my bad!)

As for the SonarQube plugin for Jenkins, we are on a shared environment with other teams and the team that manages the setup is concerned about updating the plugin. I might be able to have them update it on their staging environment though.

Thanks!


(Amaury Levé) #4

Regarding the Jenkins plugin, I am mainly asking because I can see a couple of maybe related tickets that have been fixed on some previous versions.

If you could have a test on the staging environment that would be great!


(Napoleone Piani) #6

@Ammo we have updated the Sonar plugin to v2.8 and the sonar-scanner for MSBuild to version 4.3.1.1372 and we got the same error.

The full stack trace of the error is as follows:

org.sonarqube.ws.client.HttpException: Error 401 on https://<SONAR_URL>/api/ce/task?id=AWVZeMJMpzqbN_7rzK4W
	at org.sonarqube.ws.client.BaseResponse.failIfNotSuccessful(BaseResponse.java:34)
	at hudson.plugins.sonar.client.HttpClient.getHttp(HttpClient.java:38)
	at hudson.plugins.sonar.client.WsClient.getCETask(WsClient.java:51)
	at org.sonarsource.scanner.jenkins.pipeline.WaitForQualityGateStep$Execution.checkTaskCompleted(WaitForQualityGateStep.java:183)
	at org.sonarsource.scanner.jenkins.pipeline.WaitForQualityGateStep$Execution.start(WaitForQualityGateStep.java:129)
	at org.jenkinsci.plugins.workflow.cps.DSL.invokeStep(DSL.java:229)
	at org.jenkinsci.plugins.workflow.cps.DSL.invokeMethod(DSL.java:153)
	at org.jenkinsci.plugins.workflow.cps.CpsScript.invokeMethod(CpsScript.java:108)
	at sun.reflect.GeneratedMethodAccessor464.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93)
	at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1213)
	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1022)
	at org.codehaus.groovy.runtime.callsite.PogoMetaClassSite.call(PogoMetaClassSite.java:42)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:157)
	at org.kohsuke.groovy.sandbox.GroovyInterceptor.onMethodCall(GroovyInterceptor.java:23)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:133)
	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:155)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:159)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:129)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:129)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:129)
	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:17)
	at WorkflowScript.run(WorkflowScript:58)
	at ___cps.transform___(Native Method)
	at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:57)
	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:109)
	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixName(FunctionCallBlock.java:77)
	at sun.reflect.GeneratedMethodAccessor446.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
	at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
	at com.cloudbees.groovy.cps.Next.step(Next.java:83)
	at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:174)
	at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:163)
	at org.codehaus.groovy.runtime.GroovyCategorySupport$ThreadCategoryInfo.use(GroovyCategorySupport.java:122)
	at org.codehaus.groovy.runtime.GroovyCategorySupport.use(GroovyCategorySupport.java:261)
	at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:163)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:19)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:35)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:32)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:108)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:32)
	at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:174)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:331)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$200(CpsThreadGroup.java:82)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:243)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:231)
	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:64)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:131)
	at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)

(Nicolas Bontoux) #7

That HTTP 401 error definitely means a permission problem, so I would surely recommend to double-check the token in use, and whether the user it relates to has sufficient permissions to query the Quality Gate data (you can see the 401 is on api/ce/task, so you can try querying manually to understand what’s going on).

You can also double-check this thread:

Ultimately poking around with user/tokens/permissions should let you understand the root of this error.


(Napoleone Piani) #8

@NicoB Do you know of a way to specify the access token when using the waitForQualityGate() step? I am configuring this with a Jenkins pipeline.

If I query the api/ce/task URL directly while I am logged in I get a JSON result as I expect, but if I query it from an incognito window I also get a 401. Not sure if it’s relevant but Force user authentication is also disabled for the SonarQube server.

Our Jenkins is set up with a default token for the SonarQube instance as shown in the image below (I am using the Staging-Sonarqube instance in my pipeline)

We are trying to figure out if this is an issue on the SonarQube side or the Jenkins side.

Thanks!