401 Unauthorized from Azure DevOps Sonarqube extension

Template for a good bug report, formatted with Markdown:

  • versions used:
    - Sonarqube 7.9.1 (from Docker Hub), SonarQube Azure DevOps extension 4.8.0, running Azure Pipelines on Microsoft-hosted build agents.
  • Error is: 401 Unauthorized when running ‘Prepare analysis’ task.
  • Extension has been configured with Token, there is no user/password config option for this extension. However, in full output mode, the following shows in the logs:
2019-09-23T14:52:16.4210820Z ##[debug]fdc5fbce-98c2-4698-a491-6966e8c4216f=https://<redacted>/
2019-09-23T14:52:16.4213017Z ##[debug]fdc5fbce-98c2-4698-a491-6966e8c4216f auth param apitoken = null
2019-09-23T14:52:16.4215750Z ##[debug]fdc5fbce-98c2-4698-a491-6966e8c4216f auth param username = ***
2019-09-23T14:52:16.4216973Z ##[debug]fdc5fbce-98c2-4698-a491-6966e8c4216f auth param password = ***

This implies that the token is being ignored, and some unchangeable username/password combination is being used. I’ve removed the extension and re-installed, and also recreated the service connection multiple times, but it continues to fail.

More complete log output:

2019-09-23T14:52:16.4210820Z ##[debug]fdc5fbce-98c2-4698-a491-6966e8c4216f=https://<Removed>/
2019-09-23T14:52:16.4213017Z ##[debug]fdc5fbce-98c2-4698-a491-6966e8c4216f auth param apitoken = null
2019-09-23T14:52:16.4215750Z ##[debug]fdc5fbce-98c2-4698-a491-6966e8c4216f auth param username = ***
2019-09-23T14:52:16.4216973Z ##[debug]fdc5fbce-98c2-4698-a491-6966e8c4216f auth param password = ***
...
2019-09-23T14:52:16.8368357Z ##[debug][SQ] Branch and PR parameters: {"sonar.scanner.metadataFilePath":"d:\\a\\_temp\\sonar\\20190923.23\\cfbb44b9-8498-0941-9a89-6307e0039821\\report-task.txt"}
2019-09-23T14:52:16.8372423Z ##[debug]extraProperties=# Additional properties that will be passed to the scanner, 
2019-09-23T14:52:16.8377096Z ##[debug]set SONARQUBE_SCANNER_MODE=MSBuild
2019-09-23T14:52:16.8395024Z ##[debug]Processed: ##vso[task.setvariable variable=SONARQUBE_SCANNER_MODE;issecret=false;]MSBuild
2019-09-23T14:52:16.8395586Z ##[debug]set SONARQUBE_ENDPOINT=********
2019-09-23T14:52:16.8396741Z ##[debug]Processed: ##vso[task.setvariable variable=SONARQUBE_ENDPOINT;issecret=true;]***
2019-09-23T14:52:16.8397170Z ##[debug]set SONARQUBE_SCANNER_PARAMS={"sonar.host.url":"https://<Removed>/","sonar.login":***,"sonar.password":***,"sonar.projectKey":"Core-API","sonar.projectName":"Core-API","sonar.projectVersion":"1.0","sonar.scanner.metadataFilePath":"d:\\a\\_temp\\sonar\\20190923.23\\cfbb44b9-8498-0941-9a89-6307e0039821\\report-task.txt"}
2019-09-23T14:52:16.8397734Z ##[debug]Processed: ##vso[task.setvariable variable=SONARQUBE_SCANNER_PARAMS;issecret=false;]{"sonar.host.url":"https://<Removed>/","sonar.login":***,"sonar.password":***,"sonar.projectKey":"<Removed>","sonar.projectName":"<Removed>","sonar.projectVersion":"1.0","sonar.scanner.metadataFilePath":"d:\\a\\_temp\\sonar\\20190923.23\\cfbb44b9-8498-0941-9a89-6307e0039821\\report-task.txt"}
2019-09-23T14:52:16.8407723Z ##[debug]Absolute path for pathSegments: d:\a\_tasks\SonarQubePrepare_15b84ca1-b62f-4a2a-a403-89b77a063157\4.8.0,classic-sonar-scanner-msbuild,SonarScanner.MSBuild.exe = d:\a\_tasks\SonarQubePrepare_15b84ca1-b62f-4a2a-a403-89b77a063157\4.8.0\classic-sonar-scanner-msbuild\SonarScanner.MSBuild.exe
2019-09-23T14:52:16.8408199Z ##[debug]Using classic scanner at d:\a\_tasks\SonarQubePrepare_15b84ca1-b62f-4a2a-a403-89b77a063157\4.8.0\classic-sonar-scanner-msbuild\SonarScanner.MSBuild.exe
2019-09-23T14:52:16.8408473Z ##[debug]set SONARQUBE_SCANNER_MSBUILD_EXE=d:\a\_tasks\SonarQubePrepare_15b84ca1-b62f-4a2a-a403-89b77a063157\4.8.0\classic-sonar-scanner-msbuild\SonarScanner.MSBuild.exe
2019-09-23T14:52:16.8408852Z ##[debug]Processed: ##vso[task.setvariable variable=SONARQUBE_SCANNER_MSBUILD_EXE;issecret=false;]d:\a\_tasks\SonarQubePrepare_15b84ca1-b62f-4a2a-a403-89b77a063157\4.8.0\classic-sonar-scanner-msbuild\SonarScanner.MSBuild.exe
2019-09-23T14:52:16.8412528Z ##[debug]which 'd:\a\_tasks\SonarQubePrepare_15b84ca1-b62f-4a2a-a403-89b77a063157\4.8.0\classic-sonar-scanner-msbuild\SonarScanner.MSBuild.exe'
2019-09-23T14:52:16.8419422Z ##[debug]found: 'd:\a\_tasks\SonarQubePrepare_15b84ca1-b62f-4a2a-a403-89b77a063157\4.8.0\classic-sonar-scanner-msbuild\SonarScanner.MSBuild.exe'
2019-09-23T14:52:16.8419814Z ##[debug]which 'd:\a\_tasks\SonarQubePrepare_15b84ca1-b62f-4a2a-a403-89b77a063157\4.8.0\classic-sonar-scanner-msbuild\SonarScanner.MSBuild.exe'
2019-09-23T14:52:16.8420121Z ##[debug]found: 'd:\a\_tasks\SonarQubePrepare_15b84ca1-b62f-4a2a-a403-89b77a063157\4.8.0\classic-sonar-scanner-msbuild\SonarScanner.MSBuild.exe'
2019-09-23T14:52:16.8424541Z ##[debug]d:\a\_tasks\SonarQubePrepare_15b84ca1-b62f-4a2a-a403-89b77a063157\4.8.0\classic-sonar-scanner-msbuild\SonarScanner.MSBuild.exe arg: begin
2019-09-23T14:52:16.8425367Z ##[debug]d:\a\_tasks\SonarQubePrepare_15b84ca1-b62f-4a2a-a403-89b77a063157\4.8.0\classic-sonar-scanner-msbuild\SonarScanner.MSBuild.exe arg: /k:Core-API
2019-09-23T14:52:16.8426574Z ##[debug]system.debug=true
2019-09-23T14:52:16.8426898Z ##[debug]d:\a\_tasks\SonarQubePrepare_15b84ca1-b62f-4a2a-a403-89b77a063157\4.8.0\classic-sonar-scanner-msbuild\SonarScanner.MSBuild.exe arg: /d:sonar.verbose=true
2019-09-23T14:52:16.8432157Z ##[debug]exec tool: d:\a\_tasks\SonarQubePrepare_15b84ca1-b62f-4a2a-a403-89b77a063157\4.8.0\classic-sonar-scanner-msbuild\SonarScanner.MSBuild.exe
2019-09-23T14:52:16.8432649Z ##[debug]arguments:
2019-09-23T14:52:16.8432910Z ##[debug]   begin
2019-09-23T14:52:16.8433197Z ##[debug]   /k:Core-API
2019-09-23T14:52:16.8433459Z ##[debug]   /d:sonar.verbose=true
2019-09-23T14:52:16.8441598Z [command]d:\a\_tasks\SonarQubePrepare_15b84ca1-b62f-4a2a-a403-89b77a063157\4.8.0\classic-sonar-scanner-msbuild\SonarScanner.MSBuild.exe begin /k:Core-API /d:sonar.verbose=true
2019-09-23T14:52:16.8933638Z SonarScanner for MSBuild 4.7.1
2019-09-23T14:52:16.8934147Z Using the .NET Framework version of the Scanner for MSBuild
2019-09-23T14:52:16.9541891Z Default properties file was found at d:\a\_tasks\SonarQubePrepare_15b84ca1-b62f-4a2a-a403-89b77a063157\4.8.0\classic-sonar-scanner-msbuild\SonarQube.Analysis.xml
2019-09-23T14:52:16.9542358Z Loading analysis properties from d:\a\_tasks\SonarQubePrepare_15b84ca1-b62f-4a2a-a403-89b77a063157\4.8.0\classic-sonar-scanner-msbuild\SonarQube.Analysis.xml
2019-09-23T14:52:16.9542637Z sonar.verbose=true was specified - setting the log verbosity to 'Debug'
2019-09-23T14:52:16.9545596Z Pre-processing started.
2019-09-23T14:52:16.9559668Z Preparing working directories...
2019-09-23T14:52:16.9577639Z Using environment variables to determine the download directory...
2019-09-23T14:52:16.9583436Z Using environment variable 'AGENT_BUILDDIRECTORY', value 'd:\a\1'
2019-09-23T14:52:17.0231937Z 14:52:17.016  14:52:17  Loading analysis properties from d:\a\_tasks\SonarQubePrepare_15b84ca1-b62f-4a2a-a403-89b77a063157\4.8.0\classic-sonar-scanner-msbuild\SonarQube.Analysis.xml
2019-09-23T14:52:17.0232435Z 14:52:17.016  14:52:17.016  sonar.verbose=true was specified - setting the log verbosity to 'Debug'
2019-09-23T14:52:17.0354449Z 14:52:17.032  Updating build integration targets...
2019-09-23T14:52:17.0418834Z 14:52:17.032  Installed SonarQube.Integration.ImportBefore.targets to C:\Users\VssAdministrator\AppData\Local\Microsoft\MSBuild\4.0\Microsoft.Common.targets\ImportBefore
2019-09-23T14:52:17.0430149Z 14:52:17.032  Installed SonarQube.Integration.ImportBefore.targets to C:\Users\VssAdministrator\AppData\Local\Microsoft\MSBuild\10.0\Microsoft.Common.targets\ImportBefore
2019-09-23T14:52:17.0440328Z 14:52:17.032  Installed SonarQube.Integration.ImportBefore.targets to C:\Users\VssAdministrator\AppData\Local\Microsoft\MSBuild\11.0\Microsoft.Common.targets\ImportBefore
2019-09-23T14:52:17.0450450Z 14:52:17.032  Installed SonarQube.Integration.ImportBefore.targets to C:\Users\VssAdministrator\AppData\Local\Microsoft\MSBuild\12.0\Microsoft.Common.targets\ImportBefore
2019-09-23T14:52:17.0462213Z 14:52:17.032  Installed SonarQube.Integration.ImportBefore.targets to C:\Users\VssAdministrator\AppData\Local\Microsoft\MSBuild\14.0\Microsoft.Common.targets\ImportBefore
2019-09-23T14:52:17.0472351Z 14:52:17.032  Installed SonarQube.Integration.ImportBefore.targets to C:\Users\VssAdministrator\AppData\Local\Microsoft\MSBuild\15.0\Microsoft.Common.targets\ImportBefore
2019-09-23T14:52:17.0515485Z 14:52:17.047  Installed SonarQube.Integration.ImportBefore.targets to C:\Users\VssAdministrator\AppData\Local\Microsoft\MSBuild\Current\Microsoft.Common.targets\ImportBefore
2019-09-23T14:52:17.0561180Z 14:52:17.047  Installed SonarQube.Integration.targets to d:\a\1\.sonarqube\bin\targets
2019-09-23T14:52:17.0574186Z 14:52:17.047  Creating config and output folders...
2019-09-23T14:52:17.0586754Z 14:52:17.047  Creating directory: d:\a\1\.sonarqube\conf
2019-09-23T14:52:17.0588348Z 14:52:17.047  Creating directory: d:\a\1\.sonarqube\out
2019-09-23T14:52:17.0763452Z 14:52:17.063  Fetching analysis configuration settings...
2019-09-23T14:52:17.0796151Z 14:52:17.079  Downloading from https://<Removed>/api/server/version...
2019-09-23T14:52:17.1424307Z 14:52:17.141  Fetching properties for project '<Removed>' from https://<Removed>/api/settings/values?component=<Removed>...
2019-09-23T14:52:17.1428416Z 14:52:17.141  Downloading from https://<Removed>/api/settings/values?component=<Removed>...
2019-09-23T14:52:17.1844890Z ##[error]14:52:17.172  Failed to request and parse 'https://<Removed>/api/settings/values?component=<Removed>': The remote server returned an error: (401) Unauthorized.
2019-09-23T14:52:17.1853683Z ##[debug]Processed: ##vso[task.logissue type=error;]14:52:17.172  Failed to request and parse 'https://<Removed>/api/settings/values?component=<Removed>': The remote server returned an error: (401) Unauthorized.
2019-09-23T14:52:17.1853973Z 14:52:17.172  Failed to request and parse 'https://<Removed>/api/settings/values?component=<Removed>': The remote server returned an error: (401) Unauthorized.
2019-09-23T14:52:17.1854545Z ##[error]14:52:17.172  Could not authorize while connecting to the SonarQube server. Check your credentials and try again.
2019-09-23T14:52:17.1854764Z ##[debug]Processed: ##vso[task.logissue type=error;]14:52:17.172  Could not authorize while connecting to the SonarQube server. Check your credentials and try again.
2019-09-23T14:52:17.1854879Z 14:52:17.172  Could not authorize while connecting to the SonarQube server. Check your credentials and try again.
2019-09-23T14:52:17.1855048Z ##[error]14:52:17.172  Pre-processing failed. Exit code: 1

Any help would be greatly appreciated!

Workaround:
If I set sonar.login and sonar.password in the Additional Properties config on the Azure DevOps Task, then it works! But it’s using explicit login, and not the token.

Removing the values puts it back to a failing state.

I’m starting to wonder if this relates to an old plugin holding on to some old values somewhere. We previously used a self hosted TFS instance, which had an old SonarQube extension. This was all migrated to Azure DevOps. I would expect that removing the extension and then reinstalling it should rule that out… but maybe it didn’t remove all the old config?

Thanks. I have the same problem as you. Using your method, it passed.
I hope the officials can fix it as soon as possible.

Hi,

Using the token, it should show something like this :

##[debug]3ca699d4-ad7c-49b1-984d-702eaba37356 auth param apitoken = null
##[debug]3ca699d4-ad7c-49b1-984d-702eaba37356 auth param username = ***
##[debug]3ca699d4-ad7c-49b1-984d-702eaba37356 auth param password = null

Is that the case on your side? Do you have “Execute analysis” permission on the targeted project?

Thanks.

We are having the same issue with Azure DevOps 2019 Server. It works with the token for the first project and then it stopped. Specifying the sonar.login and sonar.password in the Additional Properties works but not with the token.

The output I see when there is no username/password configured is:

2019-09-23T14:52:16.4213017Z ##[debug]fdc5fbce-98c2-4698-a491-6966e8c4216f auth param apitoken = null
2019-09-23T14:52:16.4215750Z ##[debug]fdc5fbce-98c2-4698-a491-6966e8c4216f auth param username = ***
2019-09-23T14:52:16.4216973Z ##[debug]fdc5fbce-98c2-4698-a491-6966e8c4216f auth param password = ***

Note that the password is not null.
I can confirm that execute analysis permission was set.

Could you please check that you don’t have any variable that might have been set in your pipeline directly? When you go to “Edit pipeline”, then the “Variables” tab.

Thanks.

There aren’t any variables set that could reasonably interfere. There are no variable groups linked to this pipeline.

Any progress in this case?
I have the same problem. I'm using the devops generator with the sonarqube template.
I have SonarQube 7.9.1.
I dumped the traffic and I can see that it sends a password for some reason.
This is the basic credentials it sent: 96438xxxxxxxxxxxxxxxxxxxxxxc4e22:3fae98392xxxxxxxxxxxxx0ff2cb9ef3ad
The username is my token but I have no idea where the password comes from.

Do you have any sonar project properties files in your source code, or maybe environment variables that could lead to this behavior?

I have the same problem in all projects. In this particular case I use a demo project just to see if I can get it to work.
It is from the sonarqube template here: https://azuredevopsdemogenerator.azurewebsites.net/
I can't find sonar.properties or any variables. The only change I have made to the project was to add a sonarqube service connection and refer to it in the prepare task.

I exported the SONARQUBE_SCANNER_PARAMS variable after the prepare task and it has sonar.password set.

This is expected if it has been set indeed, but we need to find why it has been.

Can you try querying your service endpoint by issuing a REST API call against this route:

https://dev.azure.com/{organization}/{project}/_apis/serviceendpoint/endpoints/{endpointId}?api-version=5.1-preview.2

Documentation: here

And see if a password is returned?

Thank you.

Here is the result of the query:
{
  "data": {},
  "id": "[ removed]",
  "name": "SonarQube",
  "type": "sonarqube",
  "url": "[ removed]",
  "createdBy": {[ removed]},
  "description": "",
  "authorization": {
    "parameters": {
      "username": null,
      "password": null
    },
    "scheme": "UsernamePassword"
  },
  "isShared": false,
  "isReady": true,
  "owner": "Library",
  "serviceEndpointProjectReferences": null
}

@mickaelcaro Any ideas?

I got it to work. I reinstalled the plugin (don't think it matters) but more importantly configured service connections via Edge instead of Chrome. I suppose Chrome does some autofill.

Thank you for your feedback. I tried to reproduce the issue but without success. That’s kind of weird, I’m using Chrome on my side, and no problem so far. But my guess was the service connection, to be honest.

@pwilford could you please try the same on your side? Or at least re-create the service connection with a new name, just to make sure that there’s no cache on Azure’s side?

Thanks.

We are experiencing the same behaviour:
Azure DevOps Pipeline with Sonar “addon”.
The Token from the specified service connection is not used, but when providing the real credentials in “extraProperties” in “task: SonarQubePrepare@4”, the authorization passes through.

# Example prepare step - working:
- task: SonarQubePrepare@4
  inputs:
    SonarQube: "MySonarQube"
    scannerMode: "CLI"
    configMode: "file"
    extraProperties: |
       # Put one key=value per line, example:
       #sonar.branch.name=$(fullbranchname)
       sonar.verbose=true
       sonar.login=$(myuser)
       sonar.password=$(mypass)
        
# and the sonar-project.properties: 
        sonar.projectKey=com:my:test
        sonar.projectName=MYTest
        sonar.projectVersion=0.1
        # Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
        # This property is optional if sonar.modules is set
        sonar.sources=Application/
        # Enable the Sonar-CXX plugin
        sonar.cxx.suffixes.sources=.cpp,.cxx,.cc
        sonar.cxx.suffixes.headers=.hpp,.hxx,.h

        # Set the language explicitly
        sonar.language=c++

Please note that also providing sonar.login=${mytoken} with an empty password (“sonar.password=”) does not work either.

Edit:
adding the output of the ServiceEndpoint inspection:
{
	"data": {

	},
	"id": "...",
	"name": "Sonarqube",
	"type": "sonarqube",
	"url": "https://mysonerqubeurl.com/",
	"createdBy": {
		"displayName": "...",
		"url": "...",
		"_links": {
			"avatar": {
				"href": "....."
			}
		},
		"id": "....",
		"uniqueName": "...",
		"imageUrl": "..",
		"descriptor": ".."
	},
	"description": "",
	"authorization": {
		"parameters": {
			"username": null,
			"password": null
		},
		"scheme": "UsernamePassword"
	},
	"isShared": false,
	"isReady": true,
	"owner": "Library",
	"serviceEndpointProjectReferences": null
}

After removing the login and password extraProperties from the task, and after setting up a new service connection, auth was working and the SONARQUBE_SCANNER_PARAMS are looking like this:

{"sonar.host.url":"https://mysonar/","sonar.login":***,"project.settings":"/home/myusert/agent/_work/1/s/sonar-project.properties"}

Hi,

Thanks for your feedback. I believe that something has changed (some cache or something else) on service connections (they have updated the UI recently, so probably under the hood too). I think that it’s worth deleting it completely and recreating it in case of this kind of issue.

Mickaël
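
The diagnostic used throughout this thread (a token-only service connection logs `auth param password = null`, and a healthy `SONARQUBE_SCANNER_PARAMS` carries no `sonar.password`) can be checked mechanically over a saved debug log. The following is an added example, not code from the thread or from the extension; the function name and the sample lines are constructed, modelled on the log lines quoted above.

```python
import re

# "<endpoint-guid> auth param <name> = <value>" as logged with system.debug=true
AUTH_PARAM = re.compile(
    r"##\[debug\](?P<ep>[0-9a-f-]{36}) auth param (?P<name>\w+) = (?P<value>\S+)")
# Secrets are masked as ***, so the body is not valid JSON; match keys by regex.
SCANNER_PARAMS = re.compile(r"set SONARQUBE_SCANNER_PARAMS=(?P<body>\{.*\})")
PROP = re.compile(r'"(sonar\.(?:login|password))":')


def audit_prepare_log(lines):
    """Return findings for a 'Prepare analysis' debug log (hypothetical helper)."""
    params = {}    # endpoint id -> {param name: True when a value is set}
    findings = []
    for line in lines:
        m = AUTH_PARAM.search(line)
        if m:
            params.setdefault(m["ep"], {})[m["name"]] = m["value"] != "null"
            continue
        m = SCANNER_PARAMS.search(line)
        if m and "sonar.password" in PROP.findall(m["body"]):
            findings.append("SONARQUBE_SCANNER_PARAMS carries sonar.password")
    for ep, p in params.items():
        if p.get("username") and p.get("password"):
            # The state reported in the thread: the token sits in the username
            # field and an unexpected password is sent with it.
            findings.append(f"endpoint {ep}: password set alongside token")
        elif not p.get("username"):
            findings.append(f"endpoint {ep}: no token in username field")
    return findings


# Constructed sample: the failing pattern reported in the thread.
FAILING = [
    "##[debug]fdc5fbce-98c2-4698-a491-6966e8c4216f auth param apitoken = null",
    "##[debug]fdc5fbce-98c2-4698-a491-6966e8c4216f auth param username = ***",
    "##[debug]fdc5fbce-98c2-4698-a491-6966e8c4216f auth param password = ***",
    '##[debug]set SONARQUBE_SCANNER_PARAMS={"sonar.host.url":"https://sonar.example/",'
    '"sonar.login":***,"sonar.password":***,"sonar.projectKey":"demo"}',
]
# Constructed sample: the token-only pattern shown as expected in the thread.
HEALTHY = [
    "##[debug]3ca699d4-ad7c-49b1-984d-702eaba37356 auth param apitoken = null",
    "##[debug]3ca699d4-ad7c-49b1-984d-702eaba37356 auth param username = ***",
    "##[debug]3ca699d4-ad7c-49b1-984d-702eaba37356 auth param password = null",
    '##[debug]set SONARQUBE_SCANNER_PARAMS={"sonar.host.url":"https://sonar.example/",'
    '"sonar.login":***}',
]

if __name__ == "__main__":
    for name, log in (("failing", FAILING), ("healthy", HEALTHY)):
        print(name, audit_prepare_log(log))
```

Because the agent masks secret values, the check relies only on the difference between `null` and `***`, so it can be run on logs that are safe to share.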