403 errors on Sonar Scanner CLI since V6 upgrade

Since upgrading from 5.0.1.3006 to 6.0.0.4432 I can no longer run sonar-scanner CLI against SonarCloud. I get a 403 error calling the API (same API Token as before - I’ve even regenerated it to be sure).

The token is set via the SONAR_TOKEN environment variable.

This is running in a GH Actions .NET8 SDK Dev Container, with Java 17 manually installed.

Logs:

2024-05-31T10:10:07.4064593Z Getting latest release of sonar scanner from https://github.com/Sonarsource/sonar-scanner-cli/releases/latest...
2024-05-31T10:10:07.4066272Z 
2024-05-31T10:10:07.9939637Z Found https://github.com/Sonarsource/sonar-scanner-cli/releases/tag/6.0.0.4432...
2024-05-31T10:10:07.9940580Z 
2024-05-31T10:10:07.9948983Z Determined version as 6.0.0.4432
2024-05-31T10:10:07.9949605Z 
2024-05-31T10:10:07.9957873Z Downloading installer from https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.0.0.4432.zip to /workspaces/my-project/artifacts/sonarscanner/install.zip...
2024-05-31T10:10:07.9959775Z 
2024-05-31T10:10:08.0019246Z   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
2024-05-31T10:10:08.0020343Z                                  Dload  Upload   Total   Spent    Left  Speed
2024-05-31T10:10:08.0020843Z 
2024-05-31T10:10:08.0021182Z   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
2024-05-31T10:10:08.4087051Z 
2024-05-31T10:10:08.4088507Z 100 4268k  100 4268k    0     0  10.2M      0 --:--:-- --:--:-- --:--:-- 10.2M
2024-05-31T10:10:08.4089452Z 
2024-05-31T10:10:08.4107155Z Unzipping /workspaces/my-project/artifacts/sonarscanner/install.zip to /workspaces/my-project/artifacts/sonarscanner...
2024-05-31T10:10:08.4108463Z 
2024-05-31T10:10:08.4144240Z Archive:  /workspaces/my-project/artifacts/sonarscanner/install.zip
2024-05-31T10:10:08.4145769Z    creating: /workspaces/my-project/artifacts/sonarscanner/sonar-scanner-6.0.0.4432/
2024-05-31T10:10:08.4147086Z    creating: /workspaces/my-project/artifacts/sonarscanner/sonar-scanner-6.0.0.4432/bin/
2024-05-31T10:10:08.4148063Z 
2024-05-31T10:10:08.4150573Z    creating: /workspaces/my-project/artifacts/sonarscanner/sonar-scanner-6.0.0.4432/conf/
2024-05-31T10:10:08.4152274Z    creating: /workspaces/my-project/artifacts/sonarscanner/sonar-scanner-6.0.0.4432/lib/
2024-05-31T10:10:08.4153949Z   inflating: /workspaces/my-project/artifacts/sonarscanner/sonar-scanner-6.0.0.4432/bin/sonar-scanner-debug.bat  
2024-05-31T10:10:08.4155768Z   inflating: /workspaces/my-project/artifacts/sonarscanner/sonar-scanner-6.0.0.4432/bin/sonar-scanner.bat  
2024-05-31T10:10:08.4157606Z   inflating: /workspaces/my-project/artifacts/sonarscanner/sonar-scanner-6.0.0.4432/bin/sonar-scanner  
2024-05-31T10:10:08.4159595Z   inflating: /workspaces/my-project/artifacts/sonarscanner/sonar-scanner-6.0.0.4432/bin/sonar-scanner-debug  
2024-05-31T10:10:08.4161429Z   inflating: /workspaces/my-project/artifacts/sonarscanner/sonar-scanner-6.0.0.4432/conf/sonar-scanner.properties  
2024-05-31T10:10:08.4163424Z   inflating: /workspaces/my-project/artifacts/sonarscanner/sonar-scanner-6.0.0.4432/lib/sonar-scanner-cli-6.0.0.4432.jar  
2024-05-31T10:10:08.4490692Z 
2024-05-31T10:10:08.4490914Z 
2024-05-31T10:10:08.4496230Z /workspaces/my-project/artifacts/sonarscanner/sonar-scanner-6.0.0.4432 /workspaces/my-project
2024-05-31T10:10:08.4498030Z Calling Sonar Scanner...
2024-05-31T10:10:08.4498674Z 
2024-05-31T10:10:08.4498758Z 
2024-05-31T10:10:08.7616149Z 10:10:08.758 INFO  Scanner configuration file: /workspaces/my-project/artifacts/sonarscanner/sonar-scanner-6.0.0.4432/conf/sonar-scanner.properties
2024-05-31T10:10:08.7617501Z 
2024-05-31T10:10:08.7634140Z 10:10:08.762 INFO  Project root configuration file: NONE
2024-05-31T10:10:08.7634725Z 
2024-05-31T10:10:08.7832251Z 10:10:08.782 INFO  SonarScanner CLI 6.0.0.4432
2024-05-31T10:10:08.7832758Z 
2024-05-31T10:10:08.7859007Z 10:10:08.784 INFO  Java 17.0.11 Debian (64-bit)
2024-05-31T10:10:08.7859507Z 
2024-05-31T10:10:08.7871466Z 10:10:08.786 INFO  Linux 6.5.0-1021-azure amd64
2024-05-31T10:10:08.7871955Z 
2024-05-31T10:10:08.8165445Z 10:10:08.815 INFO  User cache: /home/vscode/.sonar/cache
2024-05-31T10:10:08.8166052Z 
2024-05-31T10:10:09.5010949Z 10:10:09.500 INFO  JRE provisioning: os[linux], arch[x86_64]
2024-05-31T10:10:09.5012112Z 
2024-05-31T10:10:11.5085952Z 10:10:11.507 INFO  EXECUTION FAILURE
2024-05-31T10:10:11.5086663Z 
2024-05-31T10:10:11.5093620Z 10:10:11.508 INFO  Total time: 2.752s
2024-05-31T10:10:11.5094219Z 
2024-05-31T10:10:11.5110801Z 10:10:11.509 ERROR Error during SonarScanner CLI execution
2024-05-31T10:10:11.5113156Z java.lang.IllegalStateException: Error status returned by url [https://api.sonarcloud.io/analysis/jres?os=linux&arch=x86_64]: 403
2024-05-31T10:10:11.5115460Z 	at org.sonarsource.scanner.lib.internal.http.ServerConnection.callUrl(ServerConnection.java:176)
2024-05-31T10:10:11.5118308Z 	at org.sonarsource.scanner.lib.internal.http.ServerConnection.callApi(ServerConnection.java:143)
2024-05-31T10:10:11.5120049Z 	at org.sonarsource.scanner.lib.internal.http.ServerConnection.callRestApi(ServerConnection.java:121)
2024-05-31T10:10:11.5121843Z 	at org.sonarsource.scanner.lib.internal.JavaRunnerFactory.getJreMetadata(JavaRunnerFactory.java:159)
2024-05-31T10:10:11.5122928Z 	at org.sonarsource.scanner.lib.internal.JavaRunnerFactory.getJreFromServer(JavaRunnerFactory.java:138)
2024-05-31T10:10:11.5123937Z 	at org.sonarsource.scanner.lib.internal.JavaRunnerFactory.createRunner(JavaRunnerFactory.java:85)
2024-05-31T10:10:11.5125041Z 	at org.sonarsource.scanner.lib.internal.ScannerEngineLauncherFactory.createLauncher(ScannerEngineLauncherFactory.java:53)
2024-05-31T10:10:11.5126155Z 	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:117)
2024-05-31T10:10:11.5126921Z 	at org.sonarsource.scanner.cli.Main.analyze(Main.java:75)
2024-05-31T10:10:11.5127439Z 	at org.sonarsource.scanner.cli.Main.main(Main.java:63)
2024-05-31T10:10:11.5127838Z 10:10:11.510 ERROR 

Confirmed downgrading to V5 works, but V6 still failed.

Nobody told me we released anything :innocent: :angry: :laughing:

What caused you to upgrade, if I can ask? It hasn’t been announced, although the binaries were indeed released. Do you have something (custom?) automatically downloading the latest version?

And, for the record, we are aware of the issue and going to release a 6.0.1. This only affects SonarCloud.

Yeah, I have a script that just pulls the latest release from GH releases and installs it.

Living on the edge :sunglasses:

Sorry for the disruption. I’ll update here when the bugfix release is done.

I have the same problem, installed sonar scanner CLI via homebrew (macOS). It looks like this version also got released there.

Thanks @Patrick_Steiner. We don’t maintain that so we had no control :confused:

Hi, I have the same problem: my pipeline downloads the latest version of sonar scanner CLI via homebrew (macOS) and with version 6 it fails with a 403 error.

Same issue here.

We are installing sonar-scanner from maven:

https://search.maven.org/remote_content?g=org.sonarsource.scanner.cli&a=sonar-scanner-cli&v=LATEST&c=linux&e=zip

I found this to be necessary after dealing with our SonarCloud scans failing due to scanner being “too old”, and I don’t want to keep babysitting the sonar-scanner-cli version in our pipelines.

Additionally I see the same binaries at SonarSource Downloads-CDN

Regarding the “we don’t maintain that” comment, what sources does SonarSource maintain, and what justifies “a release”? How can we ensure we get a valid build of sonar-scanner-cli?
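One way to stop a pipeline from silently picking up an unannounced release is to pin the scanner version and check the archive digest before unzipping. This is an added example, not code from any poster in this thread or from SonarSource. The URL pattern and version 5.0.1.3006 come from the original post; the function names are hypothetical and `SCANNER_SHA256` is a placeholder for a digest you record yourself after vetting the zip.

```shell
#!/bin/sh
# Added example: pinned, checksum-verified install of sonar-scanner-cli.
# SCANNER_VERSION defaults to the version the thread reports as working.
# SCANNER_SHA256 is a placeholder: record the digest of the zip you vetted.
SCANNER_VERSION="${SCANNER_VERSION:-5.0.1.3006}"
SCANNER_SHA256="${SCANNER_SHA256:-REPLACE_WITH_VETTED_SHA256}"
BASE_URL="https://binaries.sonarsource.com/Distribution/sonar-scanner-cli"

# Accept only a fully specified four-part version; rejects "latest"/"LATEST".
valid_version() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
}

# Build the download URL using the naming pattern seen in the thread's log.
scanner_url() {
  valid_version "$1" || return 1
  printf '%s/sonar-scanner-cli-%s.zip\n' "$BASE_URL" "$1"
}

# Portable SHA-256: sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Succeed only if the file exists and its digest equals the recorded one.
verify_zip() {
  [ -f "$1" ] || return 1
  actual=$(sha256_of "$1") || return 1
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Download the pinned version into <dest-dir>; unzip only after verification.
install_scanner() {
  url=$(scanner_url "$SCANNER_VERSION") || { echo "unpinned version" >&2; return 1; }
  curl -fsSL "$url" -o "$1/install.zip" || return 1
  verify_zip "$1/install.zip" "$SCANNER_SHA256" || {
    echo "checksum mismatch, refusing to unzip" >&2; rm -f "$1/install.zip"; return 1; }
  unzip -q "$1/install.zip" -d "$1"
}
```

Moving to a newer scanner then becomes a reviewed change to two values (version and digest) rather than something that happens on the next pipeline run.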

Project Info:

Issue:
We started to get the below error on multiple native swift mobile projects from CircleCI since Sunday (June 2nd, 2024). We have made no configuration changes and everything was working well on May 30th, Thursday.

  • Error observed below:
[01:59:02]: ▸ 01:59:02.233 INFO  Scanner configuration file: /opt/homebrew/Cellar/sonar-scanner/6.0.0.4432/libexec/conf/sonar-scanner.properties
[01:59:02]: ▸ 01:59:02.235 INFO  Project root configuration file: /Users/distiller/project/sonar-project.properties
[01:59:02]: ▸ 01:59:02.245 INFO  SonarScanner CLI 6.0.0.4432
[01:59:02]: ▸ 01:59:02.246 INFO  Java 21.0.3 Homebrew (64-bit)
[01:59:02]: ▸ 01:59:02.248 INFO  Mac OS X 14.3.1 aarch64
[01:59:02]: ▸ 01:59:02.276 INFO  User cache: /Users/distiller/.sonar/cache
[01:59:02]: ▸ 01:59:02.613 INFO  JRE provisioning: os[macos], arch[arm64]
[01:59:03]: ▸ 01:59:03.818 INFO  EXECUTION FAILURE
[01:59:03]: ▸ 01:59:03.818 INFO  Total time: 1.587s
[01:59:03]: ▸ 01:59:03.818 ERROR Error during SonarScanner CLI execution
[01:59:03]: ▸ java.lang.IllegalStateException: Error status returned by url [https://api.sonarcloud.io/analysis/jres?os=macos&arch=arm64]: 403
[01:59:03]: ▸ at org.sonarsource.scanner.lib.internal.http.ServerConnection.callUrl(ServerConnection.java:176)
[01:59:03]: ▸ at org.sonarsource.scanner.lib.internal.http.ServerConnection.callApi(ServerConnection.java:143)
[01:59:03]: ▸ at org.sonarsource.scanner.lib.internal.http.ServerConnection.callRestApi(ServerConnection.java:121)
[01:59:03]: ▸ at org.sonarsource.scanner.lib.internal.JavaRunnerFactory.getJreMetadata(JavaRunnerFactory.java:159)
[01:59:03]: ▸ at org.sonarsource.scanner.lib.internal.JavaRunnerFactory.getJreFromServer(JavaRunnerFactory.java:138)
[01:59:03]: ▸ at org.sonarsource.scanner.lib.internal.JavaRunnerFactory.createRunner(JavaRunnerFactory.java:85)
[01:59:03]: ▸ at org.sonarsource.scanner.lib.internal.ScannerEngineLauncherFactory.createLauncher(ScannerEngineLauncherFactory.java:53)
[01:59:03]: ▸ at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:117)
[01:59:03]: ▸ at org.sonarsource.scanner.cli.Main.analyze(Main.java:75)
[01:59:03]: ▸ at org.sonarsource.scanner.cli.Main.main(Main.java:63)
[01:59:03]: ▸ 01:59:03.820 ERROR
[01:59:03]: ▸ 01:59:03.820 ERROR Re-run SonarScanner CLI using the -X switch to enable full debug logging.

After some more digging, this is looking like an issue introduced by Sonar. A new version 6 was released over the weekend when we started noticing the outage. Specifically the issue is related to API authentication via terminal. Workaround is to use a previous version of Sonar either locally or on your cloud machines.

Hey Matthew

Sonar maintains SonarSource/sonar-scanner-cli, and other related repos like SonarSource/sonar-scanner-cli-docker. And, we certainly can’t stop other projects from using versions of our scanner that haven’t been officially released (v6.0 for example, has had its technical release, but hasn’t been announced yet, and we probably won’t announce it until we fix this bug)

I saw the same issue during the weekend and yesterday.
This morning when I tried it again it works, looks like the issue seems to be fixed now.

Sonar maintains SonarSource/sonar-scanner-cli, and other related repos like SonarSource/sonar-scanner-cli-docker. And, we certainly can’t stop other projects from using versions of our scanner that haven’t been officially released (v6.0 for example, has had its technical release, but hasn’t been announced yet, and we probably won’t announce it until we fix this bug)

Sonar may view releasing to GitHub as a “technical” and not an “official” release … but that’s not something the rest of the industry will agree with. Releasing to the Sonar maintained GitHub repos is doing a public release, which is why many have been using it and running into these problems with it. Releasing to GitHub and doing a marketing announcement should be controlled a bit tighter if you don’t want people to be picking up these “technical” releases and using them before they are ready for consumption.

Going back to the original issue, we’re seeing Sonar results in our PRs now so the API problem does seem to be addressed - even though there hasn’t been an official announcement of the fix in this thread. :wink:

Well… it seems that even the official Jenkins plugin displays these releases :innocent:

(I know the reason, but I’m just nitpicking :smile:)

Anyway, I don’t recall seeing any posts announcing a new SonarScanner release here. This forum only has a “Release” category for SonarQube and SonarLint. The only way to check if a new version has been released is by opening the documentation, even though it’s not explicitly announced on this forum, right?

I can also confirm - I re-ran my failed sonar-scanner stages this morning and they are now completing successfully. Issue seems to have been resolved upstream.

Also works for me again, didn’t change anything on my side.

Touché. I typically consider “official release” what we have listed as the public version here.

I can also confirm the fix was in SonarCloud, which was deployed yesterday. So it should be in good shape now.

We recently retagged the latest version of the SonarQube CLI about 6 hours ago.

  • SonarQube Server: Version 10.6 Community Edition
  • Previous CLI Version: SonarQube CLI 5.0 was working properly before the update.

After upgrading to the latest version of the SonarQube CLI Docker (which matches the server version), we are encountering the following error:

This issue did not occur with the previous CLI version (5.0) and only started after the upgrade. The SonarQube server remains at version 10.6 without any changes.

Hi Marco,
I have the same problem.
Did you find a solution?