Since upgrading from 5.0.1.3006 to 6.0.0.4432 I can no longer run sonar-scanner CLI against SonarCloud. I get a 403 error calling the API (same API Token as before - I’ve even regenerated it to be sure).
The token is set via the SONAR_TOKEN environment variable.
This is running in a GH Actions .NET8 SDK Dev Container, with Java 17 manually installed.
Logs:
2024-05-31T10:10:07.4064593Z Getting latest release of sonar scanner from https://github.com/Sonarsource/sonar-scanner-cli/releases/latest...
2024-05-31T10:10:07.4066272Z
2024-05-31T10:10:07.9939637Z Found https://github.com/Sonarsource/sonar-scanner-cli/releases/tag/6.0.0.4432...
2024-05-31T10:10:07.9940580Z
2024-05-31T10:10:07.9948983Z Determined version as 6.0.0.4432
2024-05-31T10:10:07.9949605Z
2024-05-31T10:10:07.9957873Z Downloading installer from https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.0.0.4432.zip to /workspaces/my-project/artifacts/sonarscanner/install.zip...
2024-05-31T10:10:07.9959775Z
2024-05-31T10:10:08.0019246Z % Total % Received % Xferd Average Speed Time Time Time Current
2024-05-31T10:10:08.0020343Z Dload Upload Total Spent Left Speed
2024-05-31T10:10:08.0020843Z
2024-05-31T10:10:08.0021182Z 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
2024-05-31T10:10:08.4087051Z
2024-05-31T10:10:08.4088507Z 100 4268k 100 4268k 0 0 10.2M 0 --:--:-- --:--:-- --:--:-- 10.2M
2024-05-31T10:10:08.4089452Z
2024-05-31T10:10:08.4107155Z Unzipping /workspaces/my-project/artifacts/sonarscanner/install.zip to /workspaces/my-project/artifacts/sonarscanner...
2024-05-31T10:10:08.4108463Z
2024-05-31T10:10:08.4144240Z Archive: /workspaces/my-project/artifacts/sonarscanner/install.zip
2024-05-31T10:10:08.4145769Z creating: /workspaces/my-project/artifacts/sonarscanner/sonar-scanner-6.0.0.4432/
2024-05-31T10:10:08.4147086Z creating: /workspaces/my-project/artifacts/sonarscanner/sonar-scanner-6.0.0.4432/bin/
2024-05-31T10:10:08.4148063Z
2024-05-31T10:10:08.4150573Z creating: /workspaces/my-project/artifacts/sonarscanner/sonar-scanner-6.0.0.4432/conf/
2024-05-31T10:10:08.4152274Z creating: /workspaces/my-project/artifacts/sonarscanner/sonar-scanner-6.0.0.4432/lib/
2024-05-31T10:10:08.4153949Z inflating: /workspaces/my-project/artifacts/sonarscanner/sonar-scanner-6.0.0.4432/bin/sonar-scanner-debug.bat
2024-05-31T10:10:08.4155768Z inflating: /workspaces/my-project/artifacts/sonarscanner/sonar-scanner-6.0.0.4432/bin/sonar-scanner.bat
2024-05-31T10:10:08.4157606Z inflating: /workspaces/my-project/artifacts/sonarscanner/sonar-scanner-6.0.0.4432/bin/sonar-scanner
2024-05-31T10:10:08.4159595Z inflating: /workspaces/my-project/artifacts/sonarscanner/sonar-scanner-6.0.0.4432/bin/sonar-scanner-debug
2024-05-31T10:10:08.4161429Z inflating: /workspaces/my-project/artifacts/sonarscanner/sonar-scanner-6.0.0.4432/conf/sonar-scanner.properties
2024-05-31T10:10:08.4163424Z inflating: /workspaces/my-project/artifacts/sonarscanner/sonar-scanner-6.0.0.4432/lib/sonar-scanner-cli-6.0.0.4432.jar
2024-05-31T10:10:08.4490692Z
2024-05-31T10:10:08.4490914Z
2024-05-31T10:10:08.4496230Z /workspaces/my-project/artifacts/sonarscanner/sonar-scanner-6.0.0.4432 /workspaces/my-project
2024-05-31T10:10:08.4498030Z Calling Sonar Scanner...
2024-05-31T10:10:08.4498674Z
2024-05-31T10:10:08.4498758Z
2024-05-31T10:10:08.7616149Z 10:10:08.758 INFO Scanner configuration file: /workspaces/my-project/artifacts/sonarscanner/sonar-scanner-6.0.0.4432/conf/sonar-scanner.properties
2024-05-31T10:10:08.7617501Z
2024-05-31T10:10:08.7634140Z 10:10:08.762 INFO Project root configuration file: NONE
2024-05-31T10:10:08.7634725Z
2024-05-31T10:10:08.7832251Z 10:10:08.782 INFO SonarScanner CLI 6.0.0.4432
2024-05-31T10:10:08.7832758Z
2024-05-31T10:10:08.7859007Z 10:10:08.784 INFO Java 17.0.11 Debian (64-bit)
2024-05-31T10:10:08.7859507Z
2024-05-31T10:10:08.7871466Z 10:10:08.786 INFO Linux 6.5.0-1021-azure amd64
2024-05-31T10:10:08.7871955Z
2024-05-31T10:10:08.8165445Z 10:10:08.815 INFO User cache: /home/vscode/.sonar/cache
2024-05-31T10:10:08.8166052Z
2024-05-31T10:10:09.5010949Z 10:10:09.500 INFO JRE provisioning: os[linux], arch[x86_64]
2024-05-31T10:10:09.5012112Z
2024-05-31T10:10:11.5085952Z 10:10:11.507 INFO EXECUTION FAILURE
2024-05-31T10:10:11.5086663Z
2024-05-31T10:10:11.5093620Z 10:10:11.508 INFO Total time: 2.752s
2024-05-31T10:10:11.5094219Z
2024-05-31T10:10:11.5110801Z 10:10:11.509 ERROR Error during SonarScanner CLI execution
2024-05-31T10:10:11.5113156Z java.lang.IllegalStateException: Error status returned by url [https://api.sonarcloud.io/analysis/jres?os=linux&arch=x86_64]: 403
2024-05-31T10:10:11.5115460Z at org.sonarsource.scanner.lib.internal.http.ServerConnection.callUrl(ServerConnection.java:176)
2024-05-31T10:10:11.5118308Z at org.sonarsource.scanner.lib.internal.http.ServerConnection.callApi(ServerConnection.java:143)
2024-05-31T10:10:11.5120049Z at org.sonarsource.scanner.lib.internal.http.ServerConnection.callRestApi(ServerConnection.java:121)
2024-05-31T10:10:11.5121843Z at org.sonarsource.scanner.lib.internal.JavaRunnerFactory.getJreMetadata(JavaRunnerFactory.java:159)
2024-05-31T10:10:11.5122928Z at org.sonarsource.scanner.lib.internal.JavaRunnerFactory.getJreFromServer(JavaRunnerFactory.java:138)
2024-05-31T10:10:11.5123937Z at org.sonarsource.scanner.lib.internal.JavaRunnerFactory.createRunner(JavaRunnerFactory.java:85)
2024-05-31T10:10:11.5125041Z at org.sonarsource.scanner.lib.internal.ScannerEngineLauncherFactory.createLauncher(ScannerEngineLauncherFactory.java:53)
2024-05-31T10:10:11.5126155Z at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:117)
2024-05-31T10:10:11.5126921Z at org.sonarsource.scanner.cli.Main.analyze(Main.java:75)
2024-05-31T10:10:11.5127439Z at org.sonarsource.scanner.cli.Main.main(Main.java:63)
2024-05-31T10:10:11.5127838Z 10:10:11.510 ERROR
Confirmed downgrading to V5 works, but V6 still failed.
What caused you to upgrade, if I can ask? It hasn’t been announced, although the binaries were indeed released. Do you have something (custom?) automatically downloading the latest version?
Hi, I have the same problem: my pipeline downloads the latest version of the sonar scanner CLI via Homebrew (macOS), and with version 6 it failed with a 403 error.
I found this to be necessary after dealing with our SonarCloud scans failing due to scanner being “too old”, and I don’t want to keep babysitting the sonar-scanner-cli version in our pipelines.
Regarding the “we don’t maintain that” comment, what sources does SonarSource maintain, and what justifies “a release”? How can we ensure we get a valid build of sonar-scanner-cli?
Languages of the repository: Swift, Xcode Mobile Project
Issue:
We started to get the below error on multiple native Swift mobile projects from CircleCI since Sunday (June 2nd, 2024). We have made no configuration changes and everything was working well on May 30th, Thursday.
Error observed below:
[01:59:02]: ▸ 01:59:02.233 INFO Scanner configuration file: /opt/homebrew/Cellar/sonar-scanner/6.0.0.4432/libexec/conf/sonar-scanner.properties
[01:59:02]: ▸ 01:59:02.235 INFO Project root configuration file: /Users/distiller/project/sonar-project.properties
[01:59:02]: ▸ 01:59:02.245 INFO SonarScanner CLI 6.0.0.4432
[01:59:02]: ▸ 01:59:02.246 INFO Java 21.0.3 Homebrew (64-bit)
[01:59:02]: ▸ 01:59:02.248 INFO Mac OS X 14.3.1 aarch64
[01:59:02]: ▸ 01:59:02.276 INFO User cache: /Users/distiller/.sonar/cache
[01:59:02]: ▸ 01:59:02.613 INFO JRE provisioning: os[macos], arch[arm64]
[01:59:03]: ▸ 01:59:03.818 INFO EXECUTION FAILURE
[01:59:03]: ▸ 01:59:03.818 INFO Total time: 1.587s
[01:59:03]: ▸ 01:59:03.818 ERROR Error during SonarScanner CLI execution
[01:59:03]: ▸ java.lang.IllegalStateException: Error status returned by url [https://api.sonarcloud.io/analysis/jres?os=macos&arch=arm64]: 403
[01:59:03]: ▸ at org.sonarsource.scanner.lib.internal.http.ServerConnection.callUrl(ServerConnection.java:176)
[01:59:03]: ▸ at org.sonarsource.scanner.lib.internal.http.ServerConnection.callApi(ServerConnection.java:143)
[01:59:03]: ▸ at org.sonarsource.scanner.lib.internal.http.ServerConnection.callRestApi(ServerConnection.java:121)
[01:59:03]: ▸ at org.sonarsource.scanner.lib.internal.JavaRunnerFactory.getJreMetadata(JavaRunnerFactory.java:159)
[01:59:03]: ▸ at org.sonarsource.scanner.lib.internal.JavaRunnerFactory.getJreFromServer(JavaRunnerFactory.java:138)
[01:59:03]: ▸ at org.sonarsource.scanner.lib.internal.JavaRunnerFactory.createRunner(JavaRunnerFactory.java:85)
[01:59:03]: ▸ at org.sonarsource.scanner.lib.internal.ScannerEngineLauncherFactory.createLauncher(ScannerEngineLauncherFactory.java:53)
[01:59:03]: ▸ at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:117)
[01:59:03]: ▸ at org.sonarsource.scanner.cli.Main.analyze(Main.java:75)
[01:59:03]: ▸ at org.sonarsource.scanner.cli.Main.main(Main.java:63)
[01:59:03]: ▸ 01:59:03.820 ERROR
[01:59:03]: ▸ 01:59:03.820 ERROR Re-run SonarScanner CLI using the -X switch to enable full debug logging.
After some more digging, this is looking like an issue introduced by Sonar. A new version 6 was released over the weekend when we started noticing the outage. Specifically, the issue is related to API authentication via terminal. Workaround is to use a previous version of Sonar either locally or on your cloud machines.
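One way to apply the workaround discussed in this thread in a pipeline: pin a known scanner version instead of resolving `releases/latest`, and verify the archive before unzipping it. This is an added example, not code from any poster or from SonarSource. The download URL pattern and version 5.0.1.3006 are taken from the logs and posts above; the function names and the `SCANNER_SHA256` placeholder are assumptions, and the expected digest must come from a source you trust.

```shell
#!/usr/bin/env bash
# Added example: install a pinned SonarScanner CLI and check its SHA-256.
SCANNER_VERSION="${SCANNER_VERSION:-5.0.1.3006}"                   # version named in the thread
SCANNER_SHA256="${SCANNER_SHA256:-REPLACE_WITH_EXPECTED_SHA256}"   # placeholder, not a real digest
BASE_URL="https://binaries.sonarsource.com/Distribution/sonar-scanner-cli"

scanner_url() {
  # Accept only a plain dotted version, so "latest" or a path cannot slip in.
  case "$1" in
    ''|*[!0-9.]*) echo "invalid version: $1" >&2; return 1 ;;
  esac
  printf '%s/sonar-scanner-cli-%s.zip\n' "$BASE_URL" "$1"
}

sha256_of() {
  # Print the hex SHA-256 of file $1 (sha256sum on Linux, shasum on macOS).
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_sha256() {
  # $1 = file, $2 = expected hex digest; succeeds only on an exact match.
  vs_actual="$(sha256_of "$1")" || return 1
  [ "$vs_actual" = "$2" ]
}

install_pinned_scanner() {
  # $1 = destination directory. Downloads over HTTPS only, verifies, then unzips.
  ips_dest="$1"
  ips_url="$(scanner_url "$SCANNER_VERSION")" || return 1
  ips_zip="$ips_dest/install.zip"
  mkdir -p "$ips_dest"
  curl --fail --silent --show-error --location --proto '=https' \
       -o "$ips_zip" "$ips_url" || return 1
  if ! verify_sha256 "$ips_zip" "$SCANNER_SHA256"; then
    echo "checksum mismatch for $ips_url, refusing to unzip" >&2
    rm -f "$ips_zip"
    return 1
  fi
  unzip -q "$ips_zip" -d "$ips_dest"
}
```

Bumping the scanner then becomes a reviewed change to two values rather than something that happens whenever a new tag appears upstream.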
Sonar maintains SonarSource/sonar-scanner-cli, and other related repos like SonarSource/sonar-scanner-cli-docker. And, we certainly can’t stop other projects from using versions of our scanner that haven’t been officially released (v6.0 for example, has had its technical release, but hasn’t been announced yet, and we probably won’t announce it until we fix this bug)
Sonar may view releasing to GitHub as a “technical” and not an “official” release … but that’s not something the rest of the industry will agree with. Releasing to the Sonar maintained GitHub repos is doing a public release, which is why many have been using it and running into these problems with it. Releasing to GitHub and doing a marketing announcement should be controlled a bit tighter if you don’t want people to be picking up these “technical” releases and using them before they are ready for consumption.
Going back to the original issue, we’re seeing Sonar results in our PRs now so the API problem does seem to be addressed - even though there hasn’t been an official announcement of the fix in this thread.
Anyway, I don’t recall seeing any posts announcing a new SonarScanner release here. This forum only has a “Release” category for SonarQube and SonarLint. The only way to check if a new version has been released is by opening the documentation, even though it’s not explicitly announced on this forum, right?
I can also confirm - I re-ran my failed sonar-scanner stages this morning and they are now completing successfully. Issue seems to have been resolved upstream.
This issue did not occur with the previous CLI version (5.0) and only started after the upgrade. The SonarQube server remains at version 10.6 without any changes.