summary
fail to update plugin scmtfvc because /api/plugins/updates on SonarQube server provides wrong value in version field.
which versions are you using
- SonarQube Server Enterprise Edition 2025.5 (113872)
how is SonarQube deployed
- kubernetes/docker
what are you trying to achieve
Automate/scripting plugin updates on enterprise server edition
what have you tried so far to achieve this
- read version for scmtfvc plugin version value from https://my-sonarqube-server/api/plugins/updates –> “2.5.0 (build 318)“
- compare version with https://downloads.sonarsource.com/sonarqube/update/scmtfvc.json –> “2.5.0“
- if versions match (== there is an update available in marketplace), then download plugin jar file using downloadUrl provided in https://downloads.sonarsource.com/sonarqube/update/scmtfvc.json
- install jar file
This works for all plugins except for scmtfvc, because version in /api/plugins/updates is “2.5.0 (build 318)“ while https://downloads.sonarsource.com/sonarqube/update/scmtfvc.json returns “2.5.0”
How to reproduce:
- install an outdated version of scmtfvc plugin to a self-hosted server instance
- open /api/plugins/updates on this instance
- or: install latest scmtfvc plugin and open /api/plugins/installed
- open https://downloads.sonarsource.com/sonarqube/update/scmtfvc.json
- compare versions in json results → “2.5.0 (build 318)“ != “2.5.0”
Investigation:
I think the plugin itself does not cause the issue, but a bug in sonarqube server:
When sonarqube reads metadata from plugin manifest, the field Plugin-Display-Version is used, but should use Plugin-Version instead.
This works for most plugins, because they ship the same value in Plugin-Display-Version and *Plugin-Version. *
scmtfvc ships different values in these fields which seems legit to me.
Resources:
/api/plugins/update
{
"plugins": [
{
"key": "scmtfvc",
"name": "TFVC",
"category": "Integration",
"description": "Provides SCM TFVC integration",
"license": "MIT",
"organizationName": "Community",
"organizationUrl": "https://github.com/lg2de/sonar-scm-tfvc/graphs/contributors",
"issueTrackerUrl": "https://github.com/lg2de/sonar-scm-tfvc/issues",
"homepageUrl": "https://github.com/lg2de/sonar-scm-tfvc",
"editionBundled": false,
"updates": [
{
"release": {
"version": "2.5.0 (build 318)",
"date": "2025-05-05",
"description": "update DevOps api",
"changeLogUrl": "https://github.com/lg2de/sonar-scm-tfvc/releases/tag/2.5.0"
},
"status": "COMPATIBLE",
"requires": []
}
]
}
],
"updateCenterRefresh": "2025-11-11T09:55:46+0000"
}
https://downloads.sonarsource.com/sonarqube/update/scmtfvc.json
{
"name": "TFVC",
"key": "scmtfvc",
"organization": {
"name": "Community",
"url": "https://github.com/lg2de/sonar-scm-tfvc/graphs/contributors"
},
"category": "Integration",
"license": "MIT",
"issueTrackerURL": "https://github.com/lg2de/sonar-scm-tfvc/issues",
"sourcesURL": "https://github.com/lg2de/sonar-scm-tfvc/sonar-scm-tfvc-plugin",
"versions": [
{
"version": "2.5.0",
"date": "2025-05-05",
"description": "update DevOps api",
"archived": false,
"downloadURL": "https://github.com/lg2de/sonar-scm-tfvc/releases/download/2.5.0/sonar-scm-tfvc-plugin-2.5.0.318.jar",
"changeLogUrl": "https://github.com/lg2de/sonar-scm-tfvc/releases/tag/2.5.0"
},
{
"version": "2.4.0",
"date": "2022-05-26",
"description": "update DevOps api",
"archived": true,
"compatibility": "9.9 - 10.7",
"downloadURL": "https://github.com/lg2de/sonar-scm-tfvc/releases/download/2.4.0/sonar-scm-tfvc-plugin-2.4.0.127.jar",
"changeLogUrl": "https://github.com/lg2de/sonar-scm-tfvc/releases/tag/2.4.0"
}
]
}