Authentication WITHOUT token

Is there a way to use Sonarqube in a Jenkins build for multiple teams, WITHOUT having tokens?

My team is using the Jenkins plugin to incorporate SonarQube into our build process. We are using something similar to this in our Jenkins pipeline build file.

stage('Code Quality Check via SonarQube') {
steps {
    script {
        def scannerHome = tool "sonarqube_scanner";
        withSonarQubeEnv("sonarqube_scanner") {
             sh "${scannerHome}/bin/sonar-scanner -Dsonar.projectKey=obp-planting-ui -Dsonar.sources=. -Dsonar.css.node=. -Dsonar.host.url=https://sonar-github.cloud.bayer.com -Dsonar.login=xxxx"
            }
        }
    }
}

I think deploy keys, or pem files would be better and a more scalable way to go about this rather than personal tokens.

Hi @Romans116, welcome to the SonarSource Community!

It looks like you have our SonarScanner for Jenkins installed since you have the withSonarQubeEnv step in your script. But you might have missed that the Jenkins plugin also adds a global configuration where you can specify credentials under Manage Jenkins / Configure System:

With this set up, you can drop the sonar.host.url and sonar.login parameters off your analysis entirely and the pipeline(s) will inherit from this global configuration.

1 Like

Thank you.

Is the server authentication token different than the token that is generated when creating a project?
Is there another way that does not require a token at all? Can I include a pem file in a directory?

Screen Shot 2020-10-01 at 3.10.33 PM

Also, with the server authentication token, how do permissions work? For example, would all users have access to the projects and be able to view them on Sonar instances web interface?

Just because the new project wizard motivates you as an individual to generate a token for use with the project doesn’t mean that’s the only way to do it; and in fact it’s not the best way to do it if you’re aiming to conduct all your analysis from a CI system.

Most customers using centralized CI create a dedicated user to represent the CI system, create a token for that user, give that user ‘Execute analysis’ permission for existing projects, and add that user to the default permissions template used for when new projects are created. On top of that, many then choose to restrict the “Create project” permission to only a few central accounts and the CI user.

Thank you for that! Last question, is there no alternative to tokens? Can I use something other than a token to authenticate? Any temporary credential method or types of file I can store in a repo?

You can always store the token in a file if you prefer. Any of the properties passed to the scanner, including the sonar.login, can be stored in a sonar-project.properties file that lives at the root of the project. And then this file can be checked in.

Hi Jeff,

I am unable to create a dedicated user for our CI system.

Is there a way to set permissions automatically for every project created with a project key?

You can explore doing so via the web API; everything that can be done within the SonarQube UI can be done via web API calls.

Also, as you noticed above, we are using the Jenkins plugin for Sonarqube. However, when I remove the token from the Jenkinsfile, Sonarqube doesn’t complete successfully.

Here is the error:

ERROR: Not authorized. Analyzing this project requires to be authenticated. Please provide the values of the properties sonar.login and sonar.password.

Here was the script in Jenkinsfile:

stage('Code Quality Check via SonarQube'){
    steps {
        script {
            def scannerHome = tool "sonarqube_scanner";
            withSonarQubeEnv("sonarqube_scanner") {
                sh "${scannerHome}/bin/sonar-scanner -Dsonar.projectKey='${env.JOB_NAME}'"
            }
        }
    }
}

Is there something that I’m doing correctly?

As @Jeff_Zapotoczny noted, IF you store your token in a Jenkins credential then you can use it in your Sonarqube command:

def sonarCmd = "${sonarScanner} -Dsonar.login=${env.SONAR_AUTH_TOKEN} -Dsonar.host=${env.SONAR_HOST_URL} -Dsonar.projectKey=$repoName -Dsonar.projectName=$repoName -Dsonar.projectVersion=$version"

The token should be from a Sonarqube user dedicated to running scans and nothing else. You can create “local” user in Sonarqube via the UI, create a token for that user, then store it in Jenkins.

1 Like

Note: You CAN set up your Sonarqube to allow anonymous users and allow anyone to run/submit a scan but that is not recommended. It’s a lot more work than setting up a dedicated local Sonarqube user and it eliminates security on your Sonarqube instance.