Azure DevOps Scanner The token you provided doesn't have sufficient rights to check license

This is “normal” as there are no verification upon saving.

Can you also try to get that Service Connection through the azdo rest API, and se what is filled as a password value ? You have the doc just here

this is what i am getting

{
“data”: {},
“id”: “xxxxxxxxxxxxxxx”,
“name”: “SonarQube”,
“type”: “sonarqube”,
“url”: “http://10.10.0.40:9000”,
“createdBy”: {
“displayName”: “Atif Farrukh”,
“id”: “xxxxxxxxxxxxxxxxxxxxxxxxxxxx”,
“uniqueName”: “xxxxx”
},
“authorization”: {
“scheme”: “UsernamePassword”
},
“isShared”: false,
“isReady”: true,
“owner”: “Library”
}

Don’t you have any parameters like this inside ?

“parameters”: {
“username”: null
},

nope, not in sonarqube

Did you get all endpoints at once with the API ? Is yes, you need to then get the id, and get it “solo” by just adding the id after a slash in the endpoints

/endpoints/{id]?api-version=xxx

here you go

{
“data”: {},
“id”: “xxxxxxxxxxxxxxxxxxxxx”,
“name”: “SonarQube”,
“type”: “sonarqube”,
“url”: “http://10.10.0.40:9000”,
“createdBy”: {
“displayName”: “Atif Farrukh”,
“url”: “xxxxxxxxxxxxxxxxxxxxxxxxxxx”,
“_links”: {
“avatar”: {
“href”: “xxxxxxxxxxxxxxxxxxxxx”
}
},
“id”: “xxxxxxx”,
“uniqueName”: “xxxxxxxxxxxxx”,
“imageUrl”: “xxxxxxxxxxxxxxxxx”,
“descriptor”: “win.Uy0xLTUtMjEtNDEzNTA2ODk3Ny01ODc5MjQ0MDEtMjE4ODk1NjAyMS0xNjQ0”
},
“authorization”: {
“parameters”: {
“username”: null,
“password”: null
},
“scheme”: “UsernamePassword”
},
“isShared”: false,
“isReady”: true,
“owner”: “Library”
}

@mickaelcaro any update regarding this issue?

any update regarding this issue?

@mickaelcaro any update regarding this issue?

For reference, I have encountered this after upgrade to 8.7.1 and taken the same steps as above, creating a new Service Connection. Still finding that I get this issue, but only when using a Linux based build agent (not sure if that is relevant).

Also, looking at the logs on Sonarqube I can see it is getting a 401 when trying to reach the is_valid_license API endpoint:

[08/Apr/2021:16:30:59 +0100] “GET /api/server/version HTTP/1.0” 200 - “-” “-” “AXirv6CFEDFxZdlpAAWD”
[08/Apr/2021:16:30:59 +0100] “GET /api/editions/is_valid_license HTTP/1.0” 401 - “-” “-” “AXirv6CFEDFxZdlpAAWE”

Hi @Tom_Ferguson

No update so far, i’ll work on a fix ASAP.

Mickaël

Hi. I’m also getting that same error.
Setting the web log to TRACE I could find that it seems to search our AD for a user with the name of our token.
Is this normal or have i done something wrong in the config-file?

Edited logs below. IE not real token and CN’s, DC’s and OU’s censored.

2021.06.10 14:52:58 TRACE web[AXn1+5qxpoOm8wyKAAAC][sql] time=0ms | sql=SELECT u.uuid as uuid, u.login as login, u.name as name, u.email as email, u.active as "active", u.scm_accounts as "scmAccounts", u.salt as "salt", u.crypted_password as "cryptedPassword", u.hash_method as "hashMethod", u.external_id as "externalId", u.external_login as "externalLogin", u.external_identity_provider as "externalIdentityProvider", u.user_local as "local", u.is_root as "root", u.onboarded as "onboarded", u.reset_password as "resetPassword", u.homepage_type as "homepageType", u.homepage_parameter as "homepageParameter", u.last_connection_date as "lastConnectionDate", u.last_sonarlint_connection as "lastSonarlintConnectionDate", u.created_at as "createdAt", u.updated_at as "updatedAt" FROM users u WHERE u.login=? AND u.active=1 | params=339f40c91f339f40c91f339f40c91f339f40c91f
2021.06.10 14:52:58 DEBUG web[AXn1+5qxpoOm8wyKAAAC][o.s.a.l.LdapUsersProvider] Requesting details for user 339f40c91f339f40c91f339f40c91f339f40c91f
2021.06.10 14:52:58 DEBUG web[AXn1+5qxpoOm8wyKAAAC][o.s.a.l.LdapSearch] Search: LdapSearch{baseDn=OU=Users,OU=***,DC=****,DC=********,DC=net, scope=subtree, request=(&(objectClass=user)(sAMAccountName={0})), parameters=[339f40c91f339f40c91f339f40c91f339f40c91f], attributes=[email, cn]}
2021.06.10 14:52:58 DEBUG web[AXn1+5qxpoOm8wyKAAAC][o.s.a.l.LdapContextFactory] Initializing LDAP context {java.naming.referral=follow, java.naming.security.principal=CN=svc_Sonar,OU=***,OU=*****,OU=****,DC=**,DC=******,DC=net, com.sun.jndi.ldap.connect.pool=true, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.sasl.realm=*******.net, java.naming.provider.url=ldap://****.**.******.net:389, java.naming.security.authentication=simple}
2021.06.10 14:52:58 DEBUG web[AXn1+5qxpoOm8wyKAAAC][o.s.a.l.LdapUsersProvider] User 339f40c91f339f40c91f339f40c91f339f40c91f not found in <default>
2021.06.10 14:52:58 DEBUG web[AXn1+5qxpoOm8wyKAAAC][auth.event] login failure [cause|No user details][method|BASIC][provider|REALM|LDAP][IP|0:0:0:0:0:0:0:1|10.158.116.5:54171][login|339f40c91f339f40c91f339f40c91f339f40c91f]

@mickaelcaro I have the same issue, however, i have several projects in my TFS repository. One of them succeeds. I compared the verbose logs between the successful and failure builds, I notice the failed one sets sonar.password=*** whereas the successful one doesnt. I’m using the Community Edition 9.x.

Log from the Successful build:
set SONARQUBE_SCANNER_PARAMS={“sonar.host.url”:“https://myserver.com/",“sonar.login”:***,“sonar.projectKey”:“ProjA”,“sonar.projectName”:“ProjA”,“sonar.projectVersion”:“ProjA_20210916.2”,“sonar.scanner.metadataFilePath”:“D:\TFS2017BuildQueue\_work\_temp\sonar\ProjA_20210916.2\e3d42a61-3b97-d954-a366-8a160d8a171b\report-task.txt”,“sonar.verbose”:"true”}

here’s the failed one:
set SONARQUBE_SCANNER_PARAMS={“sonar.host.url”:“https://myserver.com/","sonar.login”:,“sonar.password”:,“sonar.projectKey”:“ProjB”,“sonar.projectName”:“ProjB”,“sonar.projectVersion”:“ProjB_20210916.7”,“sonar.branch.name”:“master-projB”,“sonar.scanner.metadataFilePath”:“D:\TFS2017BuildQueue\_work\_temp\sonar\ProjB_20210916.7\f8661401-31ab-9a6c-aaec-6851bed3530a\report-task.txt”,“sonar.verbose”:“true”}

Is it possible the Community edition allows no more than 1 project?

I’ve also attempted to set sonar.password to an empty string in the Prepare Analysis build step additional properties. Still no luck!

Hi @bprodduturi

Are you using the same Service Connection for both builds ?

Hi @mickaelcaro - each project has its own repository in our TFS and therefore I had to create a new Service Connection per project and obtain a different token for each project.

Ok then i would suggest to drop and recreate the faulty service connection, to see first if that can fix the issue.

Mickaël

@mickaelcaro I’ve deleted the Service Connection in TFS. Revoked the token in Sonar under My Account. Recreated a new token. Recreated a new Service Connection with the new Token. Made sure the build template is reading the new Service Connection. Fired the build, and the still seeing the same issue.

@mickaelcaro Someone else reported the same problem as mine here: Visual Studio Feedback

I dont understand what the workaround is. I’ve tried setting sonar.login={token} in the additional properties in the Prepare Analysis build step, and no luck.

Do you have by chance a SonarQube.Analysis.xml file somewhere in your checked out code ?

Hello @mickaelcaro! I am experiencing this issue, and can be of assistance in any debugging.

What I have gathered so far, after reinstalling the extension in DevOps, recreating the service connection, and recreating the tokens, that it gets stuck on calling “/api/editions/is_valid_license”. When I try and call that endpoint, I get the following response:

{
  "errors": [
    {
      "msg": "Unknown url : /api/editions/is_valid_license"
    }
  ]
}

Our version of SonarQube is 9.1.0.47736, and I believe that our problems started when we upgraded to it

Here is a exerpt of the log from running the task in a pipeline, with system.debug on

15:54:48.927  Downloading from http://10.24.3.103:9000/api/server/version...
15:54:48.958  Checking validity of server license
15:54:48.958  Downloading from http://10.24.3.103:9000/api/editions/is_valid_license...
##[error]15:54:48.958  The token you provided doesn't have sufficient rights to check license.
##[debug]Processed: ##vso[task.logissue type=error;]15:54:48.958  The token you provided doesn't have sufficient rights to check license.