I am not sure if this is the correct place to post this.
I have recently upgraded my SonarQube Extension to 6.0 and tried to update my yml pipeline files to use v6 of the task.
I only changed the @5 to @6 for the various tasks involved.
At the SonarQubePrepare task, I get an error that it is searching for a GitHub resource.
The problem for me is that my network is on-premise and not connected to the internet.
Was there some major change to cause this to happen?
Yes – v6 of the tasks now download the scanner from GitHub. This was done for a few reasons:
- No longer require a new release of the Scanner for Azure DevOps to allow users to use the newest version of the scanner
- When there’s a bug in the newest version of the scanner, make it easy for users to revert to an older version without having to release a new version of the task
And as far as I’m aware there was supposed to be a helpful message to tell you what to do in case you don’t have access to the internet… I’m following up on that.
With the newest update to the Azure DevOps SonarQube extension, the scanner binaries are no longer embedded, and instead have to be downloaded over the Internet, requiring access to both binaries.sonarsource.com – and the entire github.com.
This latter requirement is proving to be very difficult, if not downright impossible, in our setup with highly limited Internet access. We cannot have open access to the entirety of GitHub.
So I ask:
- Are you able to narrow this requirement down at all? Say, down to a certain GitHub organization or a list of endpoints that are actually needed.
- If not, are we able to download the relevant scanner binaries to our VMs ourselves so that they are available locally there and do not need to be downloaded over the public Internet?
That’s good to hear. I’m just hoping all resources that need to be downloaded from the internet can either be embedded or somehow be kept in a folder, like what Azure DevOps Server has done for updating on-prem agents.
Hi,
thanks for this answer!
I wasn’t aware of this at all and was suddenly faced with this unclear error message last week.
Might it be an option to add a configuration possibility to have control over the download location?
For example, we allow access from our build agents to our Artifactory instance and some pipelines already retrieve the sonar scanners from there (Artifactory basically acting as a “proxy”).
Would be great to have this, since I definitely like the idea of having control over the scanner version without having to change the extension version and also having a more lightweight extension.
What about my suggestion to have the possibility to override the scanner location?
Just whitelisting GitHub is probably not an option for us and we already have an Artifactory proxy to binaries.sonarsource.com. Maybe even a local path could be sufficient after deploying the scanners to the build agents.