Bitbucket - Pull request decoration did not happen

For a few weeks I have been seeing the following message: "Pull request decoration did not happen. The SonarCloud organization is not bound to Bitbucket Cloud. Please install the SonarCloud application on Bitbucket Cloud, or read the "How to bind an existing organization?" section in the "Organizations" documentation page to fix your setup." I know this happens when you don't have an organization linked to Bitbucket, but nothing has changed.

The situation:
My company has a workspace which my team and I are part of. We have a Bitbucket team account which is also a member of the company workspace. The team account is bound to our Sonar organization. The only thing that happened is that we changed the team account password a few weeks ago. We build our code with AWS CodeBuild and pass all the required sonar.pullrequest params.

Can a password change on the Bitbucket account linked to the organization cause this issue?

    mvn clean verify -B -e sonar:sonar \
      -Dsonar.login= \
      -Dsonar.host.url=https://sonarcloud.io \
      -Dsonar.pullrequest.key= \
      -Dsonar.pullrequest.branch= \
      -Dsonar.pullrequest.base= \
      -Dsonar.pullrequest.bitbucketcloud.repository= \
      -Dsonar.pullrequest.bitbucketcloud.owner= \
      -Dsonar.pullrequest.bitbucketcloud.triggerCommit= \
      -Dsonar.projectKey= \
      -Dsonar.qualitygate.wait=true \
      -Dsonar.qualitygate.timeout=300 \
      -Dsonar.organization=
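As an added example (not code from the original post or from SonarSource), a small POSIX sh preflight for the CodeBuild step above: it refuses to start the analysis when any sonar.pullrequest value is empty, and checks that the repository owner is the Bitbucket workspace bound to the SonarCloud organization, since decoration only happens for that owner. The SONAR_* and BOUND_WORKSPACE environment variable names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes the PR metadata is
# exported by the build environment under the (hypothetical) names below.

# Fail, naming the first missing variable, so the build stops before mvn runs
# instead of submitting an analysis with blank -Dsonar.pullrequest.* values.
check_sonar_pr_env() {
  for v in SONAR_PR_KEY SONAR_PR_BRANCH SONAR_PR_BASE SONAR_BB_REPO \
           SONAR_BB_OWNER SONAR_PROJECT_KEY SONAR_ORG BOUND_WORKSPACE; do
    eval "val=\${$v}"
    if [ -z "$val" ]; then
      echo "preflight: required variable $v is empty" >&2
      return 1
    fi
  done
  return 0
}

# Decoration is only performed when the repo owner ($1) is the Bitbucket
# workspace bound to the SonarCloud organization ($2).
check_pr_owner() {
  [ "$1" = "$2" ]
}

# Print one -D argument per line for the PR analysis, or fail the preflight.
sonar_pr_args() {
  check_sonar_pr_env || return 1
  if ! check_pr_owner "$SONAR_BB_OWNER" "$BOUND_WORKSPACE"; then
    echo "preflight: owner '$SONAR_BB_OWNER' is not the bound workspace '$BOUND_WORKSPACE'" >&2
    return 1
  fi
  printf '%s\n' \
    "-Dsonar.pullrequest.key=$SONAR_PR_KEY" \
    "-Dsonar.pullrequest.branch=$SONAR_PR_BRANCH" \
    "-Dsonar.pullrequest.base=$SONAR_PR_BASE" \
    "-Dsonar.pullrequest.bitbucketcloud.repository=$SONAR_BB_REPO" \
    "-Dsonar.pullrequest.bitbucketcloud.owner=$SONAR_BB_OWNER" \
    "-Dsonar.projectKey=$SONAR_PROJECT_KEY" \
    "-Dsonar.organization=$SONAR_ORG"
}

# Usage in the build step (sonar.login should come from a secret, not the command line):
#   args=$(sonar_pr_args) || exit 1
#   mvn clean verify -B -e sonar:sonar -Dsonar.host.url=https://sonarcloud.io $args
```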

Hi @wesleymooiman

Could you please give me the end of the logs of an analysis with that message, especially those 3 lines:

ANALYSIS SUCCESSFUL, you can find the results at: https://sonarcloud.io/dashboard?id=...
Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
More about the report processing at https://sonarcloud.io/api/ce/task?id=...

I can initiate a private thread if you prefer not to post them here.

That would be nice.

Hi @wesleymooiman, thanks for your patience.

We introduced a limitation a few weeks ago: for security reasons, SonarCloud can now only decorate projects owned by the BBC organization bound to the SonarCloud organization.

The only workaround I see so far would be to have a single SonarCloud organization bound to the company account and to analyze all the projects from it, but I understand it can be a lot of work to put that in place, and may not reflect the way your company is organized.

I have opened an internal feature ticket; I would also suggest that you open a Feature request. Interested users will be able to vote for it.

I’m really sorry for this unexpected disruption of your build process.
Have a nice day,
Claire


Hello Claire,

That is unfortunate to hear. At the moment the official guidelines in the company are that each squad/team creates its own SonarCloud account. I will discuss this limitation with my colleagues.

Hello Claire, how does this limitation improve security? As long as the organization/user bound to Bitbucket has access to the repository being scanned, it is safe, right?

Situation:
SonarCloud team bound to Bitbucket team account (organization). The user that belongs to the organization has access to all repositories being scanned. So why can we no longer decorate these repositories? Is there some limitation/flaw in the Bitbucket Cloud API where it is not safe to support this behaviour?

Hello @wesleymooiman

Firstly, I apologize for the disruption of your build process.

I thought it would help if I jumped in here. The safety of customer data is the highest priority at SonarSource, and we are continuously verifying the security of our products to ensure this.

We found an authorization behaviour that was outside of the SonarCloud security pattern. It was a small issue with no risk to customer data. We checked for customer use-cases and found none so we fixed it as good practice to avoid any possibility of exploitation. We were not able to detect instances of your configuration.

Our security pattern determines that the repo being analysed must be part of the same organisation in SonarCloud as it is in BBC. Your company’s unique configuration has circumvented that by creating the project manually and not binding the project to the BBC repo.

To avoid issues we always recommend that you import your projects from Bitbucket rather than creating them manually. This is to ensure the SonarCloud project configurations are aligned with your repository. You can find documentation on that here: SonarCloud

To rectify this issue your analysis will need to be moved to the Owner account.

I hope this helps.

Best Regards,
Mark Clements
Security Officer
