Bug report: Web API endpoint search_gitlab_repos lists old component data instead of new

I found what I believe is a bug in one of the endpoint api/alm_integrations/search_gitlab_repos

It will return the GitLab project’s original values for

  • “sqProjectKey”: “x_y_z_int001_code_AXwmuUqhccjl3LgiYrr0”,
  • “sqProjectName”: “x.lips3.test.integrations.int001”

instead of the current ones (see e.g. components/show):

“component”: {
“key”: “x_y_z_ms001_code_AXwmuUqhccjl3LgiYrr0”

The two keys are two different components, but the api/alm_integrations/search_gitlab_repos is listing the old (incorrect one).

After some more resource, I found out that there were in fact two components that had the same GitLab project id and the older one was the one showing up in search_gitlab_repos instead of the current one.

I consider this a bug. The API should show the information for the current GitLab projects.

@ganncamp Just ping so that the thread does not close due to 7 days.

Hi @lfvjimisola ,

Thank you for reporting it. I’ll try to look closer at it sometime this week and will get back to you.

Best regards,

Any updates? I had a meeting with PO Python ecosystem who said that there was something going on behind the scenes (from what she could see), but nothing has been communicated here.

It’s a blocker for us since you, as expected, don’t get the accurate (i.e. up-to-date) information.

Hi @lfvjimisola,

When you say that:

Does this mean that the old one no longer exists? In the result, do you see just one component? Also, can you maybe share the full request/response? I can open personal messages for that.

Best regards,


But, components exists in JFrog for the particular GitLab project id. But, in GitLab one no longer exists as the group id and artifact id in pom.xml has changed.

I’m not sure if I can reproduce since I had to remove the old component in order to be able to continue.

To reproduce this should work,

  1. create a minimal maven project, artifact id = artifact_org
  2. Create the project in SonarQube (GitLab linked)
  3. Run sonarscanner, confirm that there is data for the project in SonarQube
  4. Change the artifact id (artifact_new) in pom.xml
  5. Run sonarscanner

Now use the API (api/alm_integrations/search_gitlab_repos) and check which component the API returns. In our case it was artifact_org and not artifact_new.


1 Like

Could you please also clarify the following:

  1. What do you mean by artifact_org?
  2. Are you on Community Edition?
  3. How do you run sonarscanner?
  4. How do you use api/alm_integrations/search_gitlab_repos?

Best regards,


is changed to e.g.

  1. No, Developer Edition.

maven projects: maven plugin
python projects: pysonar-scanner (ping @jean.jimbo ;))
others: sonarscanner cli

In Java, like this but you can just use the endpoints directly to confirm.

private Mono<String> fetchProjectKey(int projectId, String projectPath, String projectName) {
		return webClient.get()
			.uri(uriBuilder -> uriBuilder.path("api/alm_integrations/search_gitlab_repos")
				.queryParam("almSetting", "LFV GitLab")
				.queryParam("p", "1")
				.queryParam("ps", 100)
				.queryParam("projectName", projectName)
			.doOnNext(response -> LOG.info("Response for search_gitlab_repos: {}", response))
			.flatMap(response ->

				List<Map<String, Object>> repositories = (List<Map<String, Object>>) response.get("repositories");
				return repositories.stream().filter(repo -> repo.get("id").equals(projectId)).findFirst().map(repo -> {
					String fullSlug = repo.get("pathSlug") + "/" + repo.get("slug");
					LOG.warn("fullSlug: {}", fullSlug);
					if (!fullSlug.equals(projectPath)) {
								"Project with ID {} has most likely changed name, token, key and/or URL as there is a difference in projectPath '{}' vs full slug '{}'",
								projectId, projectPath, fullSlug);
						return Mono.<String>empty();
					return Mono.justOrEmpty((String) repo.get("sqProjectKey"));

Hi @lfvjimisola,

I think I finally understand what might be the problem here, it’s sonar.projectKey, which isn’t explicitly specified. Your project key is a unique identifier for your project. If you are using Maven, ensure the key matches the “groupId:artifactId” format as it’s a default value for projectKey. When artifactId was changed, it created new SQ project, which isn’t bound to gitlab and won’t appear in api/alm_integrations/search_gitlab_repos results.
Please, let me know whether it makes sense.

Best regards,

As I explained to your colleague, we have created a system to auto-detect sonar key and token without the use of sonar-project.properties.

I could be wrong here, but I don’t think that you are right :thinking:

The new project is bound to GitLab because it shows if I delete the original component.
The bug here is that there are two components that have a link to the same GitLab project and, for the given endpoint, SonarQube returns the original (non-current) one.