Jenkins 2.204.1 LTS with SonarQube Scanner for Jenkins (2.11) and Sonar Quality Gates (1.3.1) plugins installed
Java 11.0.3
sonar-scanner 4.2.0.1873/linux
SonarQube Enterprise 7.9.2 / Postgres 9.6
The overall pipeline stages, using a Pipeline script implementation, are as follows:
Scan codebase using sonar-scanner using only projectName, projectKey and token parameters
Publish SonarQube analysis onto server
Gather Checkmarx information and publish it to the SonarQube dashboard
Get Quality Gate status information for validating the pipeline
The exact error returned from the Jenkins pipeline is:
org.sonarqube.ws.client.HttpException: Error 403 on HTTPS_SQ_URL/api/ce/task?id=AXKkA3nms5KcF7SnBV9f : {"errors":[{"msg":"Insufficient privileges"}]}
The HTTPS_SQ_URL/api/ce/task?id=AXKkA3nms5KcF7SnBV9f URL is reachable from the browser, where status is SUCCESS
What might be the cause of the error returned by the pipeline?
A misconfiguration in sonar.properties?
A misconfiguration in nginx.conf?
Testing the configuration says everything is fine.
Jenkins plugin versions?
Everything is fine regarding Jenkins plugins dependencies.
Missing credentials on the Jenkins side?
Token is being used with sonar-scanner for publishing analysis to SonarQube server;
The user credentials (username/password) have been added to the Jenkins credential pool.
The error is telling you that the request that’s made to get the Quality Gate status is being done without the correct credentials.
And, I see that you’re using a 3rd-party Jenkins plugin to get QG status into your Jenkins job. You know that’s not necessary, right? That’s what SonarQube’s built-in webhooks are for. The setup is documented here.
I’ve code-formatted your pipeline code (``` on the line before and on the line after) for easier reading.
I think the problem here is that the credentials that would normally be used from the global ‘SonarQube Staging’ server instance, are being overridden on the analysis command line with an explicit user token. That means the auth that actually has perms to the project isn’t being used for this part (from the docs I cited earlier):
Note that to prevent race conditions, when the step starts (or is restarted) a direct call is made to the server to check if the task is already completed.
BTW, I know you’ve already deleted that analysis token you just published to the internet, right?
And since you’ve deleted that user token, you’ll need to update your config. So make sure the globally-configured SonarQube Staging instance has the token of a user that has access to this project & you should be good.
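
The setup recommended in the replies above, written out as a declarative Jenkinsfile. This is an added example, not the original poster's pipeline or code from anyone in the thread; the project key, project name and timeout are placeholders, and `-Dsonar.login` is assumed to be the way the token was passed on the command line. It relies on the `withSonarQubeEnv` and `waitForQualityGate` steps from the SonarQube Scanner for Jenkins plugin, plus a webhook pointing at Jenkins configured on the SonarQube side.

```groovy
// Added example. Values marked "placeholder" are assumptions, not taken from the thread.
pipeline {
    agent any
    stages {
        stage('SonarQube analysis') {
            steps {
                // withSonarQubeEnv injects the server URL and the token stored for the
                // 'SonarQube Staging' instance in the Jenkins global configuration.
                withSonarQubeEnv('SonarQube Staging') {
                    // Before (the situation described in the thread): an explicit user
                    // token on the command line replaces the globally configured one,
                    // for example (assumed form):
                    //   sonar-scanner ... -Dsonar.login=$USER_TOKEN
                    // The analysis is then submitted as one identity, while the
                    // api/ce/task check is made with the instance's own token,
                    // which can end in "Insufficient privileges".
                    //
                    // After: no -Dsonar.login here, so the analysis and the later
                    // task-status call both use the instance's token.
                    sh 'sonar-scanner -Dsonar.projectKey=my-project-key -Dsonar.projectName="My Project"' // placeholders
                }
            }
        }
        stage('Quality Gate') {
            steps {
                // Bound the wait so a missing or misrouted webhook cannot hold an
                // executor forever. The 10 minute value is a placeholder.
                timeout(time: 10, unit: 'MINUTES') {
                    // Fails the build when the Quality Gate status is not OK.
                    waitForQualityGate abortPipeline: true
                }
            }
        }
    }
}
```

The token stored for the global instance should belong to an account that has access to this project and nothing more, and it should live in the Jenkins credentials store rather than in the pipeline script or job parameters.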