Error on retrieving Quality Gate Status

The current setup is as follows:

  • Jenkins 2.204.1 LTS with SonarQube Scanner for Jenkins (2.11) and Sonar Quality Gates (1.3.1) plugins installed
  • Java 11.0.3
  • sonar-scanner 4.2.0.1873/linux
  • SonarQube Enterprise 7.9.2 / Postgres 9.6

The overall pipeline stages, using Pipeline script implementation, are as follows:

  • Scan codebase using sonar-scanner using only projectName, projectKey and token parameters
  • Publish SonarQube analysis onto server
  • Gather Checkmarx information and publish it to SonarQube dashboard
  • Get Quality Gate status information for validating the pipeline
    The exact error returned from the Jenkins pipeline is:
    org.sonarqube.ws.client.HttpException: Error 403 on HTTPS_SQ_URL/api/ce/task?id=AXKkA3nms5KcF7SnBV9f : {"errors":[{"msg":"Insufficient privileges"}]}

The HTTPS_SQ_URL/api/ce/task?id=AXKkA3nms5KcF7SnBV9f URL is reachable from the browser, where status is SUCCESS

What might be the cause of the error returned by the pipeline?

  • A mis-configuration from the sonar.properties?
  • A mis-configuration from the nginx.conf?
    Testing the configuration says everything is fine.
  • Jenkins plugins versions?
    Everything is fine regarding Jenkins plugins dependencies.
  • Missing credentials on the Jenkins side?
    Token is being used with sonar-scanner for publishing analysis to SonarQube server;
    The user credentials (username/password) have been added to the Jenkins credential pool.

Thanks,
Christian.

Hi Christian,

The error is telling you that the request that’s made to get the Quality Gate status is being done without the correct credentials.

And, I see that you’re using a 3rd-party Jenkins plugin to get QG status into your Jenkins job. You know that’s not necessary, right? That’s what SonarQube’s built-in webhooks are for. The setup is documented here.

 
HTH,
Ann

Hi Ann,

Is it the Jenkins user running the build that lacks access to SonarQube or the SonarQube tokenized user that is missing some role?

I’ll make some cleanup regarding plugins once the QG callback works.

thanks,
Christian.

Hi Christian,

Sorry, but since I believe the call is coming from the 3rd-party Jenkins plugin, I really can’t answer that.

 
:woman_shrugging:
Ann

Hi Ann,

I removed Sonar Quality Gates (1.3.1) from the Jenkins plugin set, restarted Jenkins and ran the job; the result is still the same.

Should I remove SonarQube Scanner for Jenkins (2.11) as well and try it out?

Christian.

Hi Christian,

Let’s see your pipeline code. I guess you’re making that request manually, rather than waiting for the webhook…?

Have you reviewed the documentation I pointed you to earlier?

 
Ann

Ann,

Here is the pipeline code:

```
node {
    stage("SonarQube Analysis") {
        cleanWs()
        // Injects the URL and credentials configured for the 'SonarQube Staging' server
        withSonarQubeEnv('SonarQube Staging') {
            
            sh '''
            set +x

            cp -pr /var/lib/jenkins/workspace/Build-prj/* .
            cp -pr /var/lib/jenkins/workspace/Build-prj/.scannerwork .

            /var/lib/tools/sonar-scanner-4.2.0.1873-linux/bin/sonar-scanner \
            -D sonar.projectKey=Build -D sonar.projectName=Build \
            -D sonar.login=107d0a8ec45cace6b6c5f9df483b15e7ca12eb3e
            '''
        }
    }
}

// Waits for the Quality Gate result of the analysis submitted above
stage("SonarQube Quality Gate") {
    timeout(time: 1, unit: 'HOURS') {
        def qg = waitForQualityGate()
        if (qg.status != 'OK') {
            error "Pipeline Aborted due to Quality Gate Failure: ${qg.status}"
        }
    }
}
```

Hi,

I’ve code-formatted your pipeline code (``` on the line before and on the line after) for easier reading.

I think the problem here is that the credentials that would normally be used from the global ‘SonarQube Staging’ server instance, are being overridden on the analysis command line with an explicit user token. That means the auth that actually has perms to the project isn’t being used for this part (from the docs I cited earlier):

> Note that to prevent race conditions, when the step starts (or is restarted) a direct call is made to the server to check if the task is already completed.

BTW, I know you’ve already deleted that analysis token you just published to the internet, right?

And since you’ve deleted that user token, you’ll need to update your config. So make sure the globally-configured SonarQube Staging instance has the token of a user that has access to this project & you should be good.

 
HTH,
Ann
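
Added example, not part of the thread and not SonarSource or Jenkins code: a small Python check that flags, in a pipeline script, the two problems raised in the reply above: a credential written into the script, and an explicit `sonar.login` that replaces the server credentials while `waitForQualityGate` still relies on them. The sample pipelines, the `PLACEHOLDER_TOKEN` value and the rule names are constructed for illustration; `SONAR_AUTH_TOKEN` is the variable that `withSonarQubeEnv` exposes to the build.

```python
import re

# -Dsonar.login=VALUE or -D sonar.login=VALUE (same for sonar.password)
AUTH_PROP = re.compile(r"-D\s*(sonar\.(?:login|password))=(\S+)")

# Passing the token injected by withSonarQubeEnv back to the scanner is not an override.
SERVER_TOKEN_VARS = {"$SONAR_AUTH_TOKEN", "${SONAR_AUTH_TOKEN}"}


def audit_pipeline(script):
    """Return (line, rule, property) findings for a Jenkins pipeline script."""
    wraps_env = "withSonarQubeEnv" in script
    waits_gate = "waitForQualityGate" in script
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        for match in AUTH_PROP.finditer(line):
            prop = match.group(1)
            value = match.group(2).strip("'\"")
            if value in SERVER_TOKEN_VARS:
                continue
            if not value.startswith("$"):
                # A literal value means the secret lives in the script itself.
                findings.append((lineno, "hardcoded-credential", prop))
            if wraps_env and waits_gate:
                # Analysis and quality gate lookup can run as different identities.
                findings.append((lineno, "overrides-server-credentials", prop))
    return findings


# Constructed sample: same shape as the pipeline in the thread, placeholder token.
FLAWED = '''node {
    stage("SonarQube Analysis") {
        withSonarQubeEnv('SonarQube Staging') {
            sh "sonar-scanner -D sonar.projectKey=Build -D sonar.login=PLACEHOLDER_TOKEN"
        }
    }
}
stage("SonarQube Quality Gate") {
    def qg = waitForQualityGate()
}
'''

# Constructed sample: the scanner relies on the credentials of the configured server.
CLEAN = FLAWED.replace(" -D sonar.login=PLACEHOLDER_TOKEN", "")

if __name__ == "__main__":
    for lineno, rule, prop in audit_pipeline(FLAWED):
        print(f"line {lineno}: {rule} ({prop})")
```
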

It is working.
It appears that the server authentication token was created with the wrong type on the Jenkins side.

Thank you so much.
Christian.