We recently upgraded from 8.9.6 LTS to 9.9.0 LTS, using the docker-sonarqube enterprise installation. We are using GitHub Enterprise and Jenkins CI.
Ever since the upgrade our Quality Gate reporting to PRs has not functioned. We believe the root cause is due to an authentication issue with the DevOps Platform Integration settings.
We were using a GitHub App and registered it with SonarQube under Configuration → General Settings → DevOps Platform Integration → GitHub as per this documentation.
I am consistently seeing “Authentication failed, verify the Client Id, Client Secret and Private Key fields” when clicking on “check configuration”.
I have done the following:
Regenerated the client secret and private key multiple times (key added both with and without the ‘begin key’ header/footers and terminating newline)
Double checked the App ID and Client ID
Ensured we are using the correct GitHub API URL (it is https://<instance URL>/api/v3)
Ensured we are using the HTTPS protocol
The Callback URL is now the base URL and we removed the “/oauth2/callback” suffix, as per the docs
Updated the permissions required as per the docs
Removed the Webhook URL as per the docs
Created a new GitHub App from scratch (also fails with the same error)
We can log in using our GitHub credentials so authentication isn’t an issue for devs to connect to the server.
Quality Gate reporting and authentication with the GitHub App worked fine on 8.9.6 LTS.
Any insights on what else I can try or what terms I can search in the logs for clues?
No, there isn’t anything between SonarQube and GitHub that could be interfering.
More things we’ve tried:
Re-enabled the webhook and added a webhook secret since the logs in web.log stated “2023.03.14 17:33:47 WARN web[AYbcRuoL0yMVBBdKCF/k][o.s.s.a.GithubWebhookAuthentication] Unauthenticated calls from GitHub are forbidden. A webhook secret must be defined in the GitHub App with Id 16.”
Reporting Quality Gate status on GitHub branches requires an additional permission (9.0)
When working in private GitHub repositories, you need to grant read-only access to the Contents permission on the GitHub application that you’re using for SonarQube integration. See the GitHub integration documentation for more information.
So I need to double-check: did you grant all perms listed in the docs you linked to?
PR decorations suddenly started working again and the DevOps Platform Integration for GitHub is now reporting that the authentication succeeds.
I have done nothing to change the SonarQube server or GitHub App settings since my last message. I have confirmed that the settings have remained the same.
I wish I knew what was wrong and how it was fixed, this is frustrating.
I’ve got a similar issue where the logs have a bunch of these:
[o.s.s.a.GithubWebhookAuthentication] Failed to authenticate payload from Github webhook. Either the webhook was called by unexpected clients or the webhook secret set in SonarQube does not match the one from Github.
We have had it for some time and are now running 10.1.
I thought it was the same issue as yours at first, but I am not sure if that is the case.
PR decoration has failed again after working for nearly a year.
I am seeing this in the logs now:
2024.03.20 10:12:18 WARN web[AY4acW5RhoLBvkLMdaQf][o.s.s.a.GithubWebhookAuthentication] Unauthenticated calls from GitHub are forbidden. A webhook secret must be defined in the GitHub App with Id 1.
2024.03.20 10:12:19 WARN web[AY4acW5RhoLBvkLMdaQh][o.s.s.a.GithubWebhookAuthentication] Unauthenticated calls from GitHub are forbidden. A webhook secret must be defined in the GitHub App with Id 16.
2024.03.20 10:12:34 INFO ce[AY5bVt5e38wDzU7oHz3M][o.s.c.t.p.a.p.PostProjectAnalysisTasksExecutor] Webhooks | globalWebhooks=7 | projectWebhooks=0 | status=SUCCESS | time=20640ms
2024.03.20 10:12:35 WARN ce[AY5bVt5e38wDzU7oHz3M][o.s.a.c.g.GithubApplicationHttpClientImpl] GET response did not have expected HTTP code (was 401): {"message":"'Issued at' claim ('iat') must be an Integer representing the time that the assertion was issued","documentation_url":"https://docs.github.com/enterprise-server@3.9/rest"}
2024.03.20 10:12:35 WARN ce[AY5bVt5e38wDzU7oHz3M][o.s.a.c.g.GithubApplicationHttpClientImpl] GET response did not have expected HTTP code (was 401): {"message":"'Issued at' claim ('iat') must be an Integer representing the time that the assertion was issued","documentation_url":"https://docs.github.com/enterprise-server@3.9/rest"}
2024.03.20 10:12:35 ERROR ce[AY5bVt5e38wDzU7oHz3M][o.s.c.t.p.a.p.PostProjectAnalysisTasksExecutor] Execution of task class com.sonarsource.G.D.d failed
java.lang.NullPointerException: Cannot invoke "org.sonar.alm.client.github.GithubBinding$GsonInstallation$Permissions.getChecks()" because the return value of "org.sonar.alm.client.github.GithubBinding$GsonInstallation.getPermissions()" is null
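The 401 in the log above is GitHub rejecting the GitHub App JWT because its 'iat' claim is not an integer; the permissions NPE that follows is just the consequence of that failed call. The following is an added example (not SonarQube's or GitHub's code) of how a GitHub App JWT claim set must look (whole-second 'iat' and 'exp', 'iat' backdated for clock drift, lifetime at most 10 minutes, 'iss' set to the App ID) plus a diagnostic that decodes a token's payload without verifying it and lists every reason GitHub would answer 401. The App ID 16 is taken from the log lines; the timestamps are constructed sample values.

```python
import base64
import json

MAX_LIFETIME_S = 600  # GitHub caps a GitHub App JWT's lifetime at 10 minutes
CLOCK_DRIFT_S = 60    # GitHub's documented allowance for clock drift


def github_app_jwt_claims(app_id: int, now: float) -> dict:
    """Claim set for a GitHub App JWT as GitHub expects it: 'iat' and 'exp'
    are whole epoch seconds (never floats), 'iat' is backdated 60 s for
    drift and 'iss' is the App ID (e.g. the "Id 16" seen in the log)."""
    iat = int(now) - CLOCK_DRIFT_S
    return {"iat": iat, "exp": iat + MAX_LIFETIME_S, "iss": str(app_id)}


def unsigned_jwt(claims: dict) -> str:
    """Compact JWT with an empty signature, for local inspection only."""
    def enc(obj) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."


def jwt_payload(token: str) -> dict:
    """Unverified claim set of a compact JWT (diagnosis, not authentication)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose_claims(claims: dict, now: float) -> list:
    """List every reason GitHub would answer 401 for this claim set."""
    def is_int(v) -> bool:  # bool is a subclass of int; exclude it
        return isinstance(v, int) and not isinstance(v, bool)
    iat, exp = claims.get("iat"), claims.get("exp")
    problems = []
    if not is_int(iat):
        problems.append("iat is not an integer (floats and strings are rejected)")
    if not is_int(exp):
        problems.append("exp is not an integer")
    if is_int(iat) and iat > now + CLOCK_DRIFT_S:
        problems.append("iat lies in the future beyond the clock-drift allowance")
    if is_int(exp) and exp <= now:
        problems.append("token has already expired")
    if is_int(iat) and is_int(exp) and exp - iat > MAX_LIFETIME_S:
        problems.append("lifetime exceeds the 10-minute maximum")
    if not claims.get("iss"):
        problems.append("iss (the GitHub App ID) is missing")
    return problems
```

Running diagnose_claims over the payload of a token captured from the failing client (a debug log or an egress proxy) pinpoints which of GitHub's rules is violated before touching any private key; the sample tokens here are constructed.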