- ALM used: GitHub
- CI system used: GitHub Actions
- Languages of the repository: Python, Docker
- SonarCloud project URL: SonarQube Cloud
As of today (May 21, 2025), the SonarCloud API endpoint for searching hotspots is returning 500 errors for public projects that previously worked without authentication. The API now seems to require authentication even for public projects.
Steps to Reproduce
Make a GET request to the hotspots search API for a public project:
```
GET https://sonarcloud.io/api/hotspots/search?projectKey=PixeeSandbox_pixee-platform-integration-test--pygoat
```
Error Observed
```
HTTP/2 500 Internal Server Error
content-type: application/json
date: Wed, 21 May 2025 13:36:53 GMT
vary: accept-encoding
content-encoding: gzip
x-cache: Error from cloudfront
via: 1.1 a204176092d05bded77f4d517d5968aa.cloudfront.net (CloudFront)
x-amz-cf-pop: MCI50-P1
x-amz-cf-id: DK0l6jdzz5L9mLM1PfXfbC7P775CZkTkDtKVfw0gHINoBnXveanW-g==
x-xss-protection: 1; mode=block
x-frame-options: DENY
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains
vary: Origin
x-http2-stream-id: 3
transfer-encoding: chunked

{
  "errors": [
    {
      "msg": "No query parameters provided to fetch group membership. One of groupId, userId, organizationId is required."
    }
  ]
}
```
Expected Behavior
The API should return the hotspots for the public project without requiring authentication, as it did previously (before May 21, 2025).
Adding a Sonar authentication token in the request header allows the API to work as expected. This suggests a change in the authentication requirements for this API endpoint.
Is this a deliberate change in the API behavior, or is it an unintended regression?
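
An added example, not part of the original post and not SonarSource code: a small client for the endpoint above that sends a token when one is available, reads the `errors` array from a failure body, and tells an anonymous 5xx (the case reported here) apart from one that occurs with a token. The function names, the `SONAR_TOKEN` variable and the use of the `Authorization: Bearer` header are assumptions; the post does not say which header it used.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

API = "https://sonarcloud.io/api/hotspots/search"  # endpoint from the post

def build_request(project_key, token=None):
    """Build the search request; attach the token only when one is given."""
    url = API + "?" + urllib.parse.urlencode({"projectKey": project_key})
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    if token:
        req.add_header("Authorization", "Bearer " + token)
    return req

def error_messages(body):
    """Return the "msg" strings from an {"errors": [...]} body, else []."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []
    errors = doc.get("errors", []) if isinstance(doc, dict) else []
    return [e.get("msg", "") for e in errors if isinstance(e, dict)]

def classify(status, sent_token):
    """Map a response to the action a caller should take."""
    if status == 200:
        return "ok"
    if status in (401, 403):
        return "auth-rejected"
    if status >= 500:
        # An anonymous 5xx may be the behaviour reported in the post.
        return "server-error" if sent_token else "retry-with-token"
    return "client-error"

def fetch(project_key, token=None):
    """Call the API once and return (action, error messages)."""
    try:
        with urllib.request.urlopen(build_request(project_key, token), timeout=10) as r:
            status, body = r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read().decode("utf-8", "replace")
    return classify(status, bool(token)), error_messages(body)

if __name__ == "__main__":
    # SONAR_TOKEN is an assumed variable name; unset means anonymous.
    print(fetch("PixeeSandbox_pixee-platform-integration-test--pygoat",
                os.environ.get("SONAR_TOKEN")))
```

Logging the returned messages alongside the action keeps the server's own wording (such as the group membership error above) available when triaging a failed pipeline run.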