I want to responsed the line and code values from component.sources using the API

SonarQube Server / Community Build
1

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube Server / Community Build, Scanner, Plugin, and any relevant extension)
  • how is SonarQube deployed: zip, Docker, Helm
  • what are you trying to achieve
  • what have you tried so far to achieve this

Do not share screenshots of logs – share the text itself (bonus points for being well-formatted)!

I am currently using “SonarQube Community Edition v25.3.0.104237”.
I want to create a report based on the scan results, and I’m including the following details for each issue:

Issue Message: This API (java/io/File.(Ljava/lang/String;)V)...
Severity: MAJOR
Component: author_gradle:src/test/java/TooManyEmptyNewLines.java
StartLine: 68

These values are retrieved successfully from the following API call:

curl -X GET "http://sonarqube25:9000/api/issues/search?components=author_gradle&s=FILE_LINE&impactSoftwareQualities=SECURITY&issueStatuses=CONFIRMED,OPEN&severities=MAJOR,CRITICAL,BLOCKER" \
     -H "Authorization: Bearer sqp_c65b28b9bb0d03657d0c2e04bc2a8be83f92c538" \
     -H "Accept: application/json" | jq

However, I would also like to include the actual “source code line” corresponding to the startLine in the report.
I found that the SonarQube web page uses this endpoint :

image
image2024×494 40.2 KB

image
image1766×132 2.81 KB

http://sonarqube25:9000/api/sources/issue_snippets?issueKey=201a43c8-ce49-49b4-a419-d00458199350

And in the browser, this API returns the correct source code snippet.
But when I try to access the same endpoint via curl:

curl -X GET "http://sonarqube25:9000/api/sources/issue_snippets?issueKey=201a43c8-ce49-49b4-a419-d00458199350" \
     -H "Authorization: Bearer sqp_c65b28b9bb0d03657d0c2e04bc2a8be83f92c538" \
     -H "Accept: application/json" | jq

I receive the following error:

{
  "errors": [
    {
      "msg": "Insufficient privileges"
    }
  ]
}

I’m certain this is not a token issue, because
The same token successfully retrieves issue metadata.
The token was generated by the Administrator account with full privileges.
The project is public and all necessary permissions (including “See Source Code”) are granted.

I also tested the "GET api/sources/show" API provided by SonarQube directly from the web:

curl -X GET "http://localhost:9000/api/sources/show?key=author_gradle:src/test/java/TooManyEmptyNewLines.java&from=68&to=68" \
     -H "Authorization: Bearer sqp_c65b28b9bb0d03657d0c2e04bc2a8be83f92c538" \
     -H "Accept: application/json" | jq

But I keep getting the same "Insufficient privileges" error, even though the token I’m using was generated when the project was created and has all global permissions.
Even with an admin-level token, the same error persists.

image
image2470×830 134 KB

image
image2388×218 12.5 KB

image
image2392×686 40.3 KB

So my questions are:

  1. Is there any additional parameter or special requirement needed to access this API via curl?
  2. Is /api/sources/issue_snippets intended for internal use only and not part of the public REST API?
  3. What is the correct endpoint and required parameters to use for this API?
2

You appear to be using a token prefixed with sqp – which is a project-specific analysis token. You should generate a user token (it will be prefixed with squ_ to have full API access that reflects your account permissions. Read more about tokens here.

3

I’ve solved it, thank you so much.!