Intermittent error: You're not authorized to analyze this project

Must-share information (formatted with Markdown):

  • which versions are you using:
    SonarQube Developer Edition v10.5.1

  • how is SonarQube deployed: zip, Docker, Helm
    Not sure, almost certainly on a self-hosted VM inside the corporate network.

  • what are you trying to achieve
    Run scans consistently.

We use a SonarQubePrepare@7 task inside our Azure DevOps build pipeline yml file to run scans against our Python code on a SQ server. The DevOps project has a service connection which uses a Global type PAT token created in my user account on the SQ server. My user has Execute Analysis permission on the SQ project associated with the scan. The sonar-users group to which I belong also has global execute analysis permission.

This has been set up like this for months and 99.9% of the scans run as expected. But intermittently, when I create a new branch in my Python project, all scans by SQ appear to fail on that branch with:

16:24:34.653 ERROR You're not authorized to analyze this project or the project doesn't exist on SonarQube and you're not authorized to create it. Please contact an administrator.

The only way round this I’ve found is to create a new branch with the same code changes. This is pretty frustrating, and happens to one of my colleagues occasionally too. I did see this but I’m not sure it’s related.

Hi,

While the new branch scans are failing, are analyses of other branches - with the same sonar.token value - succeeding?

 
Ann

Thanks @ganncamp. I’ve tried loads of different things today - created new branches in different ways, deleted and recreated the service connection from Azure DevOps to SonarQube, using both global and user type tokens from SQ. I’m now an admin on this server and have given myself ‘execute analysis’ permission as a user. But every single run I do now fails - unless I trigger a run on the master branch! If I ask someone else to trigger a run on my branch, that too fails with the same error: You're not authorized to analyze this project...

Hi,

Okay, first 10.5.1 is a bit long-in-the-tooth at this point. Can you upgrade to the current version, 2025.1 LTA, and see if this is replicable? To be honest, I’m not aware of anything specific w/r/t this that’s been addressed since 10.5.1, but this is an obligatory first ask.

Also is the pipeline exactly the same for main and branches, or are there two different sets of commands? I’m focused on this part of the error when I ask that:

You’ve got global analyze. Do you have global create?

Also, can you provide a full, debug analysis log starting from the analysis command itself?

 
Thx,
Ann

Hi Ann,

Yes, we also have access to a much more recent SonarQube Enterprise server. The long-term plan is to switch to using that instead but some networking issues between that and DevOps would need to be resolved first.

The pipeline does not (AFAIK) treat different branches differently w.r.t. SonarQube. This was all working fine (except occasionally failing intermittently) until yesterday.

Yes I do have global create permission. This is what I see for me under Global Permissions > Users:

I’m running a new build on my branch now with system diagnostics enabled from DevOps. If you mean some other kind of debugging then pls let me know how to enable that.

Hi,

I’m looking for a sonar.verbose=true analysis log.

 
Thx,
Ann


Thanks. Can I share the logs with you privately pls?

Hi,

Feel free to redact them as necessary.

 
Ann

Ok, redacted logs attached, thanks.
SQ_logs_redacted.txt (52.5 KB)
Hope they reveal something useful!

Hi,

This happens right before that error you cited:

2025-02-12T17:00:13.3790749Z 17:00:13.375 INFO  Load New Code definition
2025-02-12T17:00:13.4565650Z 17:00:13.455 DEBUG GET 403 https://dev-shared.digital.geaviation.com/sonarqube/api/new_code_periods/show.protobuf?project=prodaps%3Aprodaps-python&branch=%239970-create-0.12.0-release-build-brand-new-branch1 | time=79ms
2025-02-12T17:00:13.4574829Z 17:00:13.456 DEBUG Error response content: <html>
2025-02-12T17:00:13.4575240Z <head><title>403 Forbidden</title></head>
2025-02-12T17:00:13.4575572Z <body>
2025-02-12T17:00:13.4575848Z <center><h1>403 Forbidden</h1></center>
2025-02-12T17:00:13.4576157Z <hr><center>Microsoft-Azure-Application-Gateway/v2</center>
2025-02-12T17:00:13.4576454Z </body>
2025-02-12T17:00:13.4576691Z </html>
2025-02-12T17:00:13.4577066Z , headers: {connection=[keep-alive], content-length=[179], content-type=[text/html], date=[Wed, 12 Feb 2025 17:00:13 GMT], server=[Microsoft-Azure-Application-Gateway/v2]}
2025-02-12T17:00:13.4705317Z 17:00:13.468 INFO  EXECUTION FAILURE

You should talk to your network folks.

 
HTH,
Ann
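Added example, not part of the thread and not SonarSource code: a small triage script for a sonar.verbose=true log like the one quoted above. It lists each HTTP error response with its decoded query parameters and `server` banner, and marks whether the error page came from SonarQube or from something in front of it. The sample log is constructed (placeholder host, project, branch and gateway banner), and the HTML-versus-JSON rule is an assumption about how SonarQube's Web API reports errors.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the layout of the verbose scanner log quoted above.
# Host, project, branch and gateway banner are placeholders, not thread values.
SAMPLE_LOG = """\
2025-01-01T10:00:00.0000001Z 10:00:00.000 DEBUG GET 200 https://sonarqube.example.internal/api/settings/values.protobuf?component=demo | time=40ms
2025-01-01T10:00:01.0000001Z 10:00:01.000 INFO  Load New Code definition
2025-01-01T10:00:01.1000001Z 10:00:01.100 DEBUG GET 403 https://sonarqube.example.internal/api/new_code_periods/show.protobuf?project=demo%3Aapp&branch=feature-x | time=79ms
2025-01-01T10:00:01.2000001Z 10:00:01.200 DEBUG Error response content: <html>
2025-01-01T10:00:01.2000002Z <head><title>403 Forbidden</title></head>
2025-01-01T10:00:01.2000003Z </html>
2025-01-01T10:00:01.2000004Z , headers: {connection=[keep-alive], content-type=[text/html], server=[Example-Gateway/v2]}
2025-01-01T10:00:01.3000001Z 10:00:01.300 INFO  EXECUTION FAILURE
"""

REQ = re.compile(r"DEBUG (?:GET|POST) (\d{3}) (\S+) \| time=")
HDR = re.compile(r"([\w-]+)=\[([^\]]*)\]")


def triage(log_text):
    """Return one finding per HTTP error response seen in the scanner log."""
    findings, current = [], None
    for line in log_text.splitlines():
        m = REQ.search(line)
        if m:
            current = None
            if int(m.group(1)) >= 400:
                url = urlsplit(m.group(2))
                current = {
                    "status": int(m.group(1)),
                    "path": url.path,
                    # Decoded parameters, for comparing failing and passing requests.
                    "params": {k: v[0] for k, v in parse_qs(url.query).items()},
                    "server": None,
                    "origin": "unknown",
                }
                findings.append(current)
        elif current is not None and ", headers: {" in line:
            headers = dict(HDR.findall(line.split(", headers: {", 1)[1]))
            ctype = headers.get("content-type", "")
            current["server"] = headers.get("server")
            # Assumption: SonarQube's Web API reports errors as JSON, so an
            # HTML error page was produced by something in front of it.
            if ctype.startswith("text/html"):
                current["origin"] = "intermediary"
            elif "json" in ctype:
                current["origin"] = "sonarqube"
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["status"], f["origin"], f["server"], f["path"], f["params"])
```

An `intermediary` result means permissions and tokens on the SonarQube side were never evaluated for that request, so the decoded `params` are what to hand to whoever manages the gateway rules.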

Thanks for looking at the logs. But then why would it work for the master branch, as surely a network issue would block all branches?

Hi,

For that, you really need to talk to your network folks. I can only guess that the query string for a branch contains some phrase that’s “triggering” the proxy.

 
HTH,
Ann


@ganncamp - thank you so much! By trial and error I found that something’s changed recently (in the firewall protecting SonarQube?) that means that any branch names that include a hyphen (‘-’) will trigger the 403 error and hence:

ERROR You're not authorized to analyze this project or the project doesn't exist on SonarQube and you're not authorized to create it. Please contact an administrator.

If I replace all the hyphens in the original branch name with underscores then the build passes fine. I’ll follow up with the SQ admin as there may have been some recent firewall changes (as hyphens in branch names were working as recently as 10 Feb.)…


Just a suggestion for SonarSource, assuming this hasn’t already been done in a later release of SonarQube…

Perhaps the error message displayed in response to a 403 (You're not authorized...) can be reworded to include the possibility of a network or firewall error; as I wasted many hours yesterday needlessly fiddling with my user permissions, PAT tokens and DevOps service connections. The existing error message led me down a blind alley.
