I’m currently working on integrating SonarQube with Azure DevOps, and I’m wondering if anyone has experience configuring it to work with a read-only access token? Our security policy restricts us from granting write access, so we’re hoping to limit permissions to just what’s necessary.
Has anyone successfully set this up, or are there any known limitations or workarounds? Any insights or advice would be greatly appreciated!
We are using SonarQube Version 9.9 (build 65466) on premise.
SonarQube needs an appropriately scoped token (with read/write permissions) in order to decorate Pull Requests (with comments, and with a status check indicating whether or not the Quality Gate succeeded). These are key features of the Developer Edition of SonarQube.
That does not answer my question.
I asked specifically not to have a token with a write permission.
Secondly, I wrote “we are using SonarQube Version 9.9 (build 65466) on premise”.
You can configure a Read-only token (we don’t check the permissions in SonarQube v9.9), but you won’t be able to decorate pull requests in Azure DevOps, a key feature of Developer Edition. We can’t decorate pull requests with a read-only token because… commenting on a pull-request isn’t a read-only action. It is a write action.
I’ve tried it and I’m getting the following error: “Invalid Azure URL or Personal Access Token”.
Both are valid; I’ve confirmed it by calling the “/_apis/projects?api-version=3.0” endpoint in Azure DevOps.
I’ve downloaded the sonarqube_web.log.
This is the error in the log file. I suspect the domain certificate, but it’s fine in Chrome and curl.
2024.09.17 11:34:17 ERROR web[AZDAm+3zJ1a9YL83AEBO][o.s.a.c.a.AzureDevOpsHttpClient] Unable to contact Azure DevOps server for request [
https://[redacted]/_apis/projects?api-version=3.0]:
[PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
I’ve tried to fix that by changing the following environment variables under Windows.
JAVA_TOOL_OPTIONS
-Djavax.net.ssl.trustStoreType=Windows-MY -Djavax.net.ssl.trustStore=NUL
The JAVA_TOOL_OPTIONS options seem to be ignored.
With the following _JAVA_OPTIONS flags set, the SonarQube server did not start.
_JAVA_OPTIONS
-Djavax.net.ssl.trustStoreType=Windows-MY -Djavax.net.ssl.trustStore=NUL
A tool like SSLPoke is great for removing SonarQube from the equation and making sure your certs have been imported correctly. Can you give it a try? Make sure it’s running with the same JVM you’re starting SonarQube with.
When adjusting the trust store for SonarQube, you’ll want to make sure that you’re passing the adjusted trust store to sonar.web.javaAdditionalOpts in your conf/sonar.properties file.
Setting sonar.web.javaAdditionalOpts did the trick. Thank you.
I’ve set the following:
sonar.web.javaAdditionalOpts=-Djavax.net.ssl.trustStoreType=Windows-ROOT
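A check in the spirit of the SSLPoke suggestion above, as an added example that is not part of the thread and is not SSLPoke itself: it performs a TLS handshake using whatever trust store the JVM options select and prints the innermost failure cause, so a PKIX error can be reproduced outside SonarQube. The class name `TrustCheck` and the host in the comment are placeholders.

```java
// Added example. Class name TrustCheck and the host below are placeholders.
// Run with the same JVM and the same -D options SonarQube's web process gets, e.g.:
//   java -Djavax.net.ssl.trustStoreType=Windows-ROOT TrustCheck.java devops.example.internal 443
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
public class TrustCheck {
    /** True if the JVM's effective trust store validates the server's chain and hostname. */
    static boolean handshake(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setSoTimeout(10_000);
            // Raw SSLSockets skip hostname checks unless asked; HTTPS clients do them.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();
            for (Certificate c : socket.getSession().getPeerCertificates()) {
                if (c instanceof X509Certificate) {
                    X509Certificate x = (X509Certificate) c;
                    System.out.println("  subject: " + x.getSubjectX500Principal());
                    System.out.println("  issuer:  " + x.getIssuerX500Principal());
                }
            }
            return true;
        } catch (SSLException e) {
            // Walk to the innermost cause, e.g. SunCertPathBuilderException for a missing CA.
            Throwable root = e;
            while (root.getCause() != null) root = root.getCause();
            System.out.println("TLS handshake failed: " + e.getMessage());
            System.out.println("Root cause: " + root);
            return false;
        }
    }
    public static void main(String[] args) throws IOException {
        if (args.length < 1) {
            System.err.println("usage: TrustCheck <host> [port]");
            System.exit(2);
        }
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        for (String key : new String[] {"java.home", "javax.net.ssl.trustStoreType", "javax.net.ssl.trustStore"}) {
            System.out.println(key + " = " + System.getProperty(key, "(JVM default)"));
        }
        System.exit(handshake(args[0], port) ? 0 : 1);
    }
}
```

Exit code 0 means the chain and hostname validated against the selected trust store; exit code 1 with a certification-path root cause means the issuing CA is not in that store.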