Jenkins-Pipeline withSonarQubeEnv fails with Not authorized

SonarQube Server / Community Build
,
1
  • SonarQube Developer Edition v2025.6.1 (117629)
  • Jenkins 2.504.1
  • SonarQube Scanner for Jenkins Version 2.18.2
  • using Maven 3.9.12

While running the SonarQube Analysis in our Jenkins Pipeline via

stage('SonarQube analysis') {
        steps {
            withSonarQubeEnv(installationName: 'SonarQube MMS', credentialsId: 'f3133c45-7700-415d-88a5-b27aeb0ca60a') {
                withMaven(maven: 'Maven3Latest', publisherStrategy: 'EXPLICIT') {
                    sh 'env | grep SONAR'
                    sh 'mvn -X sonar:sonar'
                }
            }
        }
      }

with a valid Credential (Global Analysis-Token)
created in SonarQube

image
image1528Ă—977 70.7 KB

and set as Credential (Secret Text) in Jenkins:

image
image1534Ă—111 15.5 KB

and assign the Credential to the SonarQube-Server:

image
image1633Ă—440 29.1 KB

the output from Jenkins while performing the stage implies that everything is ok:

[2026-02-02T10:40:08.294Z] [Pipeline] sh
[2026-02-02T10:40:08.550Z] + env
[2026-02-02T10:40:08.550Z] + grep SONAR
[2026-02-02T10:40:08.550Z] SONARQUBE_SCANNER_PARAMS={ "sonar.host.url" : "https:\/\/q4deumsy1au.mms-at-work.de\/", "sonar.token" : "******"}
[2026-02-02T10:40:08.550Z] SONAR_AUTH_TOKEN=******
[2026-02-02T10:40:08.550Z] SONAR_CONFIG_NAME=SonarQube MMS
[2026-02-02T10:40:08.550Z] SONAR_MAVEN_GOAL=sonar:sonar
[2026-02-02T10:40:08.550Z] SONAR_HOST_URL=https://q4deumsy1au.mms-at-work.de/
[2026-02-02T10:40:08.559Z] [Pipeline] sh
[2026-02-02T10:40:08.814Z] + mvn -X sonar:sonar
[2026-02-02T10:40:08.814Z] Picked up JAVA_TOOL_OPTIONS: -Dmaven.ext.class.path="/var/lib/jenkins/workspace/001_Deployments/Icecatservice/eps-dev-ics-app-001_CD@tmp/withMaven73a694c4/pipeline-maven-spy.jar" -Dorg.jenkinsci.plugins.pipeline.maven.reportsFolder="/var/lib/jenkins/workspace/001_Deployments/Icecatservice/eps-dev-ics-app-001_CD@tmp/withMaven73a694c4" 
[2026-02-02T10:40:08.814Z] Apache Maven 3.9.12 (848fbb4bf2d427b72bdb2471c22fced7ebd9a7a1)
[2026-02-02T10:40:08.814Z] Maven home: /var/lib/jenkins/tools/hudson.tasks.Maven_MavenInstallation/Maven3Latest
[2026-02-02T10:40:08.814Z] Java version: 21.0.7, vendor: Azul Systems, Inc., runtime: /usr/lib/jvm/java-21-zulu-openjdk-ca
[2026-02-02T10:40:08.814Z] Default locale: en_US, platform encoding: UTF-8
[2026-02-02T10:40:08.814Z] OS name: "linux", version: "4.18.0-553.94.1.el8_10.x86_64", arch: "amd64", family: "unix"

but when the SonarScannerEngine starts it throws an error due to failed Authorisation:

[2026-02-02T10:40:14.386Z] [INFO] Starting SonarScanner Engine...
[2026-02-02T10:40:14.386Z] [INFO] Java 21.0.9 Eclipse Adoptium (64-bit)
[2026-02-02T10:40:14.637Z] [DEBUG] JVM max available memory: 3 GB
[2026-02-02T10:40:14.637Z] [WARNING] Property 'env.SONARQUBE_SCANNER_PARAMS' is encrypted. The encryption of scanner properties is deprecated and will soon be removed.
[2026-02-02T10:40:14.637Z] [DEBUG] Developer 2025.6.1.117629
[2026-02-02T10:40:14.892Z] [DEBUG] Sonar User Home: /var/lib/jenkins/.sonar
[2026-02-02T10:40:14.892Z] [DEBUG] Loading OS trusted SSL certificates...
[2026-02-02T10:40:14.892Z] [DEBUG] This operation might be slow or even get stuck. You can skip it by passing the scanner property 'sonar.scanner.skipSystemTruststore=true'
[2026-02-02T10:40:15.143Z] [DEBUG] Loaded [146] system trusted certificates
[2026-02-02T10:40:17.006Z] [DEBUG] Loaded truststore from '/usr/lib/jvm/java-21-zulu-openjdk-ca/lib/security/cacerts' containing 112 certificates
[2026-02-02T10:40:17.257Z] [INFO] Load global settings
[2026-02-02T10:40:17.257Z] [DEBUG] --> GET https://q4deumsy1au.mms-at-work.de/api/settings/values.protobuf
[2026-02-02T10:40:17.507Z] [DEBUG] <-- 401 https://q4deumsy1au.mms-at-work.de/api/settings/values.protobuf (176ms, 0-byte body)
[2026-02-02T10:40:17.508Z] [DEBUG] Error response content: , headers: {connection=[keep-alive], content-length=[0], content-security-policy=[default-src 'self'; base-uri 'none'; connect-src 'self' http: https:; font-src 'self' data:; frame-src; img-src * data: blob:; object-src 'none'; script-src 'self' 'sha256-D1jaqcDDM2TM2STrzE42NNqyKR9PlptcHDe6tyaBcuM='; style-src 'self' 'unsafe-inline'; worker-src 'self'], date=[Mon, 02 Feb 2026 10:40:17 GMT], server=[nginx/1.29.2], strict-transport-security=[max-age=31536000; includeSubDomains;], x-content-type-options=[nosniff], x-frame-options=[SAMEORIGIN], x-xss-protection=[0]}
[2026-02-02T10:40:17.508Z] [ERROR] Not authorized. Please check the user token in the property 'sonar.token' or 'sonar.login' (deprecated).
[2026-02-02T10:40:17.508Z] org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'jdk.internal.loader.ClassLoaders$AppClassLoader@8297b3a-org.sonar.scanner.bootstrap.ScannerPluginRepository': Unsatisfied dependency expressed through constructor parameter 0: Error creating bean with name 'jdk.internal.loader.ClassLoaders$AppClassLoader@8297b3a-org.sonar.scanner.bootstrap.ScannerPluginInstaller': Unsatisfied dependency expressed through constructor parameter 0: Error creating bean with name 'jdk.internal.loader.ClassLoaders$AppClassLoader@8297b3a-org.sonar.scanner.bootstrap.PluginFiles': Unsatisfied dependency expressed through constructor parameter 1: Error creating bean with name 'GlobalConfiguration' defined in org.sonar.scanner.bootstrap.GlobalConfigurationProvider: Unsatisfied dependency expressed through method 'provide' parameter 0: Error creating bean with name 'GlobalServerSettings' defined in org.sonar.scanner.bootstrap.GlobalServerSettingsProvider: Failed to instantiate [org.sonar.scanner.bootstrap.GlobalServerSettings]: Factory method 'provide' threw exception with message: Not authorized. Please check the user token in the property 'sonar.token' or 'sonar.login' (deprecated).
[2026-02-02T10:40:17.508Z] 	at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:804)

The same global analysis token used in a local maven build (set sonar.token in settings.xml) or via -Dsonar.token works well.

Any idea what’s going on here ??? How to solve the problem?

Settings the token directly via mvn sonar:sonar -Dsonar.token=XXX solves the problem but then I dont’t need the withSonarQubeEnv at all.
Apart from that, I do need the whole environment later on in the waitForQualityGate().

Thanks for your help!

Marko

2

Interestingly the authorization works then I use a Project-Analysis Token (also generated by the Administrator).
So it boils down to the fact that using the global analysis token is the only problem.
But I don’t want to generate >10 different project analysis tokens for all of our projects.

I checked the permissions: The Administratior as well as the Administrator-Groups have the analysis privilege.
The same applies for the privilege settings for the project.

3

Hi Marko,

Welcome to the community!

When you used a project-analysis token, was it passed to analysis via the same mechanisms? I.e. withSonarQubeEnv, Jenkins Credential, & assigning the Credential to the Server?

Because I’m wondering if those mechanisms are the problem. You said the global-analysis token worked when you passed it directly into analysis with -Dsonar.token. So it’s really not the token that’s the problem. You’ve proven that part out already.

4

Hi there!

It works if i put the Project Analysis Token as credentiald … see below

stage('SonarQube Analysis') {
        steps {
            withSonarQubeEnv(installationName: 'SonarQube MMS', credentialsId: '8aabc79a-3215-46ce-b383-b3f9373ddf89') {
                withMaven(maven: 'Maven3Latest', publisherStrategy: 'EXPLICIT') {
                    sh 'mvn sonar:sonar'
                }
            }
        }
      }

this way I’m overring the Global Analysis Token) set in the Jenkins SonarQube-Server-Setting:

image
image1648Ă—498 38.3 KB

it also works left out the credentialsId at all

stage('SonarQube Analysis') {
        steps {
            withSonarQubeEnv(installationName: 'SonarQube MMS') {
                withMaven(maven: 'Maven3Latest', publisherStrategy: 'EXPLICIT') {
                    sh 'mvn sonar:sonar'
                }
            }
        }
      }

and setting the Project Token in the Jenkins SonarQube-Server-Setting

image
image1708Ă—642 56.5 KB

But that is not what I want - providing plenty of different Analysis-Tokens for >10 different pipelines/projects … poluting the Jenkins Files with unneeded Ids

As you can see here the global token as well as the project token are established at Admin-Level:

image
image1766Ă—714 49 KB

Thanks and best regards
Marko

5

I couldn’t believe my eyes, but I found the reason:

It might sound crazy, but repeatedly, simply “copying” the created global or project analysis tokens into Jenkins Credentials seems to have gone wrong.
As a result, they were incorrectly stored in Jenkins (and then, of course, no longer visible).
This explains, why a project key works but other global keys or project keys not.
After removing the affected Jenkins Credentials and create them afresh everything works like a charm.

Thank you very much, also for your time.

1 Like
6

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.