We are using SonarCloud tasks in Azure Pipeline to create and analyze our repositories.
While creating a new project and trying to analyze it, the SonarCloudPublish task returned the following error:
##[error]ERROR: Project not found. Please check the 'sonar.projectKey' and 'sonar.organization' properties, the 'SONAR_TOKEN' environment variable, or contact the project administrator to check the permissions of the user the token belongs to
We invested a lot of time in this issue until we tried to create the project manually in SonarCloud. There, we got the following message: Could not create Project, key already exist: app-service
Based on the following topic, it seems that the project keys are global to SonarCloud and not on an organisation scope.
Why I opened this ticket:
While the errors are both relevant, the first one that we got is misleading. Is there any chance to make it clearer for future cases?
Being limited in the projects that we can create is a pain, as this might hit us late in the project creation process. Are there any plans to make the project keys unique at an organisation level?
Probably not. I think the theory is that this 404 message is more secure than admitting that the project key is already owned by someone else. (And yes, the clear message you get at project creation kinda takes the wind out of this sail.)
Again, very fair point. I’ll raise this internally, but I’ve seen few complaints about this in the last 5 years. So I doubt there will be any movement on this any time soon.
Could there at least be clear documentation stating that each organisation should have a clear, unique prefix for their keys? We just had to modify all our project keys to match a new workaround standard because one project key was already used.
Regarding the security issue, it wouldn’t cost an ill-intended person much to find it out in the community posts. Although I agree, having the information of whether a project key is used or not available isn’t great.
Since there’s no public list to consult to make sure you’re picking a unique ID before you try to use it, I’m not sure it will be useful to add anything to the docs. But I’ll ping the docs team and let them decide on that.