Malformed key for Project:. Allowed characters are alphanumeric, '-', '_', '.' and ':', with at least one non-digit

Dear all,

In the past several weeks we have observed a strange behavior we are running SonarQube CE 8.3.1. When running SonnarScanner-CLI (any version) our pipelines fail and we receive the following message:

ERROR: Error during SonarQube Scanner execution
ERROR: Malformed key for Project: ‘ACDSS:release/1.0.0’. Allowed characters are alphanumeric, ‘-’, ‘_’, ‘.’ and ‘:’, with at least one non-digit.
ERROR: Re-run SonarQube Scanner using the -X switch to enable full debug logging.

The strange thing about what is happening is that it only happens when we create a “new branch” in Bitbucket Server and the Bamboo server (both running on-prem) runs the pipeline. All of our current branches are being scanned with no issues and include the “/” as part of the branch name.

Here is where things get really weird with the newly created branches if we substitute the branch from ‘ACDSS:release/1.0.0’ to ‘ACDSS:release-1.0.0’ or ‘ACDSS:release_1.0.0’ the scan completes properly and is uploaded to SonarQube.

Does anyone have any idea of what might be going on considering that it has been running for 2+ years using the “/” as part of the branch name. I am wondering what I am doing wrong?

Thanks in advance for any guidance and/or suggestions.


Hi Max,

I suspect there might be an issue with the way your pipeline is configured to run a scan on a new branch. What’s going on is that for these new branches that you create, the scanner is actually considering it as a new project because the scanner parameter “” is missing. You should make sure that for any new branch created that is scanned, you pass this parameter to the scanner with the name of the branch, which can perfectly include the “/” symbol.

So, what is the command with which the scanner is being triggered in these failing pipeline jobs for new branches? Is the parameter being passed or not?

Hi Daniel,

Thank you for your reply I tried your suggestion of including but when I do that I get the following error:

**|09-Jul-2020 09:53:12|ERROR: Validation of project reactor failed:|**
**|09-Jul-2020 09:53:12|  o To use the property "" and analyze branches, Developer Edition or above is required. See for more information|**

Apparently this is a feature not available in the community edition.

Here is the command line that is executed in this case we are using an old scanner but the same behavior occurs with the latest scanner. In the previous tests we where not passing

D:\MyPrograms\sonar-scanner-\bin\sonar-scanner.bat "" -Dsonar.projectKey=ACDSS:release/1.0.0 "-Dsonar.projectName=ACDSS release/1.0.0" -Dsonar.login=****** -Dsonar.password=****** ... in: D:\Atlassian\ApplicationData\BAMBOO\xml-data\build-dir\ACDSS-DEV-JOB1

What is bizarre is that if I configure the Sonar for Bamboo plugin from Mibex and check the box saying "Escape invalid branch characters (only necessary for SonarQube versions before 5.0)" see screenshot then the scan works but it replaces “/” with and “_” but I only have to do this with new branches.

Any other suggestion or am I out of luck.

Thanks again,

Hello Max,

Indeed, I didn’t realise you were running CE. Analysing branches is only supported for Developer Edition and above, so the behaviour you encounter is normal. Therefore adding SonarScanner analysis to a CI job on a branch is not a good idea and you may very well run on issues like this!



Thanks for the explanation I really appreciate it.


Hi Daniel,

I have been working with the Bamboo SonarQube Plugin vendor MIBEX on this issue and they discovered on their side that this issue was not present with SonarQube 8.2 Community Edition meaning that we could run scans on branches and they would simply be new projects in SonarQube.

Has something changed between SonarQube 8.2 Community Edition that is causing the issue?

Thanks again for any guidance,


Hi Max,

The slash ‘/’ symbol was already documented as not accepted in version 8.2, but this was not correctly enforced by SonarQube: this is why you had no issues before. On version 8.3 ticket SONAR-12884 was implemented to fix/cover that gap.

The plugin provider may take this into account, or you may configure your project key to respect this pattern.


Hi Daniel,

Thanks again for you quick reply. Just to clarify because I am still a bit confused the “/” are no longer acceptable in 8.3 or above in the Community Edition but are acceptable In the Developer Edition and above?

Thanks and sorry to continue to pester you