Only one project can be analyzed via GitLab CI

We are running sonarqube 10.1 on an internal VM Server. We are using Gitlab CI to build and run sonar-scanner on our code. We have set up environmental variables on the CI Job for the SONAR_URL and SONAR_TOKEN. The token is a global analysis token (sqa_). The user assigned to that token has global admin with analysis permissions on all projects. We have run one scan on a project with no issues. We configured another project (same gitlab instance, same build CI Servers, same permissions on the sonarqube project), but the second project is failing on the sonar-scanner.

11:14:51.349 INFO: CPD Executor CPD calculation finished (done) | time=67ms
11:14:51.357 DEBUG: SCM revision ID 'bc91a3377cd6bb4dd70819300e4c383d403319ea'
11:14:51.442 INFO: Analysis report generated in 84ms, dir size=1.3 MB
11:14:51.626 INFO: Analysis report compressed in 184ms, zip size=732.3 kB
11:14:51.626 INFO: Analysis report generated in /home/gitlab-runner/builds/Nj97UqsK/0/research-informatics/labconnect/.scannerwork/scanner-report
11:14:51.626 DEBUG: Upload report
11:14:51.673 DEBUG: POST 403 <our URL>/api/ce/submit?projectKey=research-informatics_labconnect_AYp0lRvCt4LgbfhqfYDh | time=46ms
11:14:51.680 DEBUG: eslint-bridge server will shutdown
11:14:56.681 DEBUG: eslint-bridge server closed
11:14:57.232 INFO: ------------------------------------------------------------------------
11:14:57.232 INFO: ------------------------------------------------------------------------
11:14:57.232 INFO: Total time: 31.482s
11:14:57.297 INFO: Final Memory: 33M/120M
11:14:57.297 INFO: ------------------------------------------------------------------------
11:14:57.297 ERROR: Error during SonarScanner execution
java.lang.IllegalStateException: Failed to upload report: You're not authorized to analyze this project or the project doesn't exist on SonarQube and you're not authorized to create it. Please contact an administrator.
	at org.sonar.scanner.scan.SpringProjectScanContainer.doAfterStart(
	at org.sonar.core.platform.SpringComponentContainer.startComponents(
	at org.sonar.core.platform.SpringComponentContainer.execute(
	at org.sonar.scanner.bootstrap.SpringGlobalContainer.doAfterStart(
	at org.sonar.core.platform.SpringComponentContainer.startComponents(
	at org.sonar.core.platform.SpringComponentContainer.execute(
	at org.sonar.batch.bootstrapper.Batch.doExecute(
	at org.sonar.batch.bootstrapper.Batch.execute(
	at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(
	at com.sun.proxy.$Proxy0.execute(Unknown Source)
	at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(
	at org.sonarsource.scanner.api.EmbeddedScanner.execute(
	at org.sonarsource.scanner.cli.Main.execute(
	at org.sonarsource.scanner.cli.Main.execute(
	at org.sonarsource.scanner.cli.Main.main(
Caused by: You're not authorized to analyze this project or the project doesn't exist on SonarQube and you're not authorized to create it. Please contact an administrator.

I have verified the project key is correct. I have deleted and recreated the project in sonarqube multiple times (updating the project key each time) with the same results.

I looked at our SonarQube log (access.log) and it does not appear that a POST method is being recorded in that log.

The only solution I found was to modify the project to disable the SCM Scanner. When that is disabled, the scanning was successful. The other project does have this feature enabled and works without issue. Is there a reason why this feature can only work on one project?

Hey there.

Do you have a WAF (Web Application Firewall) or something similar sitting in front of your SonarQube instance that could be blocking requests based on some “inspection” of what’s being posted? This can often result in 403 errors being returned by the WAF that don’t show up in the SonarQube logs.

We do not have a firewall between our build agents, sonarqube, or gitlab. All of them are hosted internally. It appears the 403 is coming during the scanning when SonarQube attempts to go back to gitlab for the blame information. If we disable that setting, the scan completes successfully.

When setting up the project initially in SonarQube, we are able to connect to gitlab to obtain the git repo information. Create Project → Gitlab does return a list of all of our available repositories in Gitlab. We are also using Gitlab as the SSO for SonarQube. So we know that SonarQube is able to “talk” to gitlab.

SonarQube doesn’t get in touch with Gitlab for the blame info – it’s relying on the information stored with the code (like the .git folder), but that information is then sent to the SonarQube server.

Are you serving your SonarQube server over HTTPS?

Yes, SonarQube is being served via HTTPS with an Apache reverse proxy in front of it.

Does the 403 show up in the Apache reverse proxy logs?

Here is an error I found in our Apache logs from the time of a scan.

[Fri Sep 08 09:37:44.317444 2023] [:error] [pid 695029] [client ] [client ModSecurity: Access denied with code 403 (phase 2). Match of “eq 0” against “MULTIPART_UNMATCHED_BOUNDARY” required. [file “/etc/httpd/conf.d/mod_security.conf”] [line “86”] [id “200004”] [msg “Multipart parser detected a possible unmatched boundary.”] [hostname “”] [uri “/api/ce/submit”] [unique_id “ZPsjqG2w31xNolV6Z-E52QAAAAE”]
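The diagnostic step in this thread is correlating the scanner's `POST 403 .../api/ce/submit` with a ModSecurity denial that appears only in the Apache error log, never in SonarQube's access.log. The following is an added example, not code from the thread or from SonarSource: a small Python triage script that parses ModSecurity 2.x error-log entries into rule id, message, URI, phase and unique_id, and matches them against the failed request lines in a sonar-scanner log. The sample log lines are constructed for this example (the client IPs, hostname `sonar.example.internal`, project key and the second and third Apache lines are made up; the first Apache line is modelled on the one quoted above).

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample of an Apache error log. The first entry is modelled on the
# ModSecurity denial quoted in the thread (with a made-up client IP and hostname);
# the other two are made up to show that non-ModSecurity errors and
# ModSecurity warnings (no block) are ignored.
SAMPLE_ERROR_LOG = """\
[Fri Sep 08 09:37:44.317444 2023] [:error] [pid 695029] [client 10.0.0.5] ModSecurity: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "86"] [id "200004"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "sonar.example.internal"] [uri "/api/ce/submit"] [unique_id "ZPsjqG2w31xNolV6Z-E52QAAAAE"]
[Fri Sep 08 09:37:44.500000 2023] [proxy:error] [pid 695030] [client 10.0.0.5] AH00898: Error reading from remote server returned by /api/system/status
[Fri Sep 08 09:40:12.000000 2023] [:error] [pid 695031] [client 10.0.0.9] ModSecurity: Warning. Constructed warning for illustration. [file "/etc/httpd/conf.d/mod_security.conf"] [line "120"] [id "900001"] [msg "Constructed warning"] [hostname "sonar.example.internal"] [uri "/api/issues/search"] [unique_id "CONSTRUCTED0000000000001"]
"""

# Constructed sonar-scanner debug output, modelled on the thread's scanner log.
SAMPLE_SCANNER_LOG = """\
11:14:51.626 DEBUG: Upload report
11:14:51.673 DEBUG: POST 403 https://sonar.example.internal/api/ce/submit?projectKey=CONSTRUCTED_KEY | time=46ms
11:14:51.680 DEBUG: eslint-bridge server will shutdown
"""

# ModSecurity 2.x appends [key "value"] pairs; [client ...] and [pid ...] carry no quotes.
KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
DENY_RE = re.compile(r'ModSecurity: Access denied with code (\d+) \(phase (\d+)\)')
CLIENT_RE = re.compile(r'\[client ([^\]]*)\]')
# Scanner lines look like "DEBUG: POST 403 <url> | time=46ms".
SCANNER_REQ_RE = re.compile(r'DEBUG: (GET|POST) (\d{3}) (\S+)')


@dataclass
class WafDenial:
    status: int
    phase: int
    client: str
    rule_id: str
    msg: str
    uri: str
    hostname: str
    unique_id: str
    rule_file: str
    rule_line: str


def normalize_quotes(line: str) -> str:
    """Forum software often turns the log's straight quotes into curly ones."""
    return line.replace("\u201c", '"').replace("\u201d", '"')


def parse_denials(error_log: str) -> list:
    """Return only the entries where ModSecurity actually blocked the request."""
    denials = []
    for raw in error_log.splitlines():
        line = normalize_quotes(raw)
        m = DENY_RE.search(line)
        if not m:
            continue  # not a ModSecurity block (plain Apache error or a warning)
        fields = dict(KV_RE.findall(line))
        client = CLIENT_RE.search(line)
        denials.append(WafDenial(
            status=int(m.group(1)),
            phase=int(m.group(2)),
            client=client.group(1).strip() if client else "",
            rule_id=fields.get("id", ""),
            msg=fields.get("msg", ""),
            uri=fields.get("uri", ""),
            hostname=fields.get("hostname", ""),
            unique_id=fields.get("unique_id", ""),
            rule_file=fields.get("file", ""),
            rule_line=fields.get("line", ""),
        ))
    return denials


def scanner_failed_requests(scanner_log: str) -> list:
    """(method, status, path) for every scanner request that got a 4xx/5xx."""
    failed = []
    for line in scanner_log.splitlines():
        m = SCANNER_REQ_RE.search(line)
        if m and int(m.group(2)) >= 400:
            failed.append((m.group(1), int(m.group(2)), urlsplit(m.group(3)).path))
    return failed


def correlate(scanner_log: str, error_log: str) -> list:
    """Pair each failed scanner request with WAF denials on the same path and status."""
    denials = parse_denials(error_log)
    matches = []
    for method, status, path in scanner_failed_requests(scanner_log):
        for d in denials:
            if d.status == status and d.uri == path:
                matches.append((method, path, d.rule_id, d.msg, d.unique_id))
    return matches


if __name__ == "__main__":
    for method, path, rule_id, msg, uid in correlate(SAMPLE_SCANNER_LOG, SAMPLE_ERROR_LOG):
        print(f"{method} {path} blocked by ModSecurity rule {rule_id}: {msg} (unique_id={uid})")
```

The `unique_id` and rule id printed here are what to take to the WAF tuning: they identify the exact transaction and rule to look at, so any exclusion can be scoped to the affected path rather than relaxing the multipart checks for the whole server.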

I think this Stackoverflow post should help you.

Adjusting that setting in Apache did resolve the issue with the uploading of the scan report.
