Orchestrator: Adding support for downloading artifacts without Jfrog

alain.kermis · February 8, 2024, 3:18pm

Good day, SonarSource Community!

As many of you are aware, since 24 January 24, community plugins can no longer make requests to JFrog via the Orchestrator library. This is due to anonymous access being disabled on JFrog: see SONAR-21476.

As of 2024-02-07T23:00:00Z, a fix has been introduced whereby users can now bypass JFrog entirely by doing the following:

Upgrade Orchestrator version to 4.7.1.1872
Utilize OrchestratorBuilder#setOrchestratorProperty(...) to override the default orchestrator.artifactory.url to central maven (or any other maven repository)
All should work after this

Please note: due to these changes, only the following aliases will work when attempting to download artifacts through Orchestrator:

LATEST_RELEASE for the latest release (in terms of version number, not date)
LATEST_RELEASE[x.y] for the latest release of a series, for example LATEST_RELEASE[5.2]
x.y.z for an exact release including build number

Please refer to the README.md for any other information.

Regards
Alain

felipebz · February 8, 2024, 5:13pm

Hi,

Thanks for the update.

I’m not sure if I should open a new topic or not, but… Unfortunately, this isn’t working anymore because the version numbers are ordered using Comparator.naturalOrder(), which is not the correct way to order them:

github.com

SonarSource/orchestrator/blob/cb5c55dbcd573b66bc8dcdcda9dc3f9484b0fe8e/sonar-orchestrator/src/main/java/com/sonar/orchestrator/util/MavenVersionResolver.java#L55C1-L57


      
          MavenRepositoryVersion mavenMetadata = downloadVersions();
          this.versions = mavenMetadata.getVersioning().getVersions();
          this.versions.sort(Comparator.naturalOrder());

As shown in the image below, this is the result after versions.sort:

As result, the getLatestVersion function will consistently return the latest 9.9.x version (currently 9.9.4.87374) instead of the latest 10.x release.

alain.kermis · February 9, 2024, 8:34am

You are indeed correct. This is a bug and a ticket has been created to deal with it. In the meantime, I suggest using LATEST_RELEASE[10] as this will work.

Many thanks for the find!

Alain

alain.kermis · February 9, 2024, 2:10pm

Hi there, @felipebz

The fix has been merged and released. Please use 4.7.1.1872 instead.

Regards

xdwangwei · December 7, 2024, 1:04pm

401 Error While Building SonarQube 7.8 Source Code on macOS 13.4

Hello everyone, I am trying to build the SonarQube 7.8 source code on macOS 13.4. I am using the command ./gradlew build, but I am encountering a 401 error. The specific error message is as follows:

* What went wrong:
A problem occurred configuring root project 'sonarqube'.
> Could not resolve all artifacts for configuration ':classpath'.
   > Could not resolve com.github.ben-manes:gradle-versions-plugin:0.21.0.
     Required by:
         project :
      > Could not resolve com.github.ben-manes:gradle-versions-plugin:0.21.0.
         > Could not get resource 'https://repox.jfrog.io/repox/plugins.gradle.org/com/github/ben-manes/gradle-versions-plugin/0.21.0/gradle-versions-plugin-0.21.0.pom'.
            > Could not HEAD 'https://repox.jfrog.io/repox/plugins.gradle.org/com/github/ben-manes/gradle-versions-plugin/0.21.0/gradle-versions-plugin-0.21.0.pom'. Received status code 401 from server:

I saw this post in the community: Orchestrator: Adding support for downloading artifacts without Jfrog, but I am not sure how to proceed with the steps mentioned. I am not very familiar with SonarQube, so could someone provide more detailed instructions?

My goal is to modify some code in sonar-scanner-engine and re-generate the sonar-scanner-engine-shaded JAR file. Any help would be greatly appreciated!

Thank you all!