Permissions error during SonarScanner CLI Docker execution

I don’t think we’re doing it
For Java, we're using the command
sonar-scanner -Dsonar.login=$${SONAR_LOGIN} -Dsonar.projectKey=$REPO_NAME -Dsonar.projectName=$REPO_NAME -Dsonar.java.binaries=. -Dsonar.branch.name=$BRANCH_NAME -Dsonar.qualitygate.wait=false -Dsonar.log.level=WARN -Dsonar.language=java -Dsonar.coverage.jacoco.xmlReportPaths=$(find "$(pwd)" -path '*jacoco.xml' | sed 's/.*/&/' | tr '\n' ',')

For Yarn:
sonar-scanner -Dsonar.projectKey=$REPO_NAME -Dsonar.projectName=$REPO_NAME -Dsonar.branch.name=$BRANCH_NAME -Dsonar.login=$${SONAR_LOGIN} -Dsonar.sources=.

From the look of your commands, I guess you are not using our image as a single step, but instead using it as a base container for your pipeline or something like this. Basically I have the feeling you are skipping our entrypoint.
In this case, you have to either:

  • ensure the default working directory (./.scannerwork) can be written by the user 1000
  • change the working directory to a place where the user 1000 will have write permission
  • revert to root user if you are extending our image and this is not a security concern for you
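An added example for the first two options above (it is not from the thread, nor from the sonar-scanner-cli image): a POSIX shell check the pipeline can run before the scanner starts. It evaluates whether uid 1000, the scanner user named in the reply, can write the default ./.scannerwork, and otherwise hands the scanner a directory it can write, so the job never has to fall back to root. Assumptions: plain POSIX mode bits only (ACLs are not examined), an ls that supports -ldn, and that the CI user owns the checkout.

```shell
# Added example, not from the thread or the sonar-scanner-cli image.

# writable_by DIR UID GID: exit 0 if the mode bits of DIR let UID (a member of
# GID) create files in it. Owner, group and mode are read from `ls -ldn`, which
# prints numeric ids in a stable layout: "drwxr-xr-x 2 1000 1000 ... DIR".
# Assumption: plain mode bits; access granted through ACLs is not detected.
writable_by() {
    dir=$1 uid=$2 gid=$3
    [ -d "$dir" ] || return 1
    [ "$uid" = 0 ] && return 0                  # root ignores mode bits
    read -r mode _ owner group _ <<EOF
$(ls -ldn "$dir")
EOF
    if [ "$owner" = "$uid" ]; then
        bit=$(printf '%s' "$mode" | cut -c3)    # owner write bit
    elif [ "$group" = "$gid" ]; then
        bit=$(printf '%s' "$mode" | cut -c6)    # group write bit
    else
        bit=$(printf '%s' "$mode" | cut -c9)    # other write bit
    fi
    [ "$bit" = "w" ]
}

# scanner_working_dir WORKSPACE UID GID: print the directory to pass as
# -Dsonar.working.directory. Keep the scanner's default (WORKSPACE/.scannerwork)
# when the scanner user can write it, or can create it because WORKSPACE itself
# is writable; otherwise create a fresh world-writable temp directory. This is
# option 2 from the reply above (move the working directory), chosen over
# option 3 (run the scan as root).
scanner_working_dir() {
    ws=$1 uid=$2 gid=$3
    default=$ws/.scannerwork
    if [ -d "$default" ]; then
        if writable_by "$default" "$uid" "$gid"; then
            printf '%s\n' "$default"
            return 0
        fi
    elif writable_by "$ws" "$uid" "$gid"; then
        printf '%s\n' "$default"                 # the scanner can mkdir it itself
        return 0
    fi
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/scannerwork.XXXXXX") || return 1
    chmod 1777 "$tmp"   # sticky + world-writable: uid 1000 can create files here
    printf '%s\n' "$tmp"
}
```

In the Cloud Build step above this would run as dir=$(scanner_working_dir /workspace 1000 1000) before the sonar-scanner call, with -Dsonar.working.directory=$dir appended to it; run inside the container with the current uid, the same check tells you whether the mount itself is the problem. When the check fails, the least-privilege fix is still the first option in the reply (chown or chmod the checkout for uid 1000) rather than switching the image to root.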

I'm using it as a single step. It's inside a Cloud Build CI, but it only launches these commands, and the entrypoint isn't changed (at least it shouldn't be).

So your solution would be to build our own custom image? The problem is that, in this case, we'll have to maintain it.

Can you share an extract of your pipeline for me to better understand how you use the image?

Yes: this is the sonar step inside the Cloud Build CI. It gets the vars from env vars.
It's set to true at the end to avoid blocking the CI if Sonar fails.

  - name: sonarsource/sonar-scanner-cli
    env:
      - REPO_NAME=$REPO_NAME
      - BRANCH_NAME=$BRANCH_NAME
      - 'SONAR_HOST_URL=$SONAR_HOST_URL'
    id: sonar
    secretEnv:
      - SONAR_LOGIN
    script: >-
      sonar-scanner -Dsonar.login=${SONAR_LOGIN} -Dsonar.projectKey=$REPO_NAME
      -Dsonar.projectName=$REPO_NAME -Dsonar.java.binaries=.
      -Dsonar.branch.name=$BRANCH_NAME -Dsonar.qualitygate.wait=false
      -Dsonar.log.level=WARN -Dsonar.language=java
      -Dsonar.coverage.jacoco.xmlReportPaths=$(find "$(pwd)" -path '*jacoco.xml'
      | sed 's/.*/&/' | tr '\n' ',') || true

The problem is that you are using the script attribute, which executes the command inside our image and bypasses our entrypoint.
To use our image's entrypoint, you should instead pass things as arguments.

Something like:

  - name: sonarsource/sonar-scanner-cli
    env:
      - REPO_NAME=$REPO_NAME
      - BRANCH_NAME=$BRANCH_NAME
      - 'SONAR_HOST_URL=$SONAR_HOST_URL'
    id: sonar
    secretEnv:
      - SONAR_LOGIN
    args:
      - '-Dsonar.projectKey=$REPO_NAME'
      - '-Dsonar.projectName=$REPO_NAME'
      - '-Dsonar.java.binaries=.'
      - '-Dsonar.branch.name=$BRANCH_NAME'
      - '-Dsonar.qualitygate.wait=false'
      - '-Dsonar.log.level=WARN'
      - '-Dsonar.coverage.jacoco.xmlReportPaths=**/*jacoco.xml'

On a side note, sonar.language has been deprecated for years. Also, if you have a Maven or Gradle project, it would be better to scan it using our Maven or Gradle scanner directly.

Thanks. Going to try this 🙂
We used the Sonar scanner for Maven earlier, but it didn't work for a big part of the project after upgrading SonarQube, so we stopped using it: Failed to create temp file sonar 9.6 - #50 by Yanis_Corselle

In fact, we can't use args instead of script, as args doesn't permit using secret envs: Use secrets from Secret Manager | Cloud Build Documentation | Google Cloud

To make it work, I'll need to do it the old way while accessing the secret from the command line: Use secrets from Secret Manager | Cloud Build documentation | Google Cloud
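An added example, not from the thread and not SonarSource's own configuration: the same step written to keep the image entrypoint (args, no script) while still taking the token from Secret Manager. It relies on the sonar-scanner-cli image reading the SONAR_TOKEN environment variable in place of -Dsonar.login, which comes from the image's own documentation rather than from this page, so treat it as an assumption to verify against your image version. PROJECT_ID, the secret name sonar-token and the _SONAR_HOST_URL substitution are placeholders. Because args go to the entrypoint without a shell, the || true of the script version becomes allowFailure: true on the step.

```yaml
# Added example (not from the thread). Token is delivered as an environment
# variable, which needs no shell expansion, so the image entrypoint stays in
# charge of the working directory and user.
steps:
  - name: sonarsource/sonar-scanner-cli
    id: sonar
    allowFailure: true            # replaces the '|| true' of the script version
    env:
      - REPO_NAME=$REPO_NAME
      - BRANCH_NAME=$BRANCH_NAME
      - SONAR_HOST_URL=$_SONAR_HOST_URL   # user-defined substitution (placeholder)
    secretEnv:
      - SONAR_TOKEN                # read by the scanner from its environment (assumption, see above)
    args:
      - '-Dsonar.projectKey=$REPO_NAME'
      - '-Dsonar.projectName=$REPO_NAME'
      - '-Dsonar.java.binaries=.'
      - '-Dsonar.branch.name=$BRANCH_NAME'
      - '-Dsonar.qualitygate.wait=false'
      - '-Dsonar.log.level=WARN'
      - '-Dsonar.coverage.jacoco.xmlReportPaths=**/*jacoco.xml'
availableSecrets:
  secretManager:
    - versionName: projects/PROJECT_ID/secrets/sonar-token/versions/latest
      env: SONAR_TOKEN
```

The token never appears on the command line this way, so it does not show up in the step's argument list or in process listings inside the container, which is also a reason to prefer it over -Dsonar.login even where a shell is available.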

Hi,
Where did you run the clean runner caches commands? Can anyone please confirm?
I am using JenkinsX as the CI/CD tool.
SonarScanner 5.0.1.3006
Java 17.0.11 Alpine (64-bit)
Linux 5.15.0-1041-azure amd64
SonarQube server 10.2.0.77647

Getting this error on a pull request:
Error during SonarScanner execution
org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'ClassRealm{javascript}-org.sonar.plugins.javascript.eslint.BridgeServerImpl': Unsatisfied dependency expressed through constructor parameter 4; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'AnalysisTempFolder' defined in org.sonar.scanner.analysis.AnalysisTempFolderProvider: Unsatisfied dependency expressed through method 'provide' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'DefaultInputProject' defined in org.sonar.scanner.scan.InputProjectProvider: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.sonar.api.batch.fs.internal.DefaultInputProject]: Factory method 'provide' threw exception; nested exception is java.lang.IllegalStateException: Fail to create working dir: /workspace/source/.scannerwork

Thanks

Hi @Anubhav_Kumar1,

Welcome to the community!

Have you tried

Are you sure you’re using the latest version of the image?

 
Ann

Hi ,
Yes, I am using the latest version of sonar-scanner-cli: https://hub.docker.com/layers/sonarsource/sonar-scanner-cli/latest/images/sha256-0bc49076468d2955948867620b2d98d67f0d59c0fd4a5ef1f0afc55cf86f2079?context=explore
And where do I need to run this clear runner caches? Can you please let me know?
Thanks

Hi,

This is going to be CI-specific. You may want to contact your provider. Your other option is to fall back to the 5.0.1 version.

 
HTH,
Ann

Hi,
We are using Jenkins-X only for CI.
And can you share the link for the 5.0.1 image from the Docker Hub registry?
Thanks

Hi G Ann Campbell,
Any updates on this please?
Thanks

Hi G Ann Campbell ,
I just wanted to understand in which image version of SonarScanner the issue below got fixed:
Error during SonarScanner execution
org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'ClassRealm{javascript}-org.sonar.plugins.javascript.eslint.BridgeServerImpl': Unsatisfied dependency expressed through constructor parameter 4; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'AnalysisTempFolder' defined in org.sonar.scanner.analysis.AnalysisTempFolderProvider: Unsatisfied dependency expressed through method 'provide' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'DefaultInputProject' defined in org.sonar.scanner.scan.InputProjectProvider: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.sonar.api.batch.fs.internal.DefaultInputProject]: Factory method 'provide' threw exception; nested exception is java.lang.IllegalStateException: Fail to create working dir: /workspace/source/.scannerwork

Hey @Anubhav_Kumar1

GitLab has a Clear Cache button on their UI in the pipelines view.

I haven’t used JenkinsX, so I wouldn’t know where to look, but there could also be a similar button/mechanism for clearing your pipeline cache.

If there isn’t, it might be worth reading up on how your pipeline software stores cache, and subsequently how it can be modified/cleared in order to get your sonar job working again.

1 Like

Okay, thank you MaxAtBelmond.
Let me check in the documentation side for Jenkins-X.

Thanks

1 Like

We're not able to set -Dsonar.working.directory when running the latest sonar-scanner-cli Docker image. It looks like the value is overridden from some default location, and this directory needs to be accessible in our Jenkins CI workspace to evaluate the Quality Gate status.

WARN: Property 'sonar.working.directory' with value '/sonar/.scannerwork' is overridden with value '/tmp/.scannerwork'

NOTE: Downgrading to sonarsource/sonar-scanner-cli:5.0.1 works.

2 Likes
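An added example that is not part of the post above: a small shell helper that reads the scanner log for exactly the WARN quoted there and works out where the scanner really put its working directory, so a Quality Gate step can locate the report, or fail with a clear message when the image has moved the directory out of the CI workspace. It assumes the standard scanner layout in which report-task.txt, holding the ceTaskUrl that Quality Gate polling uses, is written into the working directory; that file is not mentioned in the thread. The log lines in sample_log are constructed, apart from the WARN line taken from the post.

```shell
# Added example (not from the thread). Resolves the effective working directory
# from the scanner log instead of trusting the -Dsonar.working.directory value
# that was requested.

# Constructed sample log; only the WARN line is the one quoted in the post above.
sample_log() {
    cat <<'EOF'
INFO: Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
INFO: SonarScanner 5.0.1.3006
WARN: Property 'sonar.working.directory' with value '/sonar/.scannerwork' is overridden with value '/tmp/.scannerwork'
INFO: Analysis total time: 12.345 s
EOF
}

# effective_working_dir REQUESTED < scanner.log: print the directory the scanner
# ended up using. The last override WARN for sonar.working.directory wins; with
# no such line the requested value stands.
effective_working_dir() {
    eff=$(sed -n "s/.*Property 'sonar\.working\.directory' with value '[^']*' is overridden with value '\([^']*\)'.*/\1/p" | tail -n 1)
    printf '%s\n' "${eff:-$1}"
}

# report_task_path WORKSPACE REQUESTED < scanner.log: print the path of
# report-task.txt, which the scanner writes into its working directory
# (assumed standard layout, not stated in the thread). Fails when that
# directory lies outside WORKSPACE, which is the situation described above
# where the CI job can no longer read it.
report_task_path() {
    ws=$1
    dir=$(effective_working_dir "$2")
    case $dir in
        "$ws"/*)
            printf '%s\n' "$dir/report-task.txt" ;;
        *)
            printf 'sonar working dir %s is outside workspace %s: the image overrode sonar.working.directory; pin an image that honours it (the post reports 5.0.1 does)\n' "$dir" "$ws" >&2
            return 1 ;;
    esac
}

# ce_task_url REPORT_FILE: the SonarQube Compute Engine task URL that Quality
# Gate polling reads from report-task.txt.
ce_task_url() {
    sed -n 's/^ceTaskUrl=//p' "$1"
}
```

Run the scanner with its output tee'd to a file, then report=$(report_task_path "$WORKSPACE" "$WORKSPACE/.scannerwork" < scanner.log) before polling $(ce_task_url "$report"); pinning the image to a tag or digest that honours the property, as the post notes 5.0.1 does, removes the surprise, but the check still catches the next silent change.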