Pull Request decoration in azure devops

Hi,

I 've made some improvements in CI to make the pull requests decoration working with azure devops
If i set a token int ‘Prepare Sonar Cloud’ task like this :
``

  • task: SonarCloudPrepare@1
    displayName: ‘Prepare analysis on SonarCloud’
    inputs:
    SonarCloud: ‘SonarCloud’
    organization: ‘MyOrganization’
    scannerMode: ‘MSBuild’
    projectKey: ‘MyProjectKey’
    projectName: ‘MyProjectName’
    extraProperties: |
    sonar.pullrequest.vsts.token.secured=ezfdcogjareg7xzjk6a
    ``
    It works : i have a decoration in my pull request preventing the merge to occurs when the quality gate has failed. That’s ok.

But if i change the token to use $(System.AccessToken) nothing is added.
So i 've checked the backgound task log AXkUeoz-pCU09BoF-Uuu to search the reason. I can see in the log the token has been sent:
- sonar.pullrequest.vsts.token.secured=******

Is there a way to verify in the sonar cloud log if it’s an access problem (eg: Project Collection Build Service account not having the write access in my azure devops project) or if the decoration has not been sent ?

Thanks
Ced

Azure DevOps

  • CI system used Azure DevOps
  • Languages of the repository C#

Hi @CedricConnes

Be careful to not mix Token’s type here.

  • sonar.pullrequest.vsts.token.secured should be a Personal Access Token that you create on Azure DevOps, so that SonarCloud can use it to call Azure DevOps REST APIs. I would highly recommend you to set it either at your project level (on SonarCloud), or at organization level (if you decide to go for binding your organization/repository, if it’s not already the case), this will avoid some potential leaks, this is a password :wink:
  • System.AccessToken : this is an internal OAuth token used by the build agents to make calls against the Azure DevOps API : in that sense, this will not work for SonarCloud to call AzDo APIs
  • 3rd type of token if the one you set on the SonarCloud service connection, allowing the build agent and the scanners to call SonarCloud’s APIs

HTH
Mickaël

Thanks for your help mickael.

I 've some more questions when reading your message:

  • In fact it’s because the pat stored in the token.secured is a password which make me not use one’s mine: everybody acceding to the sources could use it.
  • Why System.AccessToken will not work for SonarCloud use ?
  • When the token expires i need to renew it in only one place and not in several yml store in several repositories : again a pat is not very practical
  • System.AccessToken seemed to me a good candidate : it has a short time live and it is automatically renewed by azure.

Ced

Our good practice here is to link your Azure DevOps organization with your SonarCloud one : You will be asked for one and only one PAT at the beginning of the operation, and organization setting will be the only place to update it when it will expire.

In fact, the organization has been linked to github by mistake when it has been created in sonar cloud.
I asked to sonar if there is a way to rebind it on our azure dev ops and the answer was no.
So I asked to my manager, if i could delete and recreate the organization in sonar cloud and his answer was no: all the divisions of our organization are using this sonar cloud account.

So any idea, i could try ?
Ced

Have you tried creating a manual project on SonarCloud by chance ?

Yes, i create all my projects manually : ‘Analyse Nex Project’ > ‘create a project manually’ > i configure project keyand name but there is nothing else available.

Ced