We are experiencing some issues with the SonarCloud-AzureDevOps integration in the context of analysing pull requests. We use AzD both for hosting the Git repositories as well as for CI/CD pipelines.
For the integration we use the managed tasks SonarCloudPrepare, SonarCloudAnalyze, and SonarCloudPublish with CLI scanner mode.
The issue started when the token for SonarCloud to connect to AzureDevOps expired and we renewed it for all projects.
For most projects the renewal did not cause any issues, but for some projects slightly different problems showed up, namely that the AzD task to run the Sonar analysis cannot find the Pull Request on Sonar side during the Run Code Analysis task:
##[error]ERROR: Error during SonarScanner execution
ERROR: Could not find the pullrequest with key '12345'
ERROR: Caused by: Error 404 on https://sonarcloud.io/api/alm_integration/show_pullrequest?project=PROJECT&pullrequestKey=12345 : {"errors":[{"msg":"Unable to find the pullrequest with key \u002762850\u0027"}]}
We use TypeScript and Go and both are equally affected.
Only six out of roughly 100 projects are affected. What these projects have in common is that they have a monorepo setup, i.e. there are multiple Sonar projects for the same AzD repository.
We already checked in the SonarCloud console if the monorepo flag is still set for these projects. In fact, for some of these projects it was not set. However, enabling it again did not resolve the issue.
In addition, we already checked that the tokens for the AzureDevOps-SonarCloud integration are valid for both directions.
It also works for the analysis of the main/master branch in our release pipelines for these projects, just not for Pull Requests.
Please accept my apologies for the delay in starting to investigate your issue; I will take care of it.
First, I would like to check if you still have this issue, and if yes, how many projects are affected (mono repo or not). I will send you a private message so you can share with me some details that are required for this investigation.
Since this issue is usually related to misconfiguration and/or PAT issues, I would ask whether you double-checked our documentation:
Thanks for getting back to us. Yes, we still have this problem in six projects/two repos, all being monorepos. I’ve checked the documentation, but found nothing new. Will reply to your DM with more details.
Hi @tomz, thanks for sharing the information. I can see in our logs that one critical request into Azure DevOps API is failing with an HTTP 401, which means the request was unauthorized by Azure DevOps API when our services tried to use the token that you provided (for Pull Request usage, which is different from the token that you configure at the organization level).
Azure DevOps does not provide further information for us, since the token does not have enough permissions. I believe the token is invalid and/or expired, otherwise, we would have received an HTTP 403 (access forbidden, because in this scenario the token has authorization, but not enough permissions).
Thanks for looking into the logs! We found out that indeed an expired token caused the issue, but not the project-specific tokens for pull request usage, but the one on organization level. It seems that the organization-level token is used by the Azure pipeline tasks in the case of monorepos, while this is not the case for normal repos.
It would be highly appreciated if there was an endpoint to update the organization-level token via API as well so that this could be scripted on our side.
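Added example, not part of any post in this thread and not SonarCloud or Azure DevOps tooling: a pre-rotation check that probes Azure DevOps with every PAT a monorepo depends on (organization-level and project-level) and triages the result using the 401/403 reading given above. The organization, project, repository and token labels are placeholders, and the pull request endpoint with `api-version=7.0` is an assumption about what to probe.

```python
import base64
import urllib.error
import urllib.request

# Triage as described in the thread: 401 = token rejected (invalid or expired),
# 403 = token accepted but lacking permission. Anything else is reported raw.
VERDICTS = {200: "ok", 401: "invalid-or-expired",
            403: "insufficient-permissions", 404: "not-found"}

def pr_url(org, project, repo, pr_id):
    """Azure DevOps Git pull request URL (placeholder names, assumed api-version)."""
    return (f"https://dev.azure.com/{org}/{project}/_apis/git/repositories/"
            f"{repo}/pullrequests/{pr_id}?api-version=7.0")

def http_status(url, pat):
    """GET the URL with PAT Basic auth (empty user name) and return the status code."""
    auth = base64.b64encode(f":{pat}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def triage(tokens, url, probe=http_status):
    """Map each token label to a verdict; token values never enter the report."""
    report = {}
    for label, pat in tokens.items():
        status = probe(url, pat)
        report[label] = VERDICTS.get(status, f"unexpected-{status}")
    return report

def blocking(report):
    """Labels of tokens that would break pull request analysis."""
    return sorted(label for label, verdict in report.items() if verdict != "ok")

if __name__ == "__main__":
    # Constructed offline demo: a fake probe stands in for Azure DevOps.
    fake = lambda url, pat: 401 if pat == "constructed-expired" else 200
    tokens = {"organization-level": "constructed-expired",
              "project-pr-token": "constructed-valid"}
    report = triage(tokens, pr_url("ORG", "PROJECT", "REPO", 12345), probe=fake)
    print(report, "blocking:", blocking(report))
```

Run it with the real `http_status` probe and tokens read from a secret store before an expiry date, so an expired organization-level token shows up even when the project-level ones are fine.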