Resolving sonar.login warning

Good morning. I’m trying to resolve a warning regarding the property ‘sonar.login’. My environment and setup is this one. I’m running an Azure DevOps Pipeline building a Maven project. Everything works, the results are published in SonarCloud. The problem is that I keep getting this warning:

The property ‘sonar.login’ is deprecated and will be removed in the future. Please use the ‘sonar.token’ property instead when passing a token.

Now, I do not specify that property in any of my pipeline task. I cannot find the property in any place on the SonarCloud project UI. Furthermore I have also explicitly specified the extraproperty sonar.token, but without any different result.

I post here my Pipeline, please provide some help, where is this sonar.login option??

trigger:
 branches:
   include:
     - develop 
   exclude:
     - main

pool:
  vmImage: ubuntu-latest

stages:
  - stage: InstallOpenJDK_Packaging
    displayName: Install OpenJDK 20.0.2 and perform Packaging
    jobs:
      -  job: installing
         displayName: Install OpenJDK, Install Modules, and run Sonar
         steps:

          - task: SonarCloudPrepare@1
            inputs:
              SonarCloud: 'NoteSpese-SonarCloud'
              organization: 'prismacatania'
              scannerMode: 'Other'
              extraProperties: |
                  sonar.projectKey=Note-Spese-Common-Module
                  sonar.token=xxx


          - task: JavaToolInstaller@0
            displayName: Install OpenJDK
            inputs:
              versionSpec: '20'
              jdkArchitectureOption: 'x64'
              jdkSourceOption: 'LocalDirectory'
              jdkFile: 'openJdk/openjdk-20.0.2_linux-x64_bin.tar.gz'
              jdkDestinationDirectory: 'openJdk/builds'
              cleanDestinationDirectory: true
          - script: |
                echo "$(JAVA_HOME)"
            displayName: displaying JAVA_HOME variable

          - task: Maven@4
            displayName: Compile and Build via Packaging(common-module)
            inputs:
              goals: install
              mavenPomFile: 'common-module/pom.xml'
              publishJUnitResults: true
              testResultsFiles: '**/surefire-reports/TEST-*.xml'
              testRunTitle: 'Packaging common test run'
              javaHomeOption: 'JDKVersion'
              jdkVersionOption: '20'
              mavenVersionOption: 'Default'
              mavenAuthenticateFeed: false
              effectivePomSkip: false
              sonarQubeRunAnalysis: true
          - task: SonarCloudPublish@1
            inputs:
              pollingTimeoutSec: '1000'

Hey there.

Which version of the SonarCloud Extension for Azure DevOps are you using? sonar.token should start being used as of v1.40 of the extension (using the service connection you’ve defined. You shouldn’t pass any credentials in the YAML itself, and should consider the one you posted (and that I redacted) as compromised).

I’m sorry English is not my first language so I did not get the message 100%, My version is 1.41(latest). I did not understand if the redacted pipeline is the one that should work.

Hm – in that case, sonar.token should be used automatically.

Can you make sure you don’t have sonar.login set somewhere else, like in the pom.xml of your project?

I see the same message in the SonarCloudAnalyze build log and also in SonarCloud’s UI. According to the build log the version of the SonarCloudAnalyze task is already 1.40.0.

I don’t have sonar.login set manually anywhere. But I assume it could be set by the SonarCloudPrepare task? The SonarCloudPrepare task uses version 1.37.0 for me.

Seems like the warning is gone with SonarCloudPrepare task version 1.38.0 and SonarCloudAnalyze task version 1.41.0.