Scope permissions for gitlab access token

Hello!

We are using SonarQube (Enterprise Edition) version 10.6.0, and it is deployed with Helm to GKE.

Following the documentation to get PR (MR) decorations in our GitLab, we have an access token created as per the documentation, with reporter permissions and read_api scope (GitLab integration).

I can see in the following error that it looks to suggest it needs the api and read_api scopes. Is this the case, or should this be working with just read_api? Ideally we want the least permissions.

Error:

2024.07.09 15:11:49 ERROR ce[044af8f5-5290-4819-9e09-2be982a09348][o.s.a.c.g.GitlabApplicationClient] Gitlab API call to [https://gitlab.com/api/v4/projects/<<REDACTED>>/merge_requests/47/notes] failed with 403 http code. gitlab response content : [{"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope":"api read_api"}]
2024.07.09 15:11:49 DEBUG ce[044af8f5-5290-4819-9e09-2be982a09348][c.s.b.D.D.D] post for gitlab merge request decoration has finished after 137 ms
2024.07.09 15:11:49 ERROR ce[044af8f5-5290-4819-9e09-2be982a09348][c.s.b.D.D.F] An exception was thrown during Merge Request decoration : Your GitLab token has insufficient scope
2024.07.09 15:11:49 ERROR ce[044af8f5-5290-4819-9e09-2be982a09348][o.s.c.t.p.a.p.PostProjectAnalysisTasksExecutor] Execution of task class com.sonarsource.b.D.C failed
org.sonar.alm.client.gitlab.GitlabServerException: Your GitLab token has insufficient scope
      at org.sonar.alm.client.gitlab.GitlabApplicationClient.checkResponseIsSuccessful(GitlabApplicationClient.java:188)
      at org.sonar.alm.client.gitlab.GitlabApplicationClient.checkResponseIsSuccessful(GitlabApplicationClient.java:176)
      at com.sonarsource.b.D.D.D.postNote(Unknown Source)
      at com.sonarsource.b.D.D.F.路(Unknown Source)
      at com.sonarsource.b.D.r.路(Unknown Source)
      at java.base/java.util.Spliterators$ArraySpliterator.forEachRemaining(Unknown Source)
      at java.base/java.util.stream.ReferencePipeline$Head.forEach(Unknown Source)
      at com.sonarsource.b.D.r.路(Unknown Source)
      at com.sonarsource.b.D.C.路(Unknown Source)
      at java.base/java.util.Optional.ifPresent(Unknown Source)
      at com.sonarsource.b.D.C.路(Unknown Source)
      at com.sonarsource.b.D.C.좫(Unknown Source)
      at org.sonar.ce.async.SynchronousAsyncExecution.addToQueue(SynchronousAsyncExecution.java:27)
      at com.sonarsource.b.D.C.路(Unknown Source)
      at java.base/java.util.Optional.ifPresent(Unknown Source)
      at com.sonarsource.b.D.C.finished(Unknown Source)
      at org.sonar.ce.task.projectanalysis.api.posttask.PostProjectAnalysisTasksExecutor.executeTask(PostProjectAnalysisTasksExecutor.java:101)
      at org.sonar.ce.task.projectanalysis.api.posttask.PostProjectAnalysisTasksExecutor.finished(PostProjectAnalysisTasksExecutor.java:92)
      at org.sonar.ce.task.step.ComputationStepExecutor.executeListener(ComputationStepExecutor.java:89)
      at org.sonar.ce.task.step.ComputationStepExecutor.execute(ComputationStepExecutor.java:61)
      at org.sonar.ce.task.projectanalysis.taskprocessor.ReportTaskProcessor.process(ReportTaskProcessor.java:75)
      at org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.executeTask(CeWorkerImpl.java:212)
      at org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.run(CeWorkerImpl.java:194)
      at org.sonar.ce.taskprocessor.CeWorkerImpl.findAndProcessTask(CeWorkerImpl.java:160)
      at org.sonar.ce.taskprocessor.CeWorkerImpl$TrackRunningState.get(CeWorkerImpl.java:135)
      at org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:87)
      at org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:53)
      at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:131)
      at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:76)
      at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:82)
      at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
      at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
      at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
      at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
      at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
      at java.base/java.lang.Thread.run(Unknown Source)
2024.07.09 15:11:49 INFO  ce[044af8f5-5290-4819-9e09-2be982a09348][o.s.c.t.p.a.p.PostProjectAnalysisTasksExecutor] Pull Request decoration | status=FAILED | time=1069ms

Many thanks,

Kieran C

Hello,

Has anyone had a chance to look into this?

Many thanks,

Kieran

Hello @kieranc,

I confirm that there is a mistake in our documentation: the needed scope is api in this case, which makes sense because SonarQube needs to post a comment in the Merge Request, so a read-only permission won’t be enough.

It was valid in our 10.4 documentation but it’s wrong since 10.5, probably a mistake made during a refactoring.

I will make sure it’s being updated pronto!

Cheers

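One way to find these failures in a Compute Engine log, as an added example that is not part of the thread or of SonarQube's code: it matches the GitlabApplicationClient error format shown in the first post and reports the task, the endpoint, and the scopes GitLab named in its 403 body. The sample lines are constructed, and the host gitlab.example.com, project id 123 and task ids are placeholders.

```python
import json
import re
from urllib.parse import urlsplit

# Error format written by GitlabApplicationClient, as seen in the log in the first post.
FAILURE = re.compile(
    r"ce\[(?P<task>[^\]]+)\].*?Gitlab API call to \[(?P<url>[^\]]+)\] "
    r"failed with (?P<code>\d{3}) http code\. "
    r"gitlab response content : \[(?P<body>.*)\]\s*$"
)

# Constructed sample lines; host, project id and task ids are placeholders.
SAMPLE_LOG = """\
2024.07.09 15:11:49 ERROR ce[task-1][o.s.a.c.g.GitlabApplicationClient] Gitlab API call to [https://gitlab.example.com/api/v4/projects/123/merge_requests/47/notes] failed with 403 http code. gitlab response content : [{"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope":"api read_api"}]
2024.07.09 15:11:49 INFO  ce[task-1][o.s.c.t.p.a.p.PostProjectAnalysisTasksExecutor] Pull Request decoration | status=FAILED | time=1069ms
2024.07.09 15:12:10 ERROR ce[task-2][o.s.a.c.g.GitlabApplicationClient] Gitlab API call to [https://gitlab.example.com/api/v4/projects/123] failed with 404 http code. gitlab response content : [{"message":"404 Project Not Found"}]
2024.07.09 15:13:02 ERROR ce[task-3][o.s.a.c.g.GitlabApplicationClient] Gitlab API call to [https://gitlab.example.com/api/v4/projects/123] failed with 502 http code. gitlab response content : [<html>Bad Gateway</html>]
"""


def scope_failures(log_text):
    """Return one record per GitLab call rejected with insufficient_scope."""
    findings = []
    for line in log_text.splitlines():
        match = FAILURE.search(line)
        if not match:
            continue
        try:
            body = json.loads(match.group("body"))
        except ValueError:
            continue  # non-JSON body, e.g. a proxy error page
        if not isinstance(body, dict) or body.get("error") != "insufficient_scope":
            continue  # some other API failure (404, 401, ...)
        findings.append({
            "task": match.group("task"),
            "endpoint": urlsplit(match.group("url")).path,
            "http_code": int(match.group("code")),
            # Scopes GitLab listed in the error body, not the token's own scopes.
            "scopes_in_response": body.get("scope", "").split(),
        })
    return findings


if __name__ == "__main__":
    for finding in scope_failures(SAMPLE_LOG):
        print(finding)
```
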

Hello Antoine,

Thank you for getting back to me and confirming this was a documentation issue. I suspected that was the case.

We have started from 10.5 (and quickly moved up to 10.6) and didn’t think to check previous versions :sweat_smile:

Thanks again,

Kieran
