Sonar Cube failing on merge request

SonarQube Cloud
1

Generic info

  • ALM used: Gitlab
  • CI system used:Gitlab
  • Languages of the repository : Python

Main branch of the repository is working properly:

Executing "step_script" stage of the job script 00:42
Using effective pull policy of [always] for container sonarsource/sonar-scanner-cli:latest
Using docker image sha256:13f0962529ea288983c4ff97a161295478469ed05ce07bdb157ab1fe279d0107 for sonarsource/sonar-scanner-cli:latest with digest sonarsource/sonar-scanner-cli@sha256:7462f132388135e32b948f8f18ff0db9ae28a87c6777f1df5b2207e04a6d7c5c ...
$ sonar-scanner
12:22:25.764 INFO  Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
12:22:25.769 INFO  Project root configuration file: /builds/xemex.eu/pythonshared/sonar-project.properties
12:22:25.789 INFO  SonarScanner CLI 7.1.0.4889
12:22:25.791 INFO  Java 17.0.14 Amazon.com Inc. (64-bit)
12:22:25.792 INFO  Linux 5.15.154+ amd64
12:22:25.801 DEBUG Scanner max available memory: 1 GB
12:22:25.827 DEBUG uname -m returned 'x86_64'
12:22:25.831 DEBUG Using JVM default truststore: /usr/lib/jvm/java-17-amazon-corretto.x86_64/lib/security/cacerts
12:22:25.832 DEBUG Create: /builds/xemex.eu/pythonshared/.sonar/cache
12:22:25.833 INFO  User cache: /builds/xemex.eu/pythonshared/.sonar/cache
12:22:25.833 DEBUG Create: /builds/xemex.eu/pythonshared/.sonar/cache/_tmp
12:22:25.963 DEBUG Loading OS trusted SSL certificates...
12:22:25.964 DEBUG This operation might be slow or even get stuck. You can skip it by passing the scanner property 'sonar.scanner.skipSystemTruststore=true'
12:22:26.655 DEBUG Loaded [1029] system trusted certificates
12:22:26.985 DEBUG Loaded truststore from '/usr/lib/jvm/java-17-amazon-corretto.x86_64/lib/security/cacerts' containing 147 certificates
12:22:27.179 INFO  Communicating with SonarQube Cloud
12:22:27.180 INFO  JRE provisioning: os[linux], arch[x86_64]
12:22:27.208 DEBUG --> GET https://api.sonarcloud.io/analysis/jres?os=linux&arch=x86_64
12:22:28.244 DEBUG <-- 200 https://api.sonarcloud.io/analysis/jres?os=linux&arch=x86_64 (1035ms, 471-byte body)
12:22:28.285 DEBUG Executing: /builds/xemex.eu/pythonshared/.sonar/cache/bcb1b7b8ad68c93093f09b591b7cb17161d39891f7d29d33a586f5a328603707/OpenJDK17U-jre_x64_linux_hotspot_17.0.11_9.tar.gz_extracted/jdk-17.0.11+9-jre/bin/java --version
12:22:28.313 DEBUG openjdk 17.0.11 2024-04-16
12:22:28.313 DEBUG OpenJDK Runtime Environment Temurin-17.0.11+9 (build 17.0.11+9)
12:22:28.314 DEBUG OpenJDK 64-Bit Server VM Temurin-17.0.11+9 (build 17.0.11+9, mixed mode, sharing)
12:22:28.318 DEBUG --> GET https://api.sonarcloud.io/analysis/engine
12:22:28.574 DEBUG <-- 200 https://api.sonarcloud.io/analysis/engine (256ms, 292-byte body)
12:22:28.579 DEBUG Work directory: /builds/xemex.eu/pythonshared/.scannerwork
12:22:28.592 DEBUG Executing: /builds/xemex.eu/pythonshared/.sonar/cache/bcb1b7b8ad68c93093f09b591b7cb17161d39891f7d29d33a586f5a328603707/OpenJDK17U-jre_x64_linux_hotspot_17.0.11_9.tar.gz_extracted/jdk-17.0.11+9-jre/bin/java -Dorg.bouncycastle.pkcs12.ignore_useless_passwd=true -jar /builds/xemex.eu/pythonshared/.sonar/cache/8c20c2157519bcc7897e99dc64276ea1c23c27d5b41dbbd620991f5faaa46714/sonarcloud-scanner-engine-11.12.0.497.jar
12:22:28.936 INFO  Starting SonarScanner Engine...
...
12:23:06.360 INFO  EXECUTION SUCCESS
12:23:06.362 INFO  Total time: 40.601s

When new code is pushed to a branch and a merge request is created, the scanner fails:

Executing "step_script" stage of the job script 00:04
Using effective pull policy of [always] for container sonarsource/sonar-scanner-cli:latest
Using docker image sha256:13f0962529ea288983c4ff97a161295478469ed05ce07bdb157ab1fe279d0107 for sonarsource/sonar-scanner-cli:latest with digest sonarsource/sonar-scanner-cli@sha256:7462f132388135e32b948f8f18ff0db9ae28a87c6777f1df5b2207e04a6d7c5c ...
$ sonar-scanner
12:53:52.581 INFO  Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
12:53:52.589 INFO  Project root configuration file: /builds/xemex.eu/pythonshared/sonar-project.properties
12:53:52.608 INFO  SonarScanner CLI 7.1.0.4889
12:53:52.611 INFO  Java 17.0.14 Amazon.com Inc. (64-bit)
12:53:52.612 INFO  Linux 5.15.154+ amd64
12:53:52.621 DEBUG Scanner max available memory: 1 GB
12:53:52.646 DEBUG uname -m returned 'x86_64'
12:53:52.649 DEBUG Using JVM default truststore: /usr/lib/jvm/java-17-amazon-corretto.x86_64/lib/security/cacerts
12:53:52.651 DEBUG Create: /builds/xemex.eu/pythonshared/.sonar/cache
12:53:52.652 INFO  User cache: /builds/xemex.eu/pythonshared/.sonar/cache
12:53:52.652 DEBUG Create: /builds/xemex.eu/pythonshared/.sonar/cache/_tmp
12:53:52.777 DEBUG Loading OS trusted SSL certificates...
12:53:52.777 DEBUG This operation might be slow or even get stuck. You can skip it by passing the scanner property 'sonar.scanner.skipSystemTruststore=true'
12:53:53.475 DEBUG Loaded [1029] system trusted certificates
12:53:53.712 DEBUG Loaded truststore from '/usr/lib/jvm/java-17-amazon-corretto.x86_64/lib/security/cacerts' containing 147 certificates
12:53:53.917 INFO  Communicating with SonarQube Cloud
12:53:53.918 INFO  JRE provisioning: os[linux], arch[x86_64]
12:53:53.941 DEBUG --> GET https://api.sonarcloud.io/analysis/jres?os=linux&arch=x86_64
12:53:54.856 DEBUG <-- 401 https://api.sonarcloud.io/analysis/jres?os=linux&arch=x86_64 (914ms, 83-byte body)
12:53:54.864 ERROR Failed to query JRE metadata: GET https://api.sonarcloud.io/analysis/jres?os=linux&arch=x86_64 failed with HTTP 401
{"Message": "User is not authorized to access this resource with an explicit deny"}. Please check the property sonar.token or the environment variable SONAR_TOKEN.
org.sonarsource.scanner.lib.internal.MessageException: Failed to query JRE metadata: GET https://api.sonarcloud.io/analysis/jres?os=linux&arch=x86_64 failed with HTTP 401
{"Message": "User is not authorized to access this resource with an explicit deny"}
	at org.sonarsource.scanner.lib.internal.facade.forked.JavaRunnerFactory.getJreMetadata(JavaRunnerFactory.java:167)
	at org.sonarsource.scanner.lib.internal.facade.forked.JavaRunnerFactory.getJreFromServer(JavaRunnerFactory.java:140)
	at org.sonarsource.scanner.lib.internal.facade.forked.JavaRunnerFactory.createRunner(JavaRunnerFactory.java:87)
	at org.sonarsource.scanner.lib.internal.facade.forked.ScannerEngineLauncherFactory.createLauncher(ScannerEngineLauncherFactory.java:54)
	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.buildNewFacade(ScannerEngineBootstrapper.java:197)
	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrapCloud(ScannerEngineBootstrapper.java:162)
	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:149)
	at org.sonarsource.scanner.cli.Main.analyze(Main.java:76)
	at org.sonarsource.scanner.cli.Main.main(Main.java:64)
Caused by: org.sonarsource.scanner.lib.internal.http.HttpException: GET https://api.sonarcloud.io/analysis/jres?os=linux&arch=x86_64 failed with HTTP 401
{"Message": "User is not authorized to access this resource with an explicit deny"}
	at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callUrl(ScannerHttpClient.java:137)
	at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callApi(ScannerHttpClient.java:121)
	at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callRestApi(ScannerHttpClient.java:103)
	at org.sonarsource.scanner.lib.internal.facade.forked.JavaRunnerFactory.getJreMetadata(JavaRunnerFactory.java:161)
	... 8 common frames omitted
12:53:54.866 DEBUG Scanner engine bootstrapping failed
12:53:54.866 INFO  EXECUTION FAILURE
12:53:54.868 INFO  Total time: 2.290s

SONAR_TOKEN is configured properly as CI/CD variable (otherwise the main branch wouldn’t work)

2

I solved the issue myself. The SONAR_TOKEN variable was marked as protected which didn’t made it available for merge requests. Removing this flag solved the issue.