@sonar/scan can't pull scanner binaries because of invalid token

Versions

  • Selfhosted SonarQube Server v25.6.0.109173 Standard Experience
  • npm package @sonar/scan v4.3.0

[INFO]  Bootstrapper: Retrieving info from "package.json" file
[INFO]  Bootstrapper: Platform: win32 x64
[INFO]  Bootstrapper: Version: 4.3.0
[INFO]  Bootstrapper: SonarQube server version: 25.6.0
[INFO]  Bootstrapper: JRE provisioning is supported

How is SonarQube deployed

no information

What is the problem?

The sonar-scanner binary can’t be downloaded because of a 401 error, since:

  • The API Endpoint /api/v2/analysis/jres?os=win32&arch=x64 doesn’t support Bearer tokens.
  • The @sonar/scanner always uses Bearer authentication, even if the API doesn’t support it.

Things I tried:

  • I tried different tokens - project/global/user.
  • The localScannerCli:true option doesn’t help, since the server supports the JRE provisioning.
  • I changed the request to use Basic manually as a test in node_modules/@sonar/scan/src/request.js. It works! But there is no way I can configure the code to use Basic Auth… :sad_but_relieved_face:

Further Information

See sonar-scanner-npm/src/request.ts at master · SonarSource/sonar-scanner-npm · GitHub

Error in Response:

'Bearer error="invalid_token", error_description="JWT token could not be validated"',

Hey @babielgy!

Thanks for the detailed report.

I just tried out Community Build v25.6 with the @sonar/scanner and had no trouble getting the JRE to download. SonarQube’s v2 API definitely supports Bearer tokens.

colinmueller@Colins-MacBook-Air tssecret % sonar \
  -Dsonar.host.url=http://localhost:9000 \
  -Dsonar.token=TOKEN \
  -Dsonar.projectKey=test -X
[INFO]  Bootstrapper: Retrieving info from "package.json" file
[DEBUG] Bootstrapper: Setting the log level to DEBUG due to verbose mode
[DEBUG] Bootstrapper: Properties: {
  'sonar.userHome': '/Users/colinmueller/.sonar',
  'sonar.working.directory': '.scannerwork',
  'sonar.scanner.os': 'darwin',
  'sonar.scanner.arch': 'arm64',
  'sonar.exclusions': 'node_modules/**,bower_components/**,jspm_packages/**,typings/**,lib-cov/**',
  'sonar.verbose': 'true',
  'sonar.host.url': 'http://localhost:9000',
  'sonar.token': 'TOKEN',
  'sonar.projectKey': 'test',
  'sonar.scanner.internal.isSonarCloud': 'false',
  'sonar.scanner.apiBaseUrl': 'http://localhost:9000/api/v2',
  'sonar.scanner.app': 'ScannerNpm',
  'sonar.scanner.appVersion': '4.3.0',
  'sonar.scanner.bootstrapStartTime': '1749110903792',
  'sonar.scanner.wasJreCacheHit': 'disabled',
  'sonar.scanner.wasEngineCacheHit': 'false',
  'sonar.projectBaseDir': '/Users/colinmueller/Source/tssecret'
}
[INFO]  Bootstrapper: Platform: darwin arm64
[DEBUG] Bootstrapper: Detecting proxy: No proxy detected
[INFO]  Bootstrapper: Server URL: http://localhost:9000
[INFO]  Bootstrapper: Version: 4.3.0
[DEBUG] Bootstrapper: Check if Server supports JRE provisioning
[DEBUG] Bootstrapper: Detecting SonarQube server version
[DEBUG] Bootstrapper: Fetching API V2 /analysis/version
[INFO]  Bootstrapper: SonarQube server version: 25.6.0
[DEBUG] Bootstrapper: SonarQube Server v25.6.0 supports JRE provisioning: true
[INFO]  Bootstrapper: JRE provisioning is supported
[DEBUG] Bootstrapper: Detecting latest version of JRE
[DEBUG] Bootstrapper: Downloading JRE information for darwin arm64 from /analysis/jres
[DEBUG] Bootstrapper: Latest Supported JRE:  {
  id: 'de1ecc90-6c96-49db-8c29-7964eaf40d9f',
  filename: 'OpenJDK17U-jre_aarch64_mac_hotspot_17.0.13_11.tar.gz',
  sha256: 'a886b8f2a50eca2e59b45ea59f5a2e8e9d27ff5b5b3b069443a70cda7f27c907',
  javaPath: 'jdk-17.0.13+11-jre/Contents/Home/bin/java',
  os: 'mac',
  arch: 'aarch64'
}
[DEBUG] Bootstrapper: Looking for Cached JRE
[INFO]  Bootstrapper: No Cache found for JRE
[DEBUG] Bootstrapper: Creating Cache directory as it doesn't exist: /Users/colinmueller/.sonar/cache/a886b8f2a50eca2e59b45ea59f5a2e8e9d27ff5b5b3b069443a70cda7f27c907
[DEBUG] Bootstrapper: Starting download of JRE
[DEBUG] Bootstrapper: Downloading /analysis/jres/de1ecc90-6c96-49db-8c29-7964eaf40d9f to /Users/colinmueller/.sonar/cache/a886b8f2a50eca2e59b45ea59f5a2e8e9d27ff5b5b3b069443a70cda7f27c907/OpenJDK17U-jre_aarch64_mac_hotspot_17.0.13_11.tar.gz
[INFO]  Bootstrapper: Download starting...
[INFO]  Bootstrapper: Download complete
[INFO]  Bootstrapper: Downloaded JRE to /Users/colinmueller/.sonar/cache/a886b8f2a50eca2e59b45ea59f5a2e8e9d27ff5b5b3b069443a70cda7f27c907/OpenJDK17U-jre_aarch64_mac_hotspot_17.0.13_11.tar.gz
[DEBUG] Bootstrapper: Verifying checksum a886b8f2a50eca2e59b45ea59f5a2e8e9d27ff5b5b3b069443a70cda7f27c907
[DEBUG] Bootstrapper: Checksum Value: a886b8f2a50eca2e59b45ea59f5a2e8e9d27ff5b5b3b069443a70cda7f27c907
[DEBUG] Bootstrapper: Extracting /Users/colinmueller/.sonar/cache/a886b8f2a50eca2e59b45ea59f5a2e8e9d27ff5b5b3b069443a70cda7f27c907/OpenJDK17U-jre_aarch64_mac_hotspot_17.0.13_11.tar.gz to /Users/colinmueller/.sonar/cache/a886b8f2a50eca2e59b45ea59f5a2e8e9d27ff5b5b3b069443a70cda7f27c907/OpenJDK17U-jre_aarch64_mac_hotspot_17.0.13_11.tar.gz_unzip

Am I doing something differently than you? Where are you providing the token?

I also wonder if there could be something happening at the reverse proxy layer (if you are serving your SQ Server over HTTPS) that is preventing the use of a BEARER token?

Hey Colin,

Thank you. You’re totally right. It has something to do with the way we’re hosting the community edition.

I started a local SonarQube in Docker and everything worked as expected.

I’m going to investigate the issue with our admins and report the cause as soon as we know more.


It was indeed our reverse proxy.
There was a rule that was always expecting Basic authentication for the web v2 api, but other endpoints were still working with Bearer tokens.

Thank you!

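The comparison that settled this thread (same token, same endpoint, only the Authorization scheme differs) can be scripted. This is an added example, not code from @sonar/scan or from the posters; it assumes the error string quoted in the first post is the `WWW-Authenticate` value of the 401 response, and the function names and sample results are constructed for illustration.

```javascript
// Added diagnostic sketch, not part of @sonar/scan. Needs Node 18+ (global fetch).
// The same token presented both ways. Basic form: token as user name, empty password.
function authHeaders(token) {
  return {
    bearer: `Bearer ${token}`,
    basic: `Basic ${Buffer.from(`${token}:`).toString('base64')}`,
  };
}

// Parse a single WWW-Authenticate challenge into { scheme, params }.
function parseChallenge(header) {
  const m = /^\s*([A-Za-z][\w-]*)\s*(.*)$/.exec(header || '');
  if (!m) return null;
  const params = {};
  const re = /([\w-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/g;
  for (let p; (p = re.exec(m[2])); ) params[p[1].toLowerCase()] = p[2] ?? p[3];
  return { scheme: m[1].toLowerCase(), params };
}

// results: [{ path, scheme: 'bearer' | 'basic', status, wwwAuthenticate }]
function diagnose(results) {
  const ok = (r) => r.status >= 200 && r.status < 300;
  const pick = (path, scheme) => results.find((r) => r.path === path && r.scheme === scheme);
  return [...new Set(results.map((r) => r.path))].map((path) => {
    const [bearer, basic] = [pick(path, 'bearer'), pick(path, 'basic')];
    if (!bearer || !basic) return { path, verdict: 'incomplete' };
    if (ok(bearer)) return { path, verdict: 'bearer-accepted' };
    const challenge = parseChallenge(bearer.wwwAuthenticate);
    // Same token, same path, only the scheme differs: something filters on the scheme.
    return { path, verdict: ok(basic) ? 'scheme-filtered' : 'token-rejected', challenge };
  });
}

// Live probe (not exercised by the sample below): one request per scheme.
async function probe(baseUrl, path, token) {
  const url = baseUrl.replace(/\/+$/, '') + path;
  return Promise.all(Object.entries(authHeaders(token)).map(async ([scheme, Authorization]) => {
    const res = await fetch(url, { headers: { Authorization } });
    return { path, scheme, status: res.status, wwwAuthenticate: res.headers.get('www-authenticate') };
  }));
}

// Constructed sample mirroring the thread: Bearer 401 and Basic 200 on the JRE endpoint.
const JRES = '/api/v2/analysis/jres?os=win32&arch=x64';
const SAMPLE = [
  { path: JRES, scheme: 'bearer', status: 401,
    wwwAuthenticate: 'Bearer error="invalid_token", error_description="JWT token could not be validated"' },
  { path: JRES, scheme: 'basic', status: 200, wwwAuthenticate: null },
];
```

A `scheme-filtered` verdict on one path while Bearer is accepted on others points at a path-specific rule in front of the server, which is what the reverse proxy turned out to be here.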

Thanks for following up! Glad you got it sorted. :folded_hands:

Have a nice weekend.
