Hi,
I have a Azure Devops pipeline for .Net project which uses sonarcloud as security testing tool. When I am manually running the pipeline, the sonarcloud analysis is successfull and report is generated on sonarcloud portal.
But, when I am raising PR for the develop branch, for the PR build, the sonarcloud task gives error “Could not find Pull Request with ID”
I verified on SonarCloud portal and I am not able to see neither this PR, nor the feature branch.
It’s likely that PAT you’ve configured into SonarCloud doesn’t have access to that particular project. Systems very often return 404 as a “secure” version of 401 (refusing to acknowledge the existence of what you don’t have access to).
When I run the pipeline manually, I am able to run sonarcloud task successfully. Its only when I raise PR, for the PR build, I am getting the error “Could not find pull request”
If PAT doesn’t have access, then I would not been able to run SonarCloud task when I run the pipeline manually also.
The errormessage is: {“errors”:[{“msg”:“Unable to find the pullrequest with key \u00279775\u0027”}]
We eventually deleted the project from sonarcloud and let DevOps re-create the project. Then the PR sonaranalyse ran successful but now the next issue appeared. Somehow SonarCloud doesn’t report the status of the quality gate anymore to DevOps and DevOps keeps ‘waiting’ (although the PAT filled in sonarcloud and is fully functioning).
Turns out, although when filling in the PAT in the sonarcloud interface and it gave the green ‘valid’ checkmark, somehow the PAT was invalid (it only turned ‘red’ after refreshing the page). After filling in a valid PAT SonarCloud was able to give comments on PRs again. It would have been nice to have some sort of notice in SonarCloud (maybe in the background processes) to see that the authentication is failing.
So for us the solution was: refresh the PAT together with recreating the project itself in SonarCloud. Hope this helps you @hitika26.
Can you provide analysis logs from a run that succeeds and from one that fails?
The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.
Yes, by manual run, I mean the CI trigger of the pipeline. I run the pipeline directly from Azure Devops which picks the DEV branch of the repository. For this run, the sonarcloud is successful.
The failed sonarcloud run is when PR is raised from Feature to DEV, it picks the code from Feature branch.
The token added for it on sonarcloud must be valid because I am able to execute sonarcloud for Manual Run and only facing error for PR Run
We are facing the same issue with one particular project (all other projects work perfectly).
Only PRs are failing, analytics for a branch works without any issues.
Hi @aura
What needs to be replaced with –location in the below command:
curl --location --request GET ‘’
–header ‘Authorization: BASIC <B64_PAT>’
Also, when I put that URL on browser, it says TF401019: The Git repository with name or identifier *** does not exist or you do not have permissions for the operation you are attempting.
You don’t need to provide a value with the flag --location. To confirm, if a valid PAT is provided, you will get information back from running the command. If not, no info will be returned. Additionally, with the --verbose flag, you can see more info about unauthorized access.
This is an example of a command using a dummy PAT I ran locally using --verbose (I removed some non relevant info) with fails with a 401 Unauthorized response.
curl --location --request GET <URL> --header 'Authorization: BASIC dummy' --verbose
Note: Unnecessary use of -X or --request, GET is already inferred.
* Trying x.x.x.x:443...
* Connected to dev.azure.com (x.x.x.x) port 443 (#0)
...
* Server certificate:
* subject: C=US; ST=WA; L=Redmond; O=Microsoft Corporation; CN=dev.azure.com
* start date: Feb 21 17:47:20 2023 GMT
* expire date: Feb 16 17:47:20 2024 GMT
* subjectAltName: host "dev.azure.com" matched cert's "dev.azure.com"
* issuer: C=US; O=Microsoft Corporation; CN=Microsoft Azure TLS Issuing CA 05
* SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
...
* Using Stream ID: 1 (easy handle 0x7f9153811400)
> GET <URL> HTTP/2
> Host: dev.azure.com
> user-agent: curl/7.86.0
> accept: */*
> authorization: BASIC dummy
>
< HTTP/2 401 <----- Unauthorized
...
If the PAT provided in the curl command doesn’t work, it will confirm the problem is with the PAT.
Another interesting thing to notice, the URL I sent you should authenticate you with Azure DevOps, which makes me think your user might not have indeed access to this PR. If your user is the one creating the PAT, perhaps that’s why it’s failing.
Other than the curl command, could you please check on your side if another user with more privileges can create the PAT?
You can check here the documentation about how to setup the connection with the required permissions and configuration in Azure DevOps for SonarCloud. In particular, please review the sections Location of Personal Access Tokens in SonarCloud and Use a technical user.
Turns out, although when filling in the PAT in the sonarcloud interface and it gave the green ‘valid’ checkmark, somehow the PAT was invalid (it only turned ‘red’ after refreshing the page). After filling in a valid PAT SonarCloud was able to give comments on PRs again. It would have been nice to have some sort of notice in SonarCloud (maybe in the background processes) to see that the authentication is failing.
So for us the solution was: refresh the PAT together with recreating the project itself in SonarCloud.
Hi @aura
Thanks for the clarification. I am not the one who created the PAT for SonarCloud, and I am not having the PAT that was used here. But I asked the user who created and added that, he had again updated the PAT but the problem still persists. Through this, we came to the conclusion that this problem is not related to PAT.
Additionally, I am having access to the PR as it was raised by me only.
I am not the one who created the PAT for SonarCloud, and I am not having the PAT that was used here. But I asked the user who created and added that, he had again updated the PAT but the problem still persists.
Did you try the recommendation on the documentation about how to setup the connection with the required permissions and configuration in Azure DevOps for SonarCloud? In particular, the sections Location of Personal Access Tokens in SonarCloud and Use a technical user ?
Additionally, could you please make sure the Azure DevOps user creating the PAT is a basic user? I found this thread in our community about issues with the user type.
Unfortunately, our internal logs show that the pull request can’t be found and it leads to the PAT being incorrect.
Could you please send me screenshots of the following?
In Azure DevOps, when creating (or editing) a new token, show that it has scope custom define and the code has read & write selected
In Azure DevOps, under Organization settings, ensure that Azure Active Directory Conditional Access Policy Validation is disabled if needed.
In Azure DevOps, under Organization settings, ensure the user creating the PAT has Basic access level
In your terminal, show that the curl command with --verbose flag suggested here is working as expected
In SonarCloud, under the Organization Administration section and Azure DevOps connectivity management, show the status of the current token. If it’s invalid, you will see this:
