SonarQube not pulling code from Azure repo

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)

Standalone Windows Server 2019 (Virtual machine in Azure)
SonarQube 9.3.0.51899 Enterprise
SonarScanner 4.7.0.2747
Azure Plugin: SonarQube 5.4.0
Java: 11.0.13

  • what are you trying to achieve

View + scan code in Azure repo. Currently SonarQube connects to Azure but does not see code.

  • what have you tried so far to achieve this:

I have followed the SonarQube Azure guide (Azure DevOps Integration | SonarQube Docs) up to the point of “Configuring branch analysis” (as at the moment we will be using the program to scan specific sections of code rather than in a CI/CD environment, I haven’t integrated it into any pipelines)

Method used to attempt analysis:

Sonar-scanner via CLI:

sonar-scanner.bat -D"sonar.projectKey=PROJECT_PROJECT" -D"sonar.sources=." -D"sonar.host.url=http://SERVER:9000" -D"sonar.login=[KEY]"

  • See attached log.txt for output of the scan
    log.txt (6.6 KB)

Result: Project shows “Main branch of this project is empty” instead of saying that it hasn’t been analysed.

SonarQube settings

Administration → DevOps Platform Integrations → Azure


  • Check configuration shows no errors

[PROJECT NAME] → Project Settings → DevOps Platform Integration

  • Check configuration shows no errors

Azure Settings

Service Connection:

  • The service connection has been set up with the token generated in SonarQube, however no history has been logged either in Azure or SonarQube?


Things to note:

  • The “MASTER NAME” was correctly pulled into SonarQube from Azure and matches exactly (although it does have a period in it (e.g.: “master.name”) if that makes any difference?)
    • Adding a different Azure project with a different “MASTERNAME” (with no period) also populates it in SonarQube correctly, however the same ‘no lines of code’ error occurs
  • When initially adding the project, SonarQube also detects the other projects available in the Azure users’ organisation, indicating that the connection to Azure is successful. Here is an example when I attempt to add another project using the same DevOps connection:

  • Encrypted PAT was used for Azure connection [as mentioned on: Azure DevOps Integration | SonarQube Docs]

  • User authentication is via LDAP / AD. SonarQube starts as a service by ‘sonarqubeservice’, and the Azure user is called ‘sonarqubeserviceazure’. LDAP authentication works correctly for users to log onto SonarQube server

  • SonarQube extension has been installed in Azure, even though I don’t think it is required for sonar-scanner?

  • The entire process takes 7 seconds (as per log.txt), so it appears that even though the connection is successful, SonarQube isn’t pulling the code from the repo to analyse.

    • INFO: Load project settings for component key: ‘PROJECT_PROJECT’ (done) | time=32ms
    • INFO: Load project branches (done) | time=16ms
      • I’m assuming these should be taking longer?
  • The Windows Firewall + the Azure Firewall have ports 80 & 9000 open only

  • The SonarQube instance (SONARQUBE:9000) is accessible from other systems

  • Logs show “Success”

Troubleshooting performed thus far:

Deleted project from SonarQube, deleted all tokens, deleted all PATs, regenerated tokens + PATs, retested:

  • No change

Created a basic Java program located in a folder on the SonarQube server to test functionality via CLI scan

  • Java program analysed successfully (see first screenshot)

In project settings: Disable the SCM sensor setting (on/off)

  • No change

Adjusted the setting Code (Read & Write) in the Azure PAT:

  • Attempted both “code (read/write)” and ‘Full Access’
  • No change

Azure Service Connections

  • Grant access permissions to all pipelines is selected

Googled the heck out of it:

  • Nothing I found and tested made any difference

Log files
compute.txt (3.1 KB)
search.txt (1.2 KB)
web.txt (3.2 KB)
system.txt (1.5 KB)

Thoughts:

  • As I can analyse a local folder containing code, it appears that SonarQube is installed correctly
  • As I can connect to Azure and it pulls the project, and it can see the correct name for the main branch, it appears that the Azure connection is configured correctly
  • Am I required to open any further ports for the connection?

I am at a loss as to why it appears SonarQube can access Azure, but can’t pull the code. Any assistance in this matter would be appreciated,

Hi,

Maybe this is a dumb question, but did you check the project out before the analysis? I find these log lines “interesting” (suspicious):

WARN: SCM provider autodetection failed. Please use "sonar.scm.provider" to define SCM of your project, or disable the SCM Sensor in the project settings.

INFO: 0 files indexed

INFO: 0 source files to be analyzed
INFO: 0/0 source files have been analyzed

&etc.

Analysis can’t fetch your code. The code must already be present in the directory when you fire analysis.

 
Ann

Hello Ann,

Thank you for your assistance :slight_smile:

Your question is smarter than my answer: No, I didn’t check the code out.

[Just to clarify: I’m not one of the programmers working on this project, I’m just one of the people setting up the tools that they will be using, so my DevOps and coding experience is minimal]

The current requirement isn’t for constant code quality monitoring, but rather for-cause analysis; hence why I stopped before integrating into any pipelines.

You did inspire me though, and I discovered I can download the code manually from the repo and run the analysis via CLI (for some of the languages), so I have a partial workaround at least.

So now the question probably is: Do you know how I would go about checking out the code for analysis if I wanted an ad-hoc, static (in-situ) analysis rather than via pipelines or having to manually download the code?

Thank you for your help

-Justin

Hi Justin,

It’s probably easiest to ask the coders on the project. I haven’t used Azure, so I’d just be cobbling together a guess based on the interwebs.

 
:sweat_smile:
Ann

Thank you for your help Ann :slight_smile:
I’m meant to be teaching the coders how to scan using SonarQube next week :smiley:

In the meantime, if anyone has any Azure DevOps / SonarQube integration experience and can shed some light on my issue, please let me know!
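
What Ann's answer means for an ad-hoc scan, as an added example that is not part of the original thread or SonarSource's own tooling: the scanner only analyses files already on disk, so the repository is cloned first and sonar-scanner is run from inside the working copy. The repository URL, the working directory and the environment variable names AZURE_DEVOPS_PAT and SONAR_TOKEN are assumed placeholders; the project key and server URL are the ones quoted in the first post.

```powershell
# Added example: clone an Azure Repos Git repository, confirm that files are
# present, then run sonar-scanner from inside the working copy.
# Assumed placeholders (not from the thread): $RepoUrl, $WorkDir and the
# environment variables AZURE_DEVOPS_PAT and SONAR_TOKEN.
$RepoUrl    = 'https://dev.azure.com/ORG/PROJECT/_git/REPO'   # placeholder
$WorkDir    = 'C:\scans\REPO'                                 # placeholder
$ProjectKey = 'PROJECT_PROJECT'
$SonarUrl   = 'http://SERVER:9000'

foreach ($name in 'AZURE_DEVOPS_PAT', 'SONAR_TOKEN') {
    if (-not [Environment]::GetEnvironmentVariable($name)) {
        throw "Environment variable $name is not set."
    }
}

# Azure Repos accepts a PAT as HTTP Basic auth with an empty user name.
# A one-off -c header keeps the PAT out of the clone URL and out of .git\config.
$basic  = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$($env:AZURE_DEVOPS_PAT)"))
$header = "http.extraheader=AUTHORIZATION: Basic $basic"

if (Test-Path (Join-Path $WorkDir '.git')) {
    git -C $WorkDir -c $header pull --ff-only      # refresh an existing clone
} else {
    git -c $header clone $RepoUrl $WorkDir         # first run: full checkout
}
if ($LASTEXITCODE -ne 0) { throw "git failed with exit code $LASTEXITCODE" }

# Pre-flight: an empty directory is what produces "0 files indexed".
$files = Get-ChildItem -Path $WorkDir -Recurse -File |
    Where-Object { $_.FullName -notmatch '\\\.git\\' }
if (-not $files) { throw "No files under $WorkDir; nothing to analyse." }
Write-Host "Found $($files.Count) files to hand to the scanner."

# Each -D property is one quoted string so PowerShell does not split it at the dot.
$scannerArgs = @(
    "-Dsonar.projectKey=$ProjectKey",
    '-Dsonar.sources=.',
    "-Dsonar.host.url=$SonarUrl",
    "-Dsonar.login=$($env:SONAR_TOKEN)",
    '-Dsonar.scm.provider=git'      # the property named in the scanner's SCM warning
)
Push-Location $WorkDir
try {
    & sonar-scanner.bat @scannerArgs
    if ($LASTEXITCODE -ne 0) { throw "sonar-scanner failed with exit code $LASTEXITCODE" }
} finally {
    Pop-Location
}
```

A PAT used only for this clone needs no more than the Code (Read) scope; the scanner itself never contacts the repository.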