Sonarqube-scan-action prevents caching

Must-share information:

  • which versions are you using SonarQube? 10.4.1 Enterprise Edition, sonarqube-scan-action v2.2
  • how is SonarQube deployed? On-premises, standard server installation
  • what are you trying to achieve? Cache SonarQube scanner files on GitHub Actions
  • what have you tried so far to achieve this? Downgraded sonarqube-scan-action to v2.0.2

We are using the standard GitHub Actions cache action to cache the scanner files because it takes a long time to download:

    - name: SonarQube Cache
      uses: actions/cache@v4
      with:
        path: ${{ github.workspace }}/.sonar/cache
        key: ${{ runner.os }}-sonar

    - name: SonarQube Scan
      uses: sonarsource/sonarqube-scan-action@v2.0.2
      env:
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
        SONAR_USER_HOME: ${{ github.workspace }}/.sonar
      with:
        args: >
          -Dsonar.projectKey=${{ github.event.repository.name }}
          -Dsonar.projectVersion=${{ inputs.project-version }}

This works fine when using sonarqube-scan-action v2.0.2. After the first build, files under ${{ github.workspace }}/.sonar/cache are cached and future scans run much quicker.

Upgrading to sonarqube-scan-action v2.2 makes the cache action Post job cleanup fail like this:

    Post job cleanup.
    /usr/bin/tar --posix -cf cache.tzst --exclude cache.tzst -P -C /home/runner/work/ai-rapportering/ai-rapportering --files-from manifest.txt --use-compress-program zstdmt
    /usr/bin/tar: .sonar/cache/3ede12e96a509e101c6eab2aa4706c50/sonar-php-plugin.jar_unzip: Cannot open: Permission denied
    /usr/bin/tar: .sonar/cache/0c7e084443770eb32129caa9121bb60e/sonar-ruby-plugin.jar_unzip: Cannot open: Permission denied
    ...
    /usr/bin/tar: Exiting with failure status due to previous errors
    Warning: Failed to save: "/usr/bin/tar" failed with error: The process '/usr/bin/tar' failed with exit code 2

The cache action is clearly not allowed to read the scanner files.

I suspect this could be due to the fact that in a recent commit the user is explicitly set in the Dockerfile as:

USER 0

even though the GitHub documentation says:

Ensure your Dockerfile does not set the USER instruction, otherwise you will not be able to access GITHUB_WORKSPACE.

We would of course like to upgrade sonarqube-scan-action to the latest version, but we need to be able to cache the scanner files. Could you please look into this?

I now realize that this post should have been tagged with github-actions, but I cannot find a way to add a tag.
Should I delete the post and create a new one with the proper tag?

Hi Morten,

Thanks for reporting that.
We have seen errors where clearing the cache helped the CLI run; I think it is worth a try, but it is a bit different from what you described.

However, we will have a look and repro the issue that you described and get back to you.

[Edit:
The documentation says: GitHub Actions must be run by the default Docker user (root). We use USER 0 to set back to root, as the base image, per Docker best practices, sets a non-root user.]

Thanks
Csaba

Thanks for looking into this :slightly_smiling_face:

I will try clearing the cache but if I remember correctly, I already did that without success.

Deleting the cache does not help, but as a workaround I have added this step after the SonarQube scanner step:

    - name: Make SonarQube files accessible for cache action
      run: sudo chmod -R a+rx ${{ github.workspace }}/.sonar

Then the standard GitHub cache action is able to cache the files downloaded by the Sonar scanner.

There is an open issue for the cache action to add a sudo option. I suppose it could help, if it were implemented.

Still it would be great if you were able to do something in the sonarqube-scan-action. Perhaps you could look into changing the permissions for directories under .sonar/cache to make them more accessible. Right now they are like:

drwx------  2 root root    4096 Jun 25 07:52 sonar-plsql-plugin.jar_unzip

which prevents others from accessing the cached files.
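The workaround above opens the whole .sonar tree with `chmod -R a+rx`, which also marks every cached jar executable. Here is an added example (not code from the thread or from SonarSource) that first reports which entries under the scanner cache are not readable by the runner user and then widens only the bits the cache action's tar step needs: rx on directories, r on files. It assumes the cache path is passed as the first argument and, on a real runner, that the script is invoked under sudo because the files are root-owned.

```shell
#!/bin/sh
# Added example: audit and repair permissions on the SonarQube scanner cache
# so the GitHub cache action (running as the non-root "runner" user) can tar it.
# Assumption: $1 is the cache directory, e.g. "$SONAR_USER_HOME/cache".

# List every directory lacking other-rx (octal 005) and every file lacking
# other-r (octal 004). Root-owned 0700 "*.jar_unzip" directories left by the
# scanner are exactly what makes the post-job tar fail with "Permission denied".
sonar_cache_unreadable() {
  find "$1" \( -type d ! -perm -005 \) -o \( -type f ! -perm -004 \)
}

# Number of such entries; "0" means the cache action can read the whole tree.
sonar_cache_unreadable_count() {
  sonar_cache_unreadable "$1" | wc -l | tr -d ' '
}

# Narrower than "chmod -R a+rx": directories become traversable, files become
# readable, but cached jars are not needlessly made executable. Needs root
# (sudo on the runner) when the entries are owned by root.
sonar_cache_fix_perms() {
  find "$1" -type d ! -perm -005 -exec chmod a+rx {} +
  find "$1" -type f ! -perm -004 -exec chmod a+r {} +
}

# Usage from a workflow step: sudo sh fix-sonar-cache-perms.sh "$SONAR_USER_HOME/cache"
if [ -n "${1:-}" ]; then
  echo "entries not readable by the runner user: $(sonar_cache_unreadable_count "$1")"
  sonar_cache_fix_perms "$1"
fi
```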

@MortenHindsholm

Thank you for raising this. We spent some time investigating the issue, and we think we found the error: the cleanup scripts' limited execution radius of the permission reset.
The new version of the sonarqube-scan-action, 2.3.0, should have the fix. Please let us know if this solves the problem for you.

Thanks
Csaba

Thank you for the fix. The action is working perfectly now :slightly_smiling_face: