SonarQube unable to open project after adding "Administer" permission on the group level

Dear team,

I broke my self-hosted SonarQube… again!

Version: 9.7

What did I do?
We are using GitLab OAuth and Group Sync, so every group has permissions to one project. On one of those groups, I have added (not removed!) another permission level - “Administer”, so they can change themselves some settings that are not supported by sonarqube.properties file that is in their repository.

As a consequence, noone can open that project anymore. Not me, as a general system and project admin (GitLab user), not even as a SonarQube (non-GitLab) system admin user (who has access to everything)…

On the UI it looks like this:

image1344×104 5.96 KB

A beautiful Java error stack trace from the server:

2023.01.11 11:06:46 ERROR web[AYWcP8oqVCHq4at3ABE7][o.s.s.w.WebServiceEngine] Fail to process request http://192.168.199.241:9000/api/project_pull_requests/list?project=iShuttle
java.lang.NullPointerException: Pull request data should be available for branch type PULL_REQUEST
        at java.base/java.util.Objects.requireNonNull(Objects.java:246)
        at com.sonarsource.G.D.A.D.A(Unknown Source)
        at com.sonarsource.G.D.A.D.A(Unknown Source)
        at com.google.common.collect.ImmutableList.forEach(ImmutableList.java:422)
        at com.sonarsource.G.D.A.D.handle(Unknown Source)
        at org.sonar.server.ws.WebServiceEngine.execute(WebServiceEngine.java:111)
        at org.sonar.server.platform.web.WebServiceFilter.doFilter(WebServiceFilter.java:84)
        at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:139)
        at org.sonar.server.platform.web.SonarLintConnectionFilter.doFilter(SonarLintConnectionFilter.java:66)
        at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:139)
        at org.sonar.server.platform.web.MasterServletFilter.doFilter(MasterServletFilter.java:108)
        at jdk.internal.reflect.GeneratedMethodAccessor38.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:187)
        at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:145)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143)
        at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:81)
        at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:68)
        at jdk.internal.reflect.GeneratedMethodAccessor38.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:187)
        at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:145)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143)
        at org.sonar.server.platform.web.CacheControlFilter.doFilter(CacheControlFilter.java:76)
        at jdk.internal.reflect.GeneratedMethodAccessor38.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:187)
        at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:145)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143)
        at org.sonar.server.platform.web.SecurityServletFilter.doHttpFilter(SecurityServletFilter.java:60)
        at org.sonar.server.platform.web.SecurityServletFilter.doFilter(SecurityServletFilter.java:47)
        at jdk.internal.reflect.GeneratedMethodAccessor38.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:187)
        at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:145)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143)
        at org.sonar.server.platform.web.RedirectFilter.doFilter(RedirectFilter.java:57)
        at jdk.internal.reflect.GeneratedMethodAccessor38.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:187)
        at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:145)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143)
        at org.sonar.server.platform.web.RequestIdFilter.doFilter(RequestIdFilter.java:66)
        at jdk.internal.reflect.GeneratedMethodAccessor38.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:187)
        at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:145)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143)
        at org.sonar.server.platform.web.RootFilter.doFilter(RootFilter.java:65)
        at jdk.internal.reflect.GeneratedMethodAccessor38.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:187)
        at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:145)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143)
        at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:109)
        at jdk.internal.reflect.GeneratedMethodAccessor38.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:187)
        at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:145)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
        at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:256)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
        at org.sonar.server.app.SecureErrorReportValve.invoke(SecureErrorReportValve.java:38)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:890)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1743)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:829)

Other projects seem to be fine for now. Everything else seem to work fine. Just that 1 project not at all.

I would usually poke around myself, but from my experience so far, I am afraid I’ll break complete instance in 2 minutes. Therefore, I’d appreciate any official help and suggestions before that happens.

Thanks in advance!

Hi,

You should still be able to get into the project permissions via Administration → Projects → Management → [project row] → [cog menu] → Edit Permissions.

My assumption is that the first thing you’ll do once you get in is back out your change. Before you do that, can you screenshot current/broken state for further examination?

Also, SonarQube 9.8 was recently released. I don’t believe it will fix this problem, but it’s probably worth taking the upgrade.

 
Ann

Dear @ganncamp ,

You should still be able to get into the project permissions via Administration → Projects → Management → [project row] → [cog menu] → Edit Permissions.

Unfortunately, this does not work either. In both cases (accessing project from here, or from the home page), leads to a completely blank page that doesn’t load anything (apart from top menu and footer):

image1379×920 13 KB

First 5 seconds you can see the red error message (as in the screenshot I sent in the post above), then it disappears. Loading spinner just stays there trying to load the page.

Is there anything else I can try apart from upgrading?
I was thinking about turning off the GitLab OAuth completely and see if I could then access the project as a normal SonarQube user. Would that make sense?

Thanks,
Paula

Hi Paula,

Shoot. After I replied, it occurred to me that might happen, but I had my fingers crossed it wouldn’t.

I suspect that won’t have any impact. I don’t think this is about how you authenticate, but about what happens after that. But if you do decide to try it, make sure first that you have SonarQube-native account to log in with.

I’m going to flag this for more expert eyes.

 
Ann

Hello @paula.kokic.bhs,

We were able to track down this issue, and as it turns out the bug has been fixed here in 9.8.

I suggest updating to 9.8 and letting us know then if the problem persists.

Regards
Alain

Hi Alain,

Thank you for your response. Update did indeed resolve the problem!

However: I must point out - in the Release Notes you did not mention one big change that has been made - that SQ has been upgraded to Java 17. This caused our self-signed certificates not being mounted to the correct Java path, therefore not being able to connect to our GitLab instance anymore.

In order to fix, we dig manually through your last Jira tickets to find out this information, which combined with SQ logs gave us enough information to fix the problem. I hope you can in the future list such big changes directly in the release notes and also mention what kind of impact this can have. Additionally, it would be amazing if documentation (> Self Signed Certificates > Docker Example) would get updated on time.

Thanks,
Paula

Hi Paula,

Wow! Great catch and thanks for pointing it out. We’re on it.

 
Ann

Thanks for pointing this out, I’ve updated the 9.8 release upgrade notes with a note about Java 17 and a link to the ticket.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.