[o.s.w.c.OkHttpClientBuilder] --> GET https://bb.some.com/rest/api/1.0/repos
[o.s.w.c.OkHttpClientBuilder] <-- 401 https://bb.some.com/rest/api/1.0/repos (460ms, 172-byte body)
[o.s.a.c.b.BitbucketServerRestClient] Unable to contact Bitbucket server: 401 com.atlassian.plugins.rest.api.security.exception.AuthenticationRequiredException You are not permitted to access this resource
In the Bitbucket log:
[https-jsse-nio-8443-exec-6] 10.10.1.2 "GET /rest/api/1.0/repos HTTP/1.1" o.a.tomcat.util.net.jsse.JSSESupport Error trying to obtain a certificate from the client
[https-jsse-nio-8443-exec-6] 10.10.1.2 "GET /rest/api/1.0/repos HTTP/1.1" c.a.o.s.r.DefaultScopesRequestCache Storing permissions [[]] to scope request cache for application name [com.atlassian.oauth2.provider.core.web.ApplicationNameSupplier@6a46f433].
[https-jsse-nio-8443-exec-6] 10.10.1.2 "GET /rest/api/1.0/repos HTTP/1.1" c.a.o.s.r.DefaultScopesRequestCache Removing all permissions from scope request cache.
[AtlassianEvent::thread-1] 10.10.1.2 "GET /rest/api/1.0/repos HTTP/1.1" c.a.o.s.r.DefaultScopesRequestCache Storing permissions [[]] to scope request cache for application name [com.atlassian.oauth2.provider.core.web.ApplicationNameSupplier@6a46f433].
[AtlassianEvent::thread-3] 10.10.1.2 "GET /rest/api/1.0/repos HTTP/1.1" c.a.o.s.r.DefaultScopesRequestCache Storing permissions [[]] to scope request cache for application name [com.atlassian.oauth2.provider.core.web.ApplicationNameSupplier@6a46f433].
[https-jsse-nio-8443-exec-6] 10.10.1.2 "GET /rest/api/1.0/repos HTTP/1.1" c.a.o.s.r.DefaultScopesRequestCache Storing permissions [[]] to scope request cache for application name [com.atlassian.oauth2.scopes.api.ScopesRequestCache$RequestCache$$Lambda$3828/0x000073a9ee11b318@ebdc1e4].
[https-jsse-nio-8443-exec-6] 10.10.1.2 "GET /rest/api/1.0/repos HTTP/1.1" c.a.o.s.r.DefaultScopesRequestCache Storing permissions [[]] to scope request cache for application name [com.atlassian.oauth2.scopes.api.ScopesRequestCache$RequestCache$$Lambda$3828/0x000073a9ee11b318@ebdc1e4].
[AtlassianEvent::thread-3] 10.10.1.2 "GET /rest/api/1.0/repos HTTP/1.1" c.a.analytics.client.EventTracer Processing event class com.atlassian.bitbucket.dmz.user.AuthorizationFailureEvent from com.atlassian.analytics.client.listener.ProductEventListener.logEventSourceInfo(ProductEventListener.java:71)
com.atlassian.analytics.client.listener.ProductEventListener.processEvent(ProductEventListener.java:49)
com.atlassian.analytics.client.listener.BitbucketEventListener.onEvent(BitbucketEventListener.java:56)
jdk.internal.reflect.GeneratedMethodAccessor490.invoke(Unknown Source)
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
java.base/java.lang.reflect.Method.invoke(Unknown Source)
com.atlassian.event.internal.SingleParameterMethodListenerInvoker.invoke(SingleParameterMethodListenerInvoker.java:42)
com.atlassian.diagnostics.internal.platform.monitor.event.EventSystemMonitor.invokeMonitored(EventSystemMonitor.java:105)
com.atlassian.diagnostics.internal.platform.monitor.event.MonitoredListenerInvoker.invoke(MonitoredListenerInvoker.java:38)
com.atlassian.event.internal.ComparableListenerInvoker.invoke(ComparableListenerInvoker.java:48)
What version of SonarQube are we talking about here?
Based on your screenshot and your server log, it’s not that integration broke but that authorization failed. In fact, based on both logs, authorization failed.
Have you tried generating a new token to replace the one currently stored in SonarQube?
I’m not sure what to tell you. Both logs and the screenshot clearly indicate that the token isn’t working. Can you try replacing it? You’ll need to make sure it has the right permissions.
We’re experiencing this issue as well, and not upgrading to Bitbucket 9 was not really an option for us. After some digging, I believe I understand the problem. As part of the Bitbucket connection validation, SonarQube attempts to validate the URL by calling the “Search for repositories” Bitbucket REST endpoint. Previous versions of Bitbucket would return a 200 to anonymous requests to this endpoint. In BBDC version 9.x, however, it returns a 401. This causes the misleading “Invalid personal access token” message to be shown.
A solution on the SonarQube side could be to change the validate URL to /status, rather than /rest/api/1.0/repos.
I’ve also opened a ticket with Atlassian to determine whether this change is intentional, as their REST API documentation still suggests the repos endpoint can handle anonymous requests. I will try to report back here if/when I hear from them.
Some follow-up after hearing back from Atlassian. The endpoint used for URL validation (/rest/api/1.0/repos) will now return a 401 if there are no public repos configured. I believe the best course of action will be to change BitbucketServerRestClient.java:73 to use the /status endpoint.
Edit to include the detailed response I just received from Atlassian support:
I talked to the developers and confirmed that in 9.0 REST endpoints were hardened so that if anonymous access is disabled (which it is by default), the endpoints will now just return 401 right away rather than do processing (like accessing the database, etc.) that would return an empty string.
In SonarQube’s case, they appear to be simply using this URL call to make sure that the Bitbucket base URL is correct (returning 0 return code with an empty result set). Our development team’s suggestion is to use /about. It seems like you and our development team have come to the same conclusion.
What would be the best way to make this happen? Should I create a ticket somewhere or create a PR on GitHub?
Since there have been multiple posts regarding this issue (see here) and the solution should be very simple, how can we get a fix for this in place? Any guidance would be greatly appreciated!
Thanks for the PR; much appreciated. We prioritized the fix for BB and also created the PR. I must say our PR is almost 1:1 to yours, so it makes us more confident about the change introduced.
Now, we need to validate whether we have any other issues with supporting BB 9.0. I hope no new discovery will block us.
I’ll update you when we complete the validation. For now, the plan is to add the fix to version 10.8.
Thanks all once again for raising the issue and the thorough investigation - it helped us a lot.
This is a short update from my side: We’ve finished validating the fix, and it looks like it works fine.
It’s already merged, so I’m happy to announce that it will be released with version 10.8 of SonarQube.
Once again, many thanks to everyone (especially @LividSquid) for raising the issue, providing detailed descriptions, and proposing solutions. This was a huge help. Kudos!
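The validation problem diagnosed in this thread, as an added example that is not part of any post and is not SonarQube's or Atlassian's code: it models why an anonymous URL probe against /rest/api/1.0/repos is reported as a bad token on Bitbucket 9.x, and how probing an unauthenticated endpoint separates "wrong URL" from "wrong token". The fake servers, token values and function names are constructed for illustration, and /status answering anonymous requests with 200 is an assumption.

```python
# Added illustration, not SonarQube or Atlassian code. The fake servers are
# constructed from the behaviour the thread describes.
from typing import Callable, Optional

REPOS = "/rest/api/1.0/repos"
STATUS = "/status"  # assumption: answers anonymous requests with 200
OK, BAD_URL, BAD_TOKEN = "ok", "server not reachable at this URL", "invalid personal access token"

Server = Callable[[str, Optional[str]], int]  # (path, token or None) -> HTTP status

def make_server(anonymous_repos_ok: bool, valid_token: str = "good-token") -> Server:
    def handle(path: str, token: Optional[str]) -> int:
        if path == STATUS:
            return 200
        if path != REPOS:
            return 404
        if token == valid_token or (token is None and anonymous_repos_ok):
            return 200
        return 401
    return handle

bitbucket_8 = make_server(anonymous_repos_ok=True)   # pre-9.0: anonymous repos search answers 200
bitbucket_9 = make_server(anonymous_repos_ok=False)  # 9.x, no public repos: 401 right away
not_bitbucket: Server = lambda path, token: 404      # wrong base URL

def validate_old(server: Server, token: str) -> str:
    """Simplified model of the flow in the thread: the URL probe is an
    anonymous GET on the repos endpoint and a 401 is blamed on the token."""
    probe = server(REPOS, None)
    if probe == 401:
        return BAD_TOKEN          # misleading: no token was sent yet
    if probe != 200:
        return BAD_URL
    return OK if server(REPOS, token) == 200 else BAD_TOKEN

def validate_new(server: Server, token: str) -> str:
    """URL probe moved to an endpoint that needs no authentication, so a 401
    can only come from the authenticated call."""
    if server(STATUS, None) != 200:
        return BAD_URL
    return OK if server(REPOS, token) == 200 else BAD_TOKEN

if __name__ == "__main__":
    for name, srv in [("8.x", bitbucket_8), ("9.x", bitbucket_9), ("wrong URL", not_bitbucket)]:
        for tok in ("good-token", "expired-token"):
            print(f"{name:9} {tok:13} old={validate_old(srv, tok)!r} new={validate_new(srv, tok)!r}")
```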