SonarScanner authorization issue after upgrade to 9.9

Hello,

I wanted to upgrade from 8.9.10 Developer Edition to 9.9 Developer Edition on my system:
- RHEL 8, OpenJDK 17 (updated from 11 as part of the installation), PG 12

When running a new scan in Azure DevOps I am getting following error:
##[error]ERROR: Error during SonarScanner execution
ERROR: You’re not authorized to run analysis. Please contact the project administrator.

No permissions have been changed, I tried also a PAT with full admin permissions resulting in the same error.

After rollback to 8.9.10 and upgrade to 9.8 the scanning process still works fine, so it must somehow be related to 9.9.

What could be the issue?

Thanks and Regards

Timo

Hey there.

Nothing changed permissions-wise between SonarQube v9.8 and v9.9. How are you configuring the token in your Azure DevOps pipeline?

Hi Colin,

thanks for getting back. Currently I am using the Azure Devops extension for SonarQube and the token is stored as part of the service connection.

From the access logs I can see a difference between 9.8 and 9.9:
0:0:0:0:0:0:0:1 - - [11/Feb/2023:05:01:39 +0000] "GET /sonar/api/analysis_cache/get?project=ICC-DIH_dih-api-bc-app HTTP/1.1" 200 - "-" "ScannerCLI/4.8.0.2856" "AYY82PqD47Uc+rNoAAE6"
127.0.0.1 - - [11/Feb/2023:05:01:40 +0000] "GET /sonar/batch/project.protobuf?key=ICC-DIH_dih-api-bc-app HTTP/1.1" 200 - "-" "ScannerCLI/4.8.0.2856" "AYY82PqD47Uc+rNoAAE7"
127.0.0.1 - - [11/Feb/2023:05:01:43 +0000] "GET /sonar/api/metrics/search?ps=500&p=1 HTTP/1.1" 200 - "-" "ScannerCLI/4.8.0.2856" "AYY82PqD47Uc+rNoAAE8"
127.0.0.1 - - [11/Feb/2023:05:02:09 +0000] "GET /sonar/api/new_code_periods/show.protobuf?project=ICC-DIH_dih-api-bc-app&branch=master HTTP/1.1" 200 36 "-" "ScannerCLI/4.8.0.2856" "AYY82PqD47Uc+rNoAAE9"
0:0:0:0:0:0:0:1 - - [11/Feb/2023:05:02:09 +0000] "POST /sonar/api/ce/submit?projectKey=ICC-DIH_dih-api-bc-app&projectName=dih-api-bc-app HTTP/1.1" 200 44 "-" "ScannerCLI/4.8.0.2856" "AYY82PqD47Uc+rNoAAE+"

9.8 successfully does a POST while for 9.9 this request is missing:

[13/Feb/2023:10:22:58 +0000] "GET /sonar/api/analysis_cache/get?project=ICC-DIH_dih-api-bc-app HTTP/1.1" 404 - "-" "ScannerCLI/4.8.0.2856" "AYZKMze1JK2KnzjoAADB"
[13/Feb/2023:10:22:59 +0000] "GET /sonar/batch/project.protobuf?key=ICC-DIH_dih-api-bc-app HTTP/1.1" 200 - "-" "ScannerCLI/4.8.0.2856" "AYZKMze1JK2KnzjoAADC"
[13/Feb/2023:10:23:02 +0000] "GET /sonar/api/metrics/search?ps=500&p=1 HTTP/1.1" 200 - "-" "ScannerCLI/4.8.0.2856" "AYZKMze1JK2KnzjoAADD"
[13/Feb/2023:10:23:25 +0000] "GET /sonar/api/new_code_periods/show.protobuf?project=ICC-DIH_dih-api-bc-app&branch=master HTTP/1.1" 200 36 "-" "ScannerCLI/4.8.0.2856" "AYZKMze1JK2KnzjoAADE"

And for 9.9 the analysis_cache/get call returns a 404, while for 9.8 it was a 200.

Regards

Timo
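The comparison above is done by eye; the following is an added example (not SonarSource code, not part of the original post) that performs the same check over a SonarQube access.log: it groups ScannerCLI requests into scans and reports every scan that never reaches a successful POST /api/ce/submit. The line layout matches the lines quoted above; SAMPLE_LOG is constructed from them (the 9.8 run, then the 9.9 run), and the route names and the idea of treating batch/project.protobuf as the start of a scan are assumptions taken from that sequence.

```python
"""Find SonarScanner runs in a SonarQube access.log that never reach POST /api/ce/submit.

Added example, not SonarSource code.  The line layout matches the access-log lines
quoted in the thread; SAMPLE_LOG is constructed from them (one 9.8 run, one 9.9 run)."""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# client - - [timestamp] "METHOD path proto" status size "referer" "user-agent" "request-id"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)" "(?P<rid>[^"]*)"$'
)
START_ROUTE = "/batch/project.protobuf"   # assumed: first project request of every scan
SUBMIT_ROUTE = "/api/ce/submit"          # the report upload that was missing on 9.9

# Constructed sample, adapted from the lines quoted in the thread.
SAMPLE_LOG = """\
0:0:0:0:0:0:0:1 - - [11/Feb/2023:05:01:39 +0000] "GET /sonar/api/analysis_cache/get?project=ICC-DIH_dih-api-bc-app HTTP/1.1" 200 - "-" "ScannerCLI/4.8.0.2856" "AYY82PqD47Uc+rNoAAE6"
127.0.0.1 - - [11/Feb/2023:05:01:40 +0000] "GET /sonar/batch/project.protobuf?key=ICC-DIH_dih-api-bc-app HTTP/1.1" 200 - "-" "ScannerCLI/4.8.0.2856" "AYY82PqD47Uc+rNoAAE7"
127.0.0.1 - - [11/Feb/2023:05:01:43 +0000] "GET /sonar/api/metrics/search?ps=500&p=1 HTTP/1.1" 200 - "-" "ScannerCLI/4.8.0.2856" "AYY82PqD47Uc+rNoAAE8"
127.0.0.1 - - [11/Feb/2023:05:02:09 +0000] "GET /sonar/api/new_code_periods/show.protobuf?project=ICC-DIH_dih-api-bc-app&branch=master HTTP/1.1" 200 36 "-" "ScannerCLI/4.8.0.2856" "AYY82PqD47Uc+rNoAAE9"
0:0:0:0:0:0:0:1 - - [11/Feb/2023:05:02:09 +0000] "POST /sonar/api/ce/submit?projectKey=ICC-DIH_dih-api-bc-app&projectName=dih-api-bc-app HTTP/1.1" 200 44 "-" "ScannerCLI/4.8.0.2856" "AYY82PqD47Uc+rNoAAE+"
127.0.0.1 - - [13/Feb/2023:10:22:58 +0000] "GET /sonar/api/analysis_cache/get?project=ICC-DIH_dih-api-bc-app HTTP/1.1" 404 - "-" "ScannerCLI/4.8.0.2856" "AYZKMze1JK2KnzjoAADB"
127.0.0.1 - - [13/Feb/2023:10:22:59 +0000] "GET /sonar/batch/project.protobuf?key=ICC-DIH_dih-api-bc-app HTTP/1.1" 200 - "-" "ScannerCLI/4.8.0.2856" "AYZKMze1JK2KnzjoAADC"
127.0.0.1 - - [13/Feb/2023:10:23:02 +0000] "GET /sonar/api/metrics/search?ps=500&p=1 HTTP/1.1" 200 - "-" "ScannerCLI/4.8.0.2856" "AYZKMze1JK2KnzjoAADD"
127.0.0.1 - - [13/Feb/2023:10:23:25 +0000] "GET /sonar/api/new_code_periods/show.protobuf?project=ICC-DIH_dih-api-bc-app&branch=master HTTP/1.1" 200 36 "-" "ScannerCLI/4.8.0.2856" "AYZKMze1JK2KnzjoAADE"
"""


def parse_line(line):
    """Return one parsed request, or None for lines that are not in the access-log layout."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    r = m.groupdict()
    r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
    r["status"] = int(r["status"])
    url = urlsplit(r["path"])
    query = parse_qs(url.query)
    r["route"] = url.path
    # The scanner names the project under different parameters depending on the endpoint.
    r["project"] = next((query[k][0] for k in ("project", "key", "projectKey") if k in query), None)
    return r


def find_scans(lines):
    """Group ScannerCLI requests into scans and record whether each one submitted its report."""
    open_scans, finished, last_project = {}, [], None
    for line in lines:
        r = parse_line(line)
        if r is None or not r["ua"].startswith("ScannerCLI/"):
            continue
        project = r["project"] or last_project      # metrics/search carries no project key
        if project is None:
            continue
        last_project = project
        scan = open_scans.get(project)
        # A second project.protobuf for the same project means a new scan started while the
        # previous one never submitted: close the old one as incomplete.
        if scan and r["route"].endswith(START_ROUTE) and any(
                route.endswith(START_ROUTE) for _, route, _ in scan["requests"]):
            finished.append(open_scans.pop(project))
            scan = None
        if scan is None:
            scan = open_scans[project] = {"project": project, "started": r["ts"], "client": r["client"],
                                          "requests": [], "cache_status": None, "submitted": False}
        scan["requests"].append((r["method"], r["route"], r["status"]))
        if r["route"].endswith("/api/analysis_cache/get"):
            scan["cache_status"] = r["status"]        # a 404 here only means no cached analysis
        if r["method"] == "POST" and r["route"].endswith(SUBMIT_ROUTE):
            scan["submitted"] = r["status"] == 200
            finished.append(open_scans.pop(project))
    finished.extend(open_scans.values())
    return finished


def incomplete_scans(lines):
    """Scans with no successful POST /api/ce/submit: the request was lost before SonarQube."""
    return [s for s in find_scans(lines) if not s["submitted"]]


if __name__ == "__main__":
    for s in find_scans(SAMPLE_LOG.splitlines()):
        state = "submitted" if s["submitted"] else "NO ce/submit seen (check proxy/WAF logs)"
        print(f'{s["project"]} started {s["started"].isoformat()} from {s["client"]}: {state}')
```

Run it against a real access.log with `find_scans(open("access.log").readlines())`. A scan listed as incomplete with every preceding GET at 200 points at something between the scanner and SonarQube dropping the POST, which is exactly the direction the next reply takes.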

Hey there.

I’m not too surprised about a 404 on GET /sonar/api/analysis_cache because the analyzer expires after 7 days. So I wouldn’t say it’s indicative of anything.

What’s very interesting to me is the missing POST /sonar/api/ce/submit request. Are you running your SonarQube server behind a reverse proxy (to serve it over HTTPS, for example)? If so, I would suggest checking if the request even makes it that far (to your proxy, like nginx or httpd).

Hi,

the server is behind an Application Gateway. The WAF indeed blocked the POST request with error message ‘Multipart parser detected a possible unmatched boundary.’ When I disable the rule, it works. Not sure if it is a false positive or real issue.

Regards

Timo

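To help judge the "false positive or real issue" question, here is an added example (not ModSecurity, Azure WAF or SonarScanner code, and not part of the original thread) that puts a boundary-aware multipart parse next to a line-oriented boundary heuristic. It assumes the scanner's report is posted as multipart/form-data (the WAF message names the multipart parser) and models the check as "any body line that starts with `--` and is not the declared boundary is suspicious"; that is my simplification for illustration, not the engine's source. The boundary and the zip-like report bytes are constructed.

```python
"""Why a binary multipart upload can trip a 'possible unmatched boundary' check.

Added example, not ModSecurity, Azure WAF or SonarScanner code.  It assumes the report
is posted as multipart/form-data and models the check as 'any body line that starts
with "--" and is not the declared boundary is suspicious'; that is my simplification,
not the engine's source.  The boundary and the report bytes below are constructed."""

BOUNDARY = b"----SonarScannerFormBoundary7c1a2f"
# Constructed zip-like payload: the second line of binary happens to begin with "--".
REPORT = b"PK\x03\x04\x14\x00\x08\x08" + b"\r\n" + b"--\x89proto\x00\x01\xff"


def build_multipart(boundary, fields):
    """Assemble an RFC 2046 multipart/form-data body from (name, filename, data) tuples."""
    out = bytearray()
    for name, filename, data in fields:
        out += b"--" + boundary + b"\r\n"
        out += b'Content-Disposition: form-data; name="' + name + b'"'
        if filename:
            out += b'; filename="' + filename + b'"'
        out += b"\r\nContent-Type: application/octet-stream\r\n\r\n" + data + b"\r\n"
    out += b"--" + boundary + b"--\r\n"
    return bytes(out)


def parse_multipart(body, boundary):
    """Boundary-aware parse: only CRLF + "--" + the declared boundary separates parts,
    so bytes inside a part may start with "--" without confusing it.  Raises on a
    genuinely malformed body (no closing delimiter)."""
    delim = b"--" + boundary
    if not body.startswith(delim):
        raise ValueError("body does not begin with the declared boundary")
    rest = body[len(delim):]
    parts = []
    while True:
        if rest.startswith(b"--"):          # close delimiter: "--boundary--"
            return parts
        if not rest.startswith(b"\r\n"):
            raise ValueError("unexpected bytes after boundary line")
        rest = rest[2:]
        end = rest.find(b"\r\n" + delim)
        if end < 0:
            raise ValueError("closing boundary missing")
        headers, _, data = rest[:end].partition(b"\r\n\r\n")
        parts.append((headers, data))
        rest = rest[end + 2 + len(delim):]


def strict_boundary_check(body, boundary):
    """Line-oriented heuristic (my model of the WAF check): report every line that looks
    like a boundary ("--" prefix) but is not the declared one, and whether a close
    delimiter is present."""
    delim = b"--" + boundary
    lines = body.split(b"\r\n")
    unmatched = [ln for ln in lines if ln.startswith(b"--") and ln not in (delim, delim + b"--")]
    return {"unmatched": unmatched, "closed": delim + b"--" in lines}


def classify(body, boundary):
    """Compare both views of the same bytes: 'false positive' when the body parses
    cleanly but the heuristic still complains, 'malformed' when both reject it."""
    verdict = strict_boundary_check(body, boundary)
    try:
        parse_multipart(body, boundary)
    except ValueError:
        return "malformed"
    return "false positive" if verdict["unmatched"] or not verdict["closed"] else "clean"


if __name__ == "__main__":
    body = build_multipart(BOUNDARY, [(b"report", b"report.zip", REPORT)])
    print(classify(body, BOUNDARY))                       # binary report: false positive
    truncated = body[: body.rfind(b"--" + BOUNDARY + b"--")]
    print(classify(truncated, BOUNDARY))                  # no close delimiter: malformed
```

The boundary-aware parser returns the report bytes intact, so a request like the first case is well-formed and the alert is noise caused by binary content; only the second case, where the closing delimiter really is absent, is a malformed body. When deciding how to handle the rule, prefer scoping any exception to the scanner's upload path and the build agents' source addresses over switching it off for the whole gateway, and confirm in the WAF logs that it fires only on ScannerCLI requests before relaxing it.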

Hey there.

I suppose you’re using GitHub - SpiderLabs/ModSecurity – just for the record, could you tell us what version you’re using?

Hi,

the WAF is part of Azure Application Gateway (see CRS rule groups and rules - Azure Web Application Firewall | Microsoft Learn), rule 200004 in particular. Under the hood I believe it is the modsec nginx plugin you mentioned.


Hi, I’m getting the same error from SonarQubeAnalyze@5 after the upgrade, but I’m not sure which version I upgraded to 9.9 from.