Unable to decorate pull request in Azure DevOps

Hi All,

We’re running (a trial) version of SonarQube Developer Edition 8.2 (build 32929) and I’m trying to setup pull request analysis including pull request decoration. The analysis part works fine, I can see the result for the analysis and I can see there are some new issues added with the new code that’s being added. However I don’t see any mention of the found issues in my pull request in Azure DevOps.

I’ve created a Personal Acces Token in Azure DevOps and gave that all authorized scopes (I know I just need Code (read & write), but to be sure this is not the issue I selected all scopes).
In SonarQube I configured the Azure DevOps Service ALM Integration and for my project I selected the azure configuration in the Pull Request Decoration configuration section.

I’ve looked at the logs in SonarQube and came across the following warning when the Pull Request Decoration should have occured:

2020.03.27 13:12:43 WARN  ce[AXEb6JlBtvGysIyOX5YY][c.s.C.D.C.C] Failed to decorate Azure DevOps Pull Request: API resource location 225f7195-f9c7-4d14-ab28-a83f7ff77e1f is not registered on [Azure DevOps Link]. javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

So it looked like the certificate for the connection to Azure DevOps couldn’t be validated. So I installed the certificate in the local computer personal store. The root certificate was already imported in the Trusted Root and the Intermediate store. But the error still remains.

I also checked the background tasks as described in this (Pull Request Decoration not working with Azure DevOps Server 2019) comment, but I don’t see the option the show warnings.

Can anyone point me in the right direction to make the pull request decoration work?

Never mind, I got it working.

For anyone coming here in the future, SonarQube doesn’t look at the certificate imported in the windows certificate store, but rather in Java’s own store.
To add your own certificate you can use the keytool located in your jdk folder under “lib\security”. Use the following command:

keytool -import -alias tfs -keystore  "C:\Program Files\Java\jdk-12.0.1\lib\security\cacerts" -file <PATHA_TO_SSL_CERT_FILE>

You might have to change the path to the cacerts file if it’s located in another location.