Unable to run JS local analysis on 10.6

  • SonarQube
    Community Edition v10.6 (92116)

  • Sonar-scanner
    Latest, v4.0.1 (sonarqube-scanner - npm), installed via NPM. Note: GitHub says that 4.1.0 is the latest, but it is not published yet.

  • How is SonarQube deployed
    Podman (no volume)
    podman run -d -p 9000:9000 --name sonar10 sonarqube:community

  • What are you trying to achieve
    Run analysis

  • What have you tried so far to achieve this
    v10.5 worked fine. This happened when upgrading to v10.6 (clean install, new pod/container).
    Running ./mvnw sonar:sonar on a Java project works fine on this new instance, so in theory it’s a sonar-scanner specific issue.

> npm run sonar:local -- -X

[INFO]  Bootstrapper: Retrieving info from "package.json" file
[DEBUG] Bootstrapper: Setting the log level to DEBUG due to verbose mode
[DEBUG] Bootstrapper: Properties: { <redacted> }
[INFO]  Bootstrapper: Platform: win32 x64
[DEBUG] Bootstrapper: Detecting proxy: No proxy detected
[INFO]  Bootstrapper: Server URL: http://localhost:9000
[INFO]  Bootstrapper: Version: 4.0.1
[DEBUG] Bootstrapper: Check if Server supports JRE provisioning
[DEBUG] Bootstrapper: Detecting SonarQube server version
[DEBUG] Bootstrapper: Fetching API V2 /analysis/version
[DEBUG] Bootstrapper: Unable to fetch API V2 /analysis/version: AxiosError: Request failed with status code 401. Falling back on /api/server/version
[DEBUG] Bootstrapper: Not using axios instance for http://localhost:9000/api/server/version
[INFO]  Bootstrapper: SonarQube server version: 10.6.0
[DEBUG] Bootstrapper: SonarQube Server v10.6.0 supports JRE provisioning: true
[INFO]  Bootstrapper: JRE provisioning is supported
[DEBUG] Bootstrapper: Detecting latest version of JRE
[DEBUG] Bootstrapper: Downloading JRE information for win32 x64 from /analysis/jres
[ERROR] Bootstrapper: An error occurred: AxiosError: Request failed with status code 401

For the sake of testing, I even tried giving permissions (creation and execution) to “anyone” and disabling “Force user authentication”.
When accessing http://localhost:9000/api/v2/analysis/version in incognito mode, I get 10.6.0.92116, so it’s not a permission issue.


Off-topic question: If I have Java available, why does it try to download it?

Is it somehow related to “Specific JRE version no longer needed for CLI and NPM scanners”?

> java --version
openjdk 17.0.11 2024-04-16
OpenJDK Runtime Environment Temurin-17.0.11+9 (build 17.0.11+9)
OpenJDK 64-Bit Server VM Temurin-17.0.11+9 (build 17.0.11+9, mixed mode, sharing)

Hey there!

  • Where are you providing the authentication details, and what type of token are you using (project-specific token, global analysis token, user token…)?

Hi, Colin.

Given that I gave permissions to “Anyone” group (for the sake of testing), I’m not using a token.

When I do, I use the CLI “sonar.login” parameter.

For this scenario I’ve also used a Global token (created with admin user).

> npm run sonar:local -- -X "-Dsonar.login=sqa_XXXXXX"

Token is visible in the [DEBUG] Bootstrapper: Properties: section. Additional info from logs:

  'sonar.userHome': 'C:\\Users\\XXX\\.sonar',
  'sonar.scanner.os': 'win32',
  'sonar.scanner.arch': 'x64',
  ...
  'sonar.verbose': 'true',
  'sonar.host.url': 'http://localhost:9000',
  'sonar.login': 'sqa_XXXXXX',
  'sonar.scanner.internal.isSonarCloud': 'false',
  'sonar.scanner.apiBaseUrl': 'http://localhost:9000/api/v2',
  'sonar.scanner.app': 'ScannerNpm',
  'sonar.scanner.appVersion': '4.0.1',
  'sonar.scanner.bootstrapStartTime': '1721061224363',
  'sonar.scanner.wasJreCacheHit': 'disabled',
  'sonar.scanner.wasEngineCacheHit': 'false',

Just a shot in the dark – can you try replacing sonar.login with sonar.token?

2 Likes

Nice shot. It worked! :eyes:

Now, is this a bug, expected behavior or something in the middle? :sweat_smile:

Given that GET http://localhost:9000/api/v2/analysis/version is accessible from incognito mode, there shouldn’t be a 401, right?

I believe the 401 is coming from this API endpoint. Something is funky with a new feature we added to download the JRE from the SonarQube server instead of relying on it being in the user’s environment.

Now – sonar.login is deprecated, but it isn’t removed yet, so something is fishy. I’m going to flag this for attention.

And while we don’t like “Anyone” being granted Execute Analysis permissions… I would have expected it to work if that’s what is configured.

2 Likes

This seems to be a valid bug; the npm scanner is not handling the deprecated sonar.login correctly (it should inform the user of the deprecation and map it to the new value sonar.token)

I’ve created a ticket to address this, stay tuned for an update

https://sonarsource.atlassian.net/browse/SCANNPM-40

2 Likes
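The handling described in the reply above (warn about the deprecated sonar.login, map it to sonar.token, and send the credential with every server request), as an added JavaScript example that is not part of the thread and not the sonarqube-scanner source. The function names are hypothetical, the Bearer header form is an assumption, and the sample properties are constructed; the redaction step covers the token that shows up in the DEBUG properties dump.

```javascript
const DEPRECATED_LOGIN = 'sonar.login';
const TOKEN = 'sonar.token';
// Properties whose values must never reach a log line.
const SECRET_KEYS = new Set([TOKEN, DEPRECATED_LOGIN, 'sonar.password']);

// Map the deprecated property onto its replacement and collect warnings.
function normalizeAuthProperties(props) {
  const out = { ...props };
  const warnings = [];
  if (DEPRECATED_LOGIN in out) {
    warnings.push(
      `Property "${DEPRECATED_LOGIN}" is deprecated and will be removed in a ` +
      `future version. Please use "${TOKEN}" instead.`);
    // An explicit sonar.token wins; otherwise carry the old value over.
    if (!out[TOKEN]) out[TOKEN] = out[DEPRECATED_LOGIN];
    delete out[DEPRECATED_LOGIN];
  }
  return { props: out, warnings };
}

// Headers for any server call, including the JRE provisioning requests.
// With no token configured the request is sent anonymously.
function authHeaders(props) {
  return props[TOKEN] ? { Authorization: `Bearer ${props[TOKEN]}` } : {};
}

// Copy of the properties that is safe to print at DEBUG level.
function redactForLog(props) {
  return Object.fromEntries(Object.entries(props).map(
    ([key, value]) => [key, SECRET_KEYS.has(key) ? '<redacted>' : value]));
}

// Constructed sample, shaped like the properties dump quoted in the thread.
const sample = {
  'sonar.host.url': 'http://localhost:9000',
  'sonar.login': 'sqa_CONSTRUCTED_SAMPLE',
  'sonar.scanner.app': 'ScannerNpm',
};

const { props, warnings } = normalizeAuthProperties(sample);
warnings.forEach((w) => console.log(`[WARN]  Bootstrapper: ${w}`));
console.log('[DEBUG] Bootstrapper: Properties:', redactForLog(props));
console.log('Authorization header set:', 'Authorization' in authHeaders(props));
```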

Looks like version 4.2.0 was released with the fix.

It now shows a warning message when using the deprecated “sonar.login” (which is fine).

[WARN]  Bootstrapper: Property "sonar.login" is deprecated and will be removed in a future version. Please use "sonar.token" instead.

However, I noticed that the deprecated “Anyone” still fails with 401 code (when no token is used). Is this expected?

Thank you, @gian1200, for the callout.

Indeed, this is a valid issue. I’ve created a ticket to track a fix for this :bowing_man:
https://sonarsource.atlassian.net/browse/SCANNPM-42

1 Like

Just tested sonarqube-scanner v4.2.1 and it works flawlessly. Marking this issue as solved.

Thanks!

2 Likes
