We’ve recently encountered an issue where an Azure DevOps pipeline began failing due to invalid Sonar token. After conducting an internal investigation, we discovered an unexpected situation:
Missing Token from User Profile
The token has disappeared from the token list of the user who created it. The user claims they did not revoke it and hasn’t accessed Sonar in several weeks.
Has anyone experienced similar behavior with Sonar tokens? We’d appreciate any insights or suggestions on how to further investigate or resolve this.
Thanks in advance!
ALM used: Azure DevOps
CI system used: Azure DevOps
Error observed:
[ERROR] Failed to query JRE metadata: GET https://api.sonarcloud.io/analysis/jres?os=linux&arch=x86_64 failed with HTTP 403. Please check the property sonar.token or the environment variable SONAR_TOKEN.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
@Colin Nope! The user I mentioned in this topic never stopped being a member of the Organization and has other tokens which are used by other projects.
Among those tokens there was the one which apparently disappeared.
I’m aware that when a user is removed from an Organization, their tokens become invalid, but this is not the case here: the user was not removed from the Organization.
Then I would say the next most likely culprit would be the 60-day token expiration put into place a few months ago, while we revisit our overall token strategy.
@Colin So bad. Do you have plans to enhance this? Can we get a notification before a token expires automatically?
In our enterprise, development teams, the team responsible for administering SonarQube and the one responsible for DevOps pipelines are different teams, so replacing expired tokens is not straightforward…
Should we reuse the same token for all projects belonging to the same portfolio? Is that feasible? Is that secure?
Please, advice on how we should manage analyses execution tokens in order to minimize the probability of letting them expire due to inactivity.