Unexpected Token Invalidation in Sonar Organization

Hello everyone,

We’ve recently encountered an issue where an Azure DevOps pipeline began failing due to invalid Sonar token. After conducting an internal investigation, we discovered an unexpected situation:

  1. Missing Token from User Profile
    The token has disappeared from the token list of the user who created it. The user claims they did not revoke it and hasn’t accessed Sonar in several weeks.

Has anyone experienced similar behavior with Sonar tokens? We’d appreciate any insights or suggestions on how to further investigate or resolve this.

Thanks in advance!

  • ALM used: Azure DevOps
  • CI system used: Azure DevOps
  • Error observed:

[ERROR] Failed to query JRE metadata: GET https://api.sonarcloud.io/analysis/jres?os=linux&arch=x86_64 failed with HTTP 403. Please check the property sonar.token or the environment variable SONAR_TOKEN.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE

Hey @ftlvz

Is this ultimately a duplicate of Unexpected user removal from Sonar Organization ?

Was the user whose tokent his was the same user removed from your Sonarqube Cloud org?

@Colin Nope! The user I mentioned in this topic never stopped being a member of the Organization and has other tokens which are used by other projects.
Among those tokens there was the one which apparently disappeared.

I’m aware that when a user is removed from an Organization, their tokens become invalid, but this is not the case here: the user was not removed from the Organization.

Thus this and Unexpected user removal from Sonar Organization are 2 different cases.

Then I would say the next most likely culprit would be the 60-day token expiration put into place a few months ago, while we revisit our overall token strategy.

@Colin can this feature be disabled for some specific member, or project, or organization?

It is not configurable.

@Colin So bad. Do you have plans to enhance this? Can we get a notification before a token expires automatically?

In our enterprise, development teams, the team responsible for administering SonarQube and the one responsible for DevOps pipelines are different teams, so replacing expired tokens is not straightforward…

Should we reuse the same token for all projects belonging to the same portfolio? Is that feasible? Is that secure?

Please, advice on how we should manage analyses execution tokens in order to minimize the probability of letting them expire due to inactivity.

Thank you