"You're not authorized to run analysis. Please contact the project administrator." when SCM enabled

We’ve recently been evaluating Sonarqube as a code quality and coverage analyzer on our C# and Typescript based projects. We’ve set up an SQ server running in docker, which seems to be running fine. Our builds also run inside a docker container, and use the dotnet-sonarscanner tool for .net core. The build and scanning run without issue, but the process fails to upload the analysis to the SQ server whenever we have scm/blame enabled. Everything works perfectly with scm/blame disabled.

Here is our build dockerfile:


FROM mcr.microsoft.com/dotnet/core/sdk:2.2.104 as build-netcore
ARG SONAR_TOKEN
WORKDIR /build
# SHELL takes a JSON array, so the quotes must be plain ASCII double quotes
SHELL ["/bin/bash", "-c"]

COPY ./ ./

# Install the JRE the scanner needs, node for the TypeScript analyzer, then run
# begin -> build -> end so the scanner can collect the build output
RUN apt-get update -yq \
&& apt-get upgrade -yq \
&& apt-get install -yq openjdk-8-jre-headless ca-certificates-java \
&& apt-get install -y unzip \
&& curl -sL https://deb.nodesource.com/setup_10.x | bash \
&& apt-get install -y nodejs \
&& dotnet tool install --global dotnet-sonarscanner \
&& export PATH="$PATH:/root/.dotnet/tools" \
&& dotnet restore service/AXS/AXS.sln \
&& dotnet sonarscanner begin /k:axs /d:sonar.host.url=https://redacted.io /d:sonar.login=${SONAR_TOKEN} \
&& dotnet build service/AXS/AXS.sln \
&& dotnet sonarscanner end /d:sonar.login=${SONAR_TOKEN}

Which gets executed with:

docker build --build-arg SONAR_TOKEN=${SONAR_TOKEN} .


When SCM/blame is not disabled (with auto-detection):

We get the following output (tail):

INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=205ms
INFO: SCM provider for this project is: git
INFO: 1327 files to be analyzed
INFO: 95/1327 files analyzed
INFO: 269/1327 files analyzed
INFO: 454/1327 files analyzed
INFO: 635/1327 files analyzed
INFO: 829/1327 files analyzed
INFO: 1027/1327 files analyzed
INFO: 1198/1327 files analyzed
INFO: 1327/1327 files analyzed
INFO: 102 files had no CPD blocks
INFO: Calculating CPD for 1168 files
INFO: CPD calculation finished
INFO: Analysis report generated in 392ms, dir size=11 MB
INFO: Analysis report compressed in 3062ms, zip size=5 MB
INFO: ------------------------------------------------------------------------
INFO: EXECUTION FAILURE
INFO: ------------------------------------------------------------------------
INFO: Total time: 2:05.668s
INFO: Final Memory: 18M/430M
INFO: ------------------------------------------------------------------------
ERROR: Error during SonarQube Scanner execution
ERROR: You’re not authorized to run analysis. Please contact the project administrator.
ERROR: The SonarQube Scanner did not complete successfully


BUT, when we disable the SCM/blame:




We get the following successful output (tail):

INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=226ms
INFO: SCM Publisher is disabled
INFO: 102 files had no CPD blocks
INFO: Calculating CPD for 1168 files
INFO: CPD calculation finished
INFO: Analysis report generated in 409ms, dir size=10 MB
INFO: Analysis report compressed in 2586ms, zip size=4 MB
INFO: Analysis report uploaded in 1162ms
INFO: ANALYSIS SUCCESSFUL, you can browse https://redacted.io/dashboard?id=axs
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at https://redacted.io/api/ce/task?id=AWoybkcfwsOlZVOObF9d
INFO: Analysis total time: 17.583 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 53.321s
INFO: Final Memory: 20M/333M
INFO: ------------------------------------------------------------------------
The SonarQube Scanner has finished


The token we are using in both cases is associated with the Administrator account on our SQ server, which naturally has been given all permissions to do everything (as far as we can tell).

We are counting on tracking the author on quality and coverage changes so we can automate messaging to that developer. Any thoughts as to what could cause this behavior?

Thank you in advance!

Hi,

This is extremely odd; I don’t remember another similar report. My current working hypothesis is that collection of the SCM information somehow disrupts the value of $SONAR_TOKEN. I’m wondering if you can prove/disprove that by adding echo/print statements to your build script to show the variable value before and after analysis.

Ann

Thank you for the reply. I added an echo immediately after the build and before the scanner “end”:

&& dotnet build service/AXS/AXS.sln \
&& echo "SONAR_TOKEN=${SONAR_TOKEN}" \
&& dotnet sonarscanner end /d:sonar.login=${SONAR_TOKEN}

The script echoed the proper token, but we got the same “not authorized” result. We also tried removing the environment variables from the equation entirely by hard coding the token in the script, with the same result.

For what it’s worth, running the exact same start/build/end steps outside the docker container, just on a windows 10 developer machine, works fine.

Finally, we tried excluding the .git folder from the docker context to see if we’d get any different result. In this configuration, we got a slightly different message during the sensor phase, but the same ultimate result:

INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=152ms
INFO: No SCM system was detected. You can use the ‘sonar.scm.provider’ property to explicitly specify it.
INFO: 102 files had no CPD blocks
INFO: Calculating CPD for 1168 files
INFO: CPD calculation finished
INFO: Analysis report generated in 456ms, dir size=10 MB
INFO: Analysis report compressed in 2210ms, zip size=4 MB
INFO: ------------------------------------------------------------------------
INFO: EXECUTION FAILURE
INFO: ------------------------------------------------------------------------
INFO: Total time: 1:02.187s
INFO: Final Memory: 16M/215M
INFO: ------------------------------------------------------------------------
ERROR: Error during SonarQube Scanner execution
ERROR: You’re not authorized to run analysis. Please contact the project administrator.

Wondering if it is really some other issue, like file permissions, etc. that is just being misreported as an authorization issue.

Hi,

It was a long shot, but worth checking.

So that tells me it’s about debugging your docker container (& I have no expertise there).

You can try passing -Dsonar.verbose=true on the command line to ratchet up logging. Detail in the docs.

Ann

Well, fortunately this problem was resolved for me by an unrelated switch to another docker image (moving from the mcr.microsoft.com/dotnet/core/sdk:2.2.104 image to the official aws codebuild ubuntu/standard image). Unfortunately, I never found an answer as to why it was happening in the other build container. With verbose logging on, nothing seemed unusual/unexpected in the scan log other than getting a 403 from the POST to the sonar server at the very end.

Out of curiosity, what’s your SonarQube version? A few odd reports of hitting an unexpected “Not Authorized” error in SQ v7.7 have popped up in our support queue lately.

We’re running off the public sonarqube docker image. We rebuilt our downstream sonar image yesterday, giving us v7.7.0.23042, although our builds had already started working on the previous version with the build container change mentioned above. I didn’t make note of the sonar version on our previous server image, but it was deployed on April 4. So, it should be whatever version was in the public image at that time.

Update on this issue:

We’ve been successfully analyzing one of our typescript projects for a few days now, but noticed today that when we switch the typescript quality profile to “Sonar way recommended” (instead of “Sonar way”), it started throwing the same “not authorized” error at the end of the scan process.

INFO: Sensor HTML [web] (done) | time=108ms
INFO: Sensor SonarTS [typescript]
INFO: Analyzing 27 typescript file(s) with the following configuration file /codebuild/output/src836913590/src/clients/form-runtime/tsconfig.json
INFO: 27 files analyzed out of 27
INFO: Sensor SonarTS [typescript] (done) | time=3877ms
INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=22ms
INFO: 5 files had no CPD blocks
INFO: Calculating CPD for 42 files
INFO: CPD calculation finished
INFO: Analysis report generated in 55ms, dir size=301 KB
INFO: Analysis report compressed in 63ms, zip size=142 KB
INFO: ------------------------------------------------------------------------
INFO: EXECUTION FAILURE
INFO: ------------------------------------------------------------------------
INFO: Total time: 15.795s
INFO: Final Memory: 16M/298M
INFO: ------------------------------------------------------------------------
ERROR: Error during SonarQube Scanner execution
ERROR: You’re not authorized to run analysis. Please contact the project administrator.

But, if we switch it back to “Sonar way” it works fine again. We’ve tested toggling back and forth multiple times and get consistent pass/fail behavior.

INFO: Sensor HTML [web] (done) | time=109ms
INFO: Sensor SonarTS [typescript]
INFO: Analyzing 27 typescript file(s) with the following configuration file /codebuild/output/src182442202/src/clients/form-runtime/tsconfig.json
INFO: 27 files analyzed out of 27
INFO: Sensor SonarTS [typescript] (done) | time=3231ms
INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=16ms
INFO: SCM provider for this project is: git
INFO: 1 files to be analyzed
INFO: 1/1 files analyzed
INFO: 5 files had no CPD blocks
INFO: Calculating CPD for 42 files
INFO: CPD calculation finished
INFO: Analysis report generated in 75ms, dir size=283 KB
INFO: Analysis report compressed in 64ms, zip size=133 KB
INFO: Analysis report uploaded in 42ms
INFO: ANALYSIS SUCCESSFUL, you can browse …

UPDATE: over a year later and this problem has continued to pop up occasionally for us, then fix itself on the next commit or two. We finally just found the real culprit. We self host sonar within an AWS environment using a Fargate docker container. In that environment we have a load balancer sitting on top of that container. As a standard practice we keep an AWS WAF (web app firewall) attached to all of our load balancers and applications with cross site scripting rules configured to prevent XSS attacks. It turns out that when being uploaded to our sonar server, the analysis payload is sometimes tripping the XSS detector and the load balancer is returning an instant 403 response, which manifests as a “You’re not authorized to run analysis” error in the scanner. We’ll continue to dig into how to circumvent this problem without disabling XSS detection entirely, but for now we’ve confirmed that in each case that scanning failed, Amazon logged an XSS violation and rejection.
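The diagnosis above (a WAF in front of the load balancer returning 403 on the report upload, which the scanner surfaces as "not authorized") can be confirmed from the WAF logs rather than from the scanner output. The following is an added example, not code from the thread: it parses constructed AWS WAF log records and lists which blocks hit the scanner's report upload and which rule terminated them. It assumes the scanner posts the report to /api/ce/submit (the SonarQube web API endpoint; the thread only shows /api/ce/task).

```python
import json
from typing import Dict, List

# Endpoint the scanner POSTs the zipped analysis report to (assumption: SonarQube web API).
REPORT_UPLOAD_PATH = "/api/ce/submit"

# Constructed AWS WAF log records (newline-delimited JSON as delivered to S3/CloudWatch).
# Field names follow the AWS WAF log format; all values are made up for this example.
SAMPLE_WAF_LOG = "\n".join([
    json.dumps({"timestamp": 1556000000000, "action": "BLOCK",
                "terminatingRuleId": "XSSRule", "terminatingRuleType": "REGULAR",
                "httpRequest": {"clientIp": "10.0.0.5", "httpMethod": "POST",
                                "uri": "/api/ce/submit", "args": "projectKey=axs"}}),
    json.dumps({"timestamp": 1556000001000, "action": "ALLOW",
                "terminatingRuleId": "Default_Action", "terminatingRuleType": "DEFAULT",
                "httpRequest": {"clientIp": "10.0.0.5", "httpMethod": "GET",
                                "uri": "/api/ce/task", "args": "id=PLACEHOLDER_TASK_ID"}}),
    json.dumps({"timestamp": 1556000002000, "action": "BLOCK",
                "terminatingRuleId": "SQLiRule", "terminatingRuleType": "REGULAR",
                "httpRequest": {"clientIp": "203.0.113.9", "httpMethod": "GET",
                                "uri": "/login", "args": "q=1"}}),
])


def parse_waf_log(text: str) -> List[Dict]:
    """Parse newline-delimited WAF JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def blocked_report_uploads(records: List[Dict]) -> List[Dict]:
    """Return WAF BLOCK records for POSTs to the report upload endpoint.

    A block here is returned to the scanner as HTTP 403 before the request
    reaches SonarQube, so SonarQube's own permission checks are not the cause.
    """
    hits = []
    for rec in records:
        req = rec.get("httpRequest", {})
        if (rec.get("action") == "BLOCK" and req.get("httpMethod") == "POST"
                and req.get("uri", "").startswith(REPORT_UPLOAD_PATH)):
            hits.append({"timestamp": rec.get("timestamp"),
                         "clientIp": req.get("clientIp"),
                         "rule": rec.get("terminatingRuleId"),
                         "args": req.get("args")})
    return hits


def rules_blocking_uploads(records: List[Dict]) -> Dict[str, int]:
    """Count blocked uploads per terminating rule: the rule that needs a scoped exception."""
    counts: Dict[str, int] = {}
    for hit in blocked_report_uploads(records):
        counts[hit["rule"]] = counts.get(hit["rule"], 0) + 1
    return counts
```

Correlating the timestamps of these hits with failed scans separates WAF false positives from genuine SonarQube permission problems, and the per-rule count shows which rule to scope rather than disabling XSS inspection outright.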

