I have a pipeline in Azure DevOps which is triggered by PR requests. There are three SonarCloud tasks in this pipeline - Prepare analysis on SonarCloud, (my project build step is here), Run Code Analysis and then Publish Quality Gate Result.

When this pipeline is triggered by a PR, it's all fine until it gets to the Run Code Analysis task, which then fails with the below error messages:

INFO: ------------------------------------------------------------------------
INFO: EXECUTION FAILURE
INFO: ------------------------------------------------------------------------
INFO: Total time: 9.173s
INFO: Final Memory: 7M/48M
INFO: ------------------------------------------------------------------------
##[error]ERROR: Error during SonarScanner execution
ERROR: Error during SonarScanner execution
##[error]ERROR: Not authorized. Please check the properties sonar.login and sonar.password.
ERROR:
ERROR: Not authorized. Please check the properties sonar.login and sonar.password.
ERROR: 
##[error]The SonarScanner did not complete successfully
The SonarScanner did not complete successfully
##[error]18:32:43.506  Post-processing failed. Exit code: 1
18:32:43.506  Post-processing failed. Exit code: 1

Here's the thing: whenever this same pipeline is triggered NOT by a PR, either manually or automatically by a daily schedule, it runs and passes with no issues, on any branch. If I trigger the pipeline for the branch being pulled in (not via the PR), it runs and passes fine.

Why is authorization failing only when it's triggered by a PR?! Why isn't it using the same PAT token from SonarCloud that the SAME pipelines use when triggered manually??

ataraxia
  • Have you checked the branch policies? Have you checked the service connections? Those are the two places I'd look at first. – Bruno May 12 '21 at 18:44
  • What is there to look for in branch policies? And yes I checked the service connections and re-issued a new PAT from SonarCloud, still no difference. – ataraxia May 12 '21 at 20:02
  • The only two options that would prevent you from being able to use this service connection would be the option "Grant access permission to all pipelines" in the service connection. Also if your credentials are linked in a variable group, check whether "Allow access to all pipelines" is enabled, those are the two points I'd also check. I hope it helps. If you can share the important tasks it also helps to narrow down the issue. – Bruno May 12 '21 at 20:23

2 Answers

Why is authorization failing only when it's triggered by a PR?! Why isn't it using the same PAT token from SonarCloud that the SAME pipelines use when triggered manually??

According to the description, it seems the PAT does not have enough permissions.

You could try to update the PAT with Full access to test:

Update the PAT in your SonarCloud.

You could check this document for some more details.

Leo Liu
  • The PAT should not need full access and this is an unnecessary security vulnerability. The issue was that the PAT was not stored in the correct place on SonarCloud, now provided in an answer. – ataraxia Jun 10 '21 at 11:26

I've now found the answer, the issue was the PAT issued by Azure DevOps wasn't set in the correct place on SonarCloud. I was putting it in [SonarCloud Project] -> Administration -> General Settings -> Pull Requests -> Personal access token, when in fact it should be stored in [SonarCloud Organisation] -> Administration -> Organisation settings -> Azure DevOps connectivity management -> Personal Access Token, as shown below:

[Image: SonarCloud Dashboard]

ataraxia