Sonar analysis fails with 403 when SonarQube plugin is installed

[smb307]

Setup:
Jenkins 2.7.4, SonarQube plugin 2.5
Maven 3.3.9, sonar-maven-plugin 3.3.0.603.
SonarQube 5.6.6 LTS

Error description:
Sonar analysis in Maven jobs on Jenkins fail as soon as we installed the build breaker plugin on SonarQube (see error message below). Sonar security is configured that users need to authenticate and maven goal in jenkins is configured with the appropriate security token:
$SONAR_MAVEN_GOAL $SONAR_EXTRA_PROPS -Dsonar.host.url=$SONAR_HOST_URL -Dsonar.login=$SONAR_AUTH_TOKEN -Dsonar.branch=${branch}
It seems that access to the SonarQube API fails. When we remove the build breaker plugin, analysis completes wihout error.

Error message:
[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.3.0.603:sonar (default-cli) on project liferay-util: Error 403 on http://jenkins.internal.com:9090/api/qualitygates/project_status?analysisId=14672893 -> [Help 1]

[olhtbr]

I see the same on Sonar 6.4 with the following setup:
Jenkins 2.60.1, SonarQube plugin 2.6.1
Maven 3.3.9, sonar-maven-plugin 3.3.0.603
SonarQube 6.4 (build 25310)

The auth token is configured in the global Jenkins settings.

[smb307]

We solved this as a permission issue. The user with the auth token needs "browse" project permission.

[olhtbr]

Great, it's working, thanks! 👍

[smb307]

I suggest to add this to the documentation of the plugin.

[dokaspar]

In our case, there is no specific user that executes the sonar analysis, we have never set sonar.login so far. But now, after upgrading from SonarQube 5.6.6 to 6.7.1, suddenly all projects are set to private and since anonymous users (e.g., the Anyone group) don't have the permission to read api/qualitygates/project_status, we get same failure.

I guess there is no other way than switching to a specific tech user with generated token.... or making all projects public again.

[geirengebakken]

We are experiencing the same issue with no specific user running sonar analysis, and getting 403 error, even if the project is set to public, and anyone has ExecuteAnalysis privileges. Also we are running sonar in many different ways throughout our projects, so it will be a big probem I guess to use a tech user as you propose. Anyone seeing a way around this?

[sandro-h]

Hey @drhelmer, late answer (we've since taken over maintainership of the plugin): is this still an active problem for you?

[geirengebakken]

We solved this by adding a technical user to run the analysis, so its ok for us now.

[sandro-h]

@drhelmer, thanks for the feedback. I'll leave this issue open to see about documenting the case as mentioned. If the plugin needs more permissions than the sonar analysis (i.e. Browse in addition to ExecuteAnalysis) that should be noted. I'll need to verify the exact settings first though.

[sandro-h]

After testing the behavior for private Sonar projects myself, I added some documentation: https://github.com/adnovum/sonar-build-breaker#authentication. End result: the user doing the authentication does indeed need at least the Browse permission.

[aaraodeo]

I am testing with sonar-build-breaker:2.2 on sonarqube 6.7.3 community edition.
I am getting 403 while checking for quality gate, its able to get analysis id though.
I am using api token instead of username and password.
The same token is working fine with curl command but with plugin it throws 403 error.

The curl command works does that mean user for which the token in generated as required "Browse" permission or this is extra permission required by plugin and not by direct curl call?