mc1arke / sonarqube-community-branch-plugin

A plugin that allows branch analysis and pull request decoration in the Community version of Sonarqube
GNU Lesser General Public License v3.0

MR decoration not working for Gitlab - log says: The request requires higher privileges than provided by the access token. #907

Closed ManfredSchenkIOSB closed 5 months ago

ManfredSchenkIOSB commented 5 months ago

Describe the bug MR decoration with gitlab is not working.

To Reproduce Steps to reproduce the behavior:

Follow the documentation on how to set up MergeRequest decoration with Gitlab SelfManaged.

Especially the part where it is mentioned that the Access token only needs scope "read_api"

Expected behavior A clear and concise description of what you expected to happen.

Screenshots If applicable, add screenshots to help explain your problem.

Software Versions

Additional context

Part of the logs mentioning that the scope of the access token is not sufficient to decorate the MR:

2024.05.03 14:54:15 INFO  ce[XXXXXXXXXXXXXX][c.g.m.s.p.c.p.PullRequestPostAnalysisTask] Using pull request decorator com.github.mc1arke.sonarqube.plugin.ce.pullrequest.gitlab.GitlabMergeRequestDecorator
2024.05.03 14:54:16 ERROR ce[XXXXXXXXXXXXXX][c.g.m.s.p.a.g.GitlabRestClient] Gitlab response status did not match expected value. Expected: 201\nHttpResponseProxy{HTTP/1.1 403 Forbidden [Server: nginx, Date: Fri, 03 May 2024 12:54:16 GMT, Content-Type: application/json, Content-Length: 149, Connection: keep-alive, Cache-Control: no-cache, Vary: Origin, X-Gitlab-Meta: {"correlation_id":"XXXXXXXXXXXXXX","version":"1"}, X-Request-Id: XXXXXXXXXXXXXX, X-Runtime: 0.027855, Strict-Transport-Security: max-age=31536000; includeSubDomains, Strict-Transport-Security: max-age=31536000] ResponseEntityProxy{[Content-Type: application/json,Content-Length: 149,Chunked: false]}}\n{"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope":"api read_api"}
2024.05.03 14:54:16 ERROR ce[XXXXXXXXXXXXXX][o.s.c.t.p.a.p.PostProjectAnalysisTasksExecutor] Execution of task class com.github.mc1arke.sonarqube.plugin.ce.pullrequest.PullRequestPostAnalysisTask failed
java.lang.IllegalStateException: An unexpected response code was returned from the Gitlab API - Expected: 201, Got: 403
    at com.github.mc1arke.sonarqube.plugin.almclient.gitlab.GitlabRestClient.validateResponse(GitlabRestClient.java:232)
    at com.github.mc1arke.sonarqube.plugin.almclient.gitlab.GitlabRestClient.lambda$addMergeRequestDiscussion$0(GitlabRestClient.java:117)
    at com.github.mc1arke.sonarqube.plugin.almclient.gitlab.GitlabRestClient.entity(GitlabRestClient.java:177)
    at com.github.mc1arke.sonarqube.plugin.almclient.gitlab.GitlabRestClient.addMergeRequestDiscussion(GitlabRestClient.java:117)
    at com.github.mc1arke.sonarqube.plugin.ce.pullrequest.gitlab.GitlabMergeRequestDecorator.submitCommitNoteForIssue(GitlabMergeRequestDecorator.java:144)
    at com.github.mc1arke.sonarqube.plugin.ce.pullrequest.gitlab.GitlabMergeRequestDecorator.submitCommitNoteForIssue(GitlabMergeRequestDecorator.java:50)
    at com.github.mc1arke.sonarqube.plugin.ce.pullrequest.DiscussionAwarePullRequestDecorator.lambda$decorateQualityGateStatus$2(DiscussionAwarePullRequestDecorator.java:97)
    at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
    at com.github.mc1arke.sonarqube.plugin.ce.pullrequest.DiscussionAwarePullRequestDecorator.decorateQualityGateStatus(DiscussionAwarePullRequestDecorator.java:97)
    at com.github.mc1arke.sonarqube.plugin.ce.pullrequest.PullRequestPostAnalysisTask.finished(PullRequestPostAnalysisTask.java:139)
    at org.sonar.ce.task.projectanalysis.api.posttask.PostProjectAnalysisTasksExecutor.executeTask(PostProjectAnalysisTasksExecutor.java:101)
    at org.sonar.ce.task.projectanalysis.api.posttask.PostProjectAnalysisTasksExecutor.finished(PostProjectAnalysisTasksExecutor.java:92)
    at org.sonar.ce.task.step.ComputationStepExecutor.executeListener(ComputationStepExecutor.java:89)
    at org.sonar.ce.task.step.ComputationStepExecutor.execute(ComputationStepExecutor.java:61)
    at org.sonar.ce.task.projectanalysis.taskprocessor.ReportTaskProcessor.process(ReportTaskProcessor.java:75)
    at org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.executeTask(CeWorkerImpl.java:212)
    at org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.run(CeWorkerImpl.java:194)
    at org.sonar.ce.taskprocessor.CeWorkerImpl.findAndProcessTask(CeWorkerImpl.java:160)
    at org.sonar.ce.taskprocessor.CeWorkerImpl$TrackRunningState.get(CeWorkerImpl.java:135)
    at org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:87)
    at org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:53)
    at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:131)
    at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:76)
    at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:82)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.base/java.lang.Thread.run(Thread.java:840)
2024.05.03 14:54:16 INFO  ce[XXXXXXXXXXXXXX][o.s.c.t.p.a.p.PostProjectAnalysisTasksExecutor] Pull Request Decoration | status=FAILED | time=1698ms

xC0dex commented 5 months ago

Hi @ManfredSchenkIOSB, which documentation are you referring to? For MR decoration, you need a token with API write access. For importing projects into SonarQube, a read_api token is enough. So there are basically 2 tokens in the end. One for the MR decoration and one for importing projects.

As a side note: I doubt that the bug label fits in this case, as this is not a plugin bug.
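Added example, not part of the original thread or the plugin's code: a small log triage helper that recognises the `insufficient_scope` failure from the log above and checks it against the scopes the configured token was created with. The sample line is constructed from the issue's log with the response headers trimmed; the function names and verdict strings are hypothetical.

```python
import json
import re

# Constructed sample: the ERROR line from the issue, response headers trimmed.
SAMPLE_LOG = (
    '2024.05.03 14:54:16 ERROR ce[XXXXXXXXXXXXXX][c.g.m.s.p.a.g.GitlabRestClient] '
    'Gitlab response status did not match expected value. Expected: 201\\n'
    'HttpResponseProxy{HTTP/1.1 403 Forbidden [Server: nginx]}\\n'
    '{"error":"insufficient_scope","error_description":"The request requires '
    'higher privileges than provided by the access token.","scope":"api read_api"}'
)

EXPECTED_RE = re.compile(r"Expected: (\d{3})")
STATUS_RE = re.compile(r"HTTP/\d(?:\.\d)? (\d{3})")
BODY_RE = re.compile(r'\{"error":.*\}\s*$')


def parse_gitlab_failure(line):
    """Return expected/actual status and error details, or None if the line does not match."""
    expected = EXPECTED_RE.search(line)
    status = STATUS_RE.search(line)
    body = BODY_RE.search(line)
    if not (expected and status and body):
        return None
    try:
        error = json.loads(body.group(0))
    except json.JSONDecodeError:
        return None
    return {
        "expected": int(expected.group(1)),
        "status": int(status.group(1)),
        "error": error.get("error"),
        "scopes_in_error": error.get("scope", "").split(),
    }


def diagnose(line, granted_scopes):
    """Classify the failure, given the scopes the configured token was created with."""
    info = parse_gitlab_failure(line)
    if info is None or info["status"] != 403 or info["error"] != "insufficient_scope":
        return "not-a-scope-error"
    # Expected 201 (Created) means the plugin tried to create an MR discussion,
    # so a read-only scope cannot satisfy it even though the body lists read_api.
    is_write = info["expected"] == 201
    if is_write and "api" not in granted_scopes:
        return "needs-api-scope"
    return "scope-error-other"
```

Note that the error body lists both `api` and `read_api`, so the `scope` field alone does not tell you which one the failed request needed; the expected status code does.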

ManfredSchenkIOSB commented 5 months ago

@xC0dex I agree with you that the bug label doesn't fit here, but the input form only offered the Labels bug or Report Security vulnerability. So I chose bug since security vulnerability would have been a worse choice. I would have chosen the label unclear documentation if it had been offered to me.

In the original documentation of the Sonarqube server, only the read_api token is mentioned. Meanwhile, I found some statements where the requirement of the api scope is explained. But I think the documentation could be more clear in this case.

xC0dex commented 5 months ago

> But I think the documentation could be more clear in this case.

I see your point, the official documentation can be misleading. However, the documentation is not part of this project. Maybe it's an idea to improve the docs in their project.

ManfredSchenkIOSB commented 5 months ago

Closing the issue. Perhaps this issue helps others who are faced with the same error message in the future.