Authenticate sonarScanner via basic auth

南旧 2020-12-21 14:59

I'm frustrated with this problem. Our SonarQube server is behind HTTP basic authentication and the local runner fails with a 401 error. Is it somehow possible to provide credent

2 Answers
  • 2020-12-21 15:27

    The permission "Execute Analysis" is required to execute an analysis. In order to set credentials for the scanner, you need to use sonar.login and sonar.password. For more information, please have a look at:

    • Authorization : https://docs.sonarqube.org/display/SONAR/Authorization
    • Scanner parameters : https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner
    0 Discussion (0)
  • 2020-12-21 15:43

    I know the question is rather old, but I just spent a day to figure the following out:

    TLDR: The sonar-runner, even if configured with credentials, does not use these to make its first call to the server. The endpoint is /batch/index. You have to allow public access to that endpoint. For all other URLs basic auth is fine.

    Some more details: I use Apache 2.4 as reverse proxy with basic authentication for Sonar 7.9.2, which lives in docker containers under the path /sonar. Part of my Apache 2.4 config for auth

      <Location /sonar/batch/index>
        SetEnvIf User-Agent "^ScannerMaven" scanner_maven
        SetEnvIf User-Agent "^ScannerCli" scanner_maven
      </Location>
      <Location /sonar>
        <RequireAny>
          Require group sonar
          <RequireAll>
            Require expr %{REQUEST_URI} =~ m#^.*\/sonar\/batch\/index#
            Require env scanner_maven
          </RequireAll>
        </RequireAny>
        SetEnv proxy-chain-auth On
      </Location>
    

    As you can see, the path /sonar/batch/index does not use authentication. As a not very good, but better than nothing restriction, I set an env variable if someone with the User-Agent ScannerMaven or ScannerCli (that's the sonar-scanner) is making the request. Be aware that the User-Agent can be easily faked or may change depending on the scanner. For all other URLs a user being in the group sonar must be authenticated. (The users for Apache and Sonar are the same, the proxy forwards the credentials with proxy-chain-auth to Sonar).

    This setup is tested with maven: mvn sonar:sonar

    Using

        <profiles>
          <profile>
            <id>sonar</id>
            <activation>
                <activeByDefault>true</activeByDefault>
            </activation>
            <properties>
              <sonar.host.url>https://myhost/sonar/</sonar.host.url>
              <sonar.login>${env.SONARUSER}</sonar.login>
              <sonar.password>${env.SONARPWD}</sonar.password>
            </properties>
          </profile>
        </profiles>
    
        [...]
    
        <plugin>
            <groupId>org.sonarsource.scanner.maven</groupId>
            <artifactId>sonar-maven-plugin</artifactId>
            <version>3.7.0.1746</version>
        </plugin>
    
    0 Discussion (0)
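
The access decisions the Apache configuration in the answer above produces, as an added Python sketch (not part of the original answer, and a simplified model rather than Apache's own logic). It models `<Location>` matching, the two `SetEnvIf` rules and the `<RequireAny>` block, then runs them over constructed sample requests; the function names and the sample User-Agent strings are assumptions.

```python
import re

# Patterns copied from the answer's Apache config.
SCANNER_UA = re.compile(r"^Scanner(Maven|Cli)")    # the two SetEnvIf User-Agent rules
EXEMPT_URI = re.compile(r"^.*/sonar/batch/index")  # the Require expr regex


def in_location(uri, prefix):
    """Simplified <Location> match: the prefix itself or anything below it."""
    return uri == prefix or uri.startswith(prefix.rstrip("/") + "/")


def allowed(uri, user_agent="", in_sonar_group=False):
    """Model of the <RequireAny> block for a request under /sonar.

    in_sonar_group: the client sent valid basic-auth credentials for a user
    in the group 'sonar' (assumption: authentication itself is not modelled).
    """
    if not in_location(uri, "/sonar"):
        raise ValueError("outside the modelled <Location /sonar>")
    # SetEnvIf lives inside <Location /sonar/batch/index>, so the env
    # variable can only be set for requests that fall in that location.
    scanner_env = (in_location(uri, "/sonar/batch/index")
                   and SCANNER_UA.search(user_agent) is not None)
    require_all = EXEMPT_URI.search(uri) is not None and scanner_env
    return in_sonar_group or require_all


# Constructed sample requests: (uri, user-agent, authenticated group member?)
SAMPLES = [
    ("/sonar/batch/index", "ScannerMaven/3.7.0.1746", False),
    ("/sonar/batch/index", "ScannerCli/4.2", False),
    ("/sonar/batch/index", "Mozilla/5.0", False),
    ("/sonar/api/issues/search", "ScannerMaven/3.7.0.1746", False),
    ("/sonar/api/issues/search", "ScannerMaven/3.7.0.1746", True),
    ("/sonar/x/sonar/batch/index", "ScannerCli/4.2", False),
]


def audit(samples=SAMPLES):
    """Return the decision for each sample request."""
    return [(uri, ua, auth, allowed(uri, ua, auth)) for uri, ua, auth in samples]


if __name__ == "__main__":
    for uri, ua, auth, ok in audit():
        print(f"{'ALLOW' if ok else 'DENY ':5}  auth={auth!s:5}  {ua:24}  {uri}")
```

The last sample is denied even though the `Require expr` regex matches it, because the `SetEnvIf` rules are scoped to `<Location /sonar/batch/index>`; the unauthenticated surface is the intersection of that location and the User-Agent prefix.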