waitForQualityGate not working after upgrade to Jenkins 2.63

3,382 views
Skip to first unread message

arvid...@jayway.com

unread,
Jun 2, 2017, 5:15:39 AM6/2/17
to SonarQube
Hi,

I am using Sonarqube 6.2 and my pipeline scripts with waitForQualityGate worked fine with Jenkins 2.61 in a master/3 slaves setup.
After upgrading to Jenkins 6.23 with SonarQube Scanner for Jenkins 2.6.1 the waitForQualityGate step always times out no matter what timeout I set.

Sonar Background Task duration is 2 seconds!!
Sonar global webhook configuration is https://myjenkins.com/sonarqube_webhook/

I could not find any errors in Sonar or Jenkins logs.

Anyone else experiencing the same behaviour after upgrade to Jenkins 2.63?
Any hints how to fix this?

brg
Arvid

Build log:

[Pipeline] stage
[Pipeline] { (Quality Gate)
[Pipeline] timeout
Timeout set to expire in 10 min 0 sec
[Pipeline] {
[Pipeline] waitForQualityGate
Checking status of SonarQube task 'AVxn-DTbLNyygsVzbpNs' on server 'Sonar'
SonarQube task 'AVxn-DTbLNyygsVzbpNs' status is 'IN_PROGRESS'
Cancelling nested steps due to timeout
[Pipeline] }
[Pipeline] // timeout
[Pipeline] }
[Pipeline] // stage
[Pipeline] End of Pipeline
Timeout has been exceeded
Finished: ABORTED

arvid...@jayway.com

unread,
Jun 3, 2017, 5:45:17 AM6/3/17
to SonarQube, arvid...@jayway.com
Hi again,

Further investigation reveals that the web-hook call is refused with http 403.

The results from <sonar-instance>/api/webhook/deliveries&ceTaskId= taskId

{"deliveries":[{"id":"id","componentKey":"projectKey","ceTaskId":"taskId","name":"myinstancename","url":"https://myjenkinsinstance/sonarqube_webhook/","at":"2017-06-03T10:41:45+0200","success":false,"httpStatus":403,"durationMs":58}]} 

I have not found any possibility to provide credentials to the webhook call - in any case not any that would work.

I guess the webhook implementation in Jenkins has changed to require authorization?

My workaround so far: 
I am adding a sleep 1 MINUTES between Sonar Analysis and waitForQualityGate.
In my case that avoids the webhook entirely since the analysis is done before the first call for the analysis result.

Brg
Arvid

Julien HENRY

unread,
Jun 6, 2017, 9:57:23 AM6/6/17
to SonarQube, arvid...@jayway.com
Hi,

I have just executed our integration tests on Jenkins 2.64 and everything look fine. I also had a look at Jenkins changelog but I've not seen any evidence of a behavior change. Do you confirm you don't have any proxy between the SonarQube server and the Jenkins server?

What if you try to open https://myjenkinsinstance/sonarqube_webhook/ in a web browser? You should receive an error because a POST is required, but not a 403.

++

Julien

Arvid Huss

unread,
Jun 6, 2017, 11:56:13 AM6/6/17
to Julien HENRY, SonarQube
Hi Julien,

I do have a Nginx proxy between Jenkins and Sonarqube, but I had that all the time and it was working before the upgrade to Jenkins 2.63.
When I try to open https://myjenkinsinstance/sonarqube_webhook/ in the web browser I end up att the login screen for Jenkins and after i log in I get an http 404.

Brg
Arvid

Julien HENRY

unread,
Jun 6, 2017, 12:00:59 PM6/6/17
to Arvid Huss, SonarQube
Would you mind reporting the issue on Jenkins dev mailing list? Our code extends UnprotectedRootAction so it is expected to not require authentication. Maybe they would be able to spot the reason for this change of behavior.

Julien Henry | SonarSource

Developer

http://sonarsource.com

Arvid Huss

unread,
Jun 6, 2017, 12:18:10 PM6/6/17
to Julien HENRY, SonarQube
Hi again,

I just upgraded to Jenkins 2.64 and QualityGate seems to work again as before.
Problem solved :) 

Thanks for investigating!
Arvid

Arvid Huss

unread,
Jun 6, 2017, 12:50:31 PM6/6/17
to Julien HENRY, SonarQube
Hi again,

I was just too exited. The successful run did not call the webhook since the analysis already had status SUCCESS.
The problem remains, despite the UnprotectedRootAction Jenkins requires authorization.

Moving to jenkins-dev list.
Thanks 
Arvid

curl -d "testing" https://myjenkinsinstance/sonarqube_webhook/

<html><head><meta http-equiv='refresh' content='1;url=/login?from=%2Fsonarqube_webhook%2F'/><script>window.location.replace('/login?from=%2Fsonarqube_webhook%2F');</script></head><body style='background-color:white; color:white;'>

Authentication required

<!--

You are authenticated as: anonymous

Groups that you are in:  

Permission you need to have (but didn't): hudson.model.Hudson.Read

 ... which is implied by: hudson.security.Permission.GenericRead

 ... which is implied by: hudson.model.Hudson.Administer

-->

</body></html>                                             

Arvid Huss

unread,
Jun 6, 2017, 11:57:49 PM6/6/17
to Julien HENRY, SonarQube
Hi Julien,

Are your integration tests run with a Jenkins instance that does not allow anonymous read access by default?
That would explain why it works for you but not for me.

I raised the same question on jenkins-dev mailing list but they want som more evaluation from sonarqube end which I can't provide.

brg
Arvid

Julien HENRY

unread,
Jun 7, 2017, 10:09:26 AM6/7/17
to SonarQube, julien...@sonarsource.com, arvid...@jayway.com
I just spotted the error. You made a spelling mistake in the URL:
(replace underscore by a dash)

++

Julien

Arvid Huss

unread,
Jun 7, 2017, 11:45:33 AM6/7/17
to Julien HENRY, SonarQube
Omg! Has that been changed recently? I have not changed that configuration in ages but it still worked before my upgrade. Very odd indeed.

Arvid

Julien HENRY

unread,
Jun 7, 2017, 11:49:50 AM6/7/17
to Arvid Huss, SonarQube

2017-06-07 17:45 GMT+02:00 Arvid Huss <arvid...@jayway.com>:
Has that been changed recently?

I don't remember any change in this area.

Would you mind updating the thread on jenkins-dev?

++

Arvid Huss

unread,
Jun 7, 2017, 12:50:42 PM6/7/17
to Julien HENRY, SonarQube
Done. Thanks for helping me out.
Brg
Arvid

psain...@gmail.com

unread,
Feb 14, 2018, 8:33:10 AM2/14/18
to SonarQube
Hello Everyone,

So my problem is- I am using Jenkins v 2.69 with Pipeline plugin v2.5. My Sonarqube version is - 6.6.

I am using sonar analysis with gradle.

Code Snippet - 

     stage('Static Analysis') {
                withEnv(["PATH+GRADLE=${tool 'gradle-4-2-1'}/bin",
                         "PATH+JDK=${tool 'jdk-8u121'}/bin",
                         "JAVA_HOME=${tool 'jdk-8u121'}"]) {
                    timeout(time: 15, unit: 'MINUTES') {
                        withSonarQubeEnv('mobile-sbx-sonar') {
                            sh "gradle --info -Dsonar.analysis.mode=publish -Dsonar.login=test -Dsonar.password=myPassword -PsonarBranch=${SONAR_BRANCH} sonarqube"
                    }
                }
            }
        }
        
        stage("Quality Gate"){
          timeout(time: 1, unit: 'HOURS') { // Just in case something goes wrong, pipeline will be killed after a timeout
            def qg = waitForQualityGate() // Reuse taskId previously collected by withSonarQubeEnv
            if (qg.status != 'OK') {
              error "Pipeline aborted due to quality gate failure: ${qg.status}"
            }
          }
        }

So if i allow anonymous access in Sonarqube to execute analysis, everything works fine.

But if i turns that off, then my "Quality Gate" stage fails. 

org.sonarqube.ws.client.HttpException: Error 403 on https://mySomarQubeURL/api/ce/task?id=AWGUbGCkPui42V1PimXU

Basically, I am looking for a way to pass the credentials to waitForQualityGate().

(I don't want to specify the user details in Sonar plugin configuration in Jenkins as we manage that via ansible and then it will be in plain text?)

Regards,
Pankaj Saini

G. Ann Campbell

unread,
Feb 14, 2018, 9:06:22 AM2/14/18
to SonarQube
Hi Pankaj,

This thread is more than six months old, and closed. Please open a new thread and reference this one if you feel the need.


Thx,
Ann
Reply all
Reply to author
Forward
0 new messages