sonar build stability plugin gives 403 forbidden e

My configuration is SonarQube 3.1.1, Build Stability plugin 1.2, Jenkins 1.467

I have configured the settings for the build stability plugin at the project level as mentioned at http://docs.codehaus.org/display/SONAR/Build+Stability+Plugin

Console output for this analysis has the following error for this plugin :

> [INFO] [05:17:18.108] CI URL: Jenkins:http://<host>/job/<job-name>/
> 
> [ERROR] [05:17:18.702] Received 403 when trying to access
> http://<host>/job/<job-name>//lastBuild/api/xml/
> org.sonar.api.utils.SonarException: Received 403 when trying to access
> http://<host>/job/<job-name>//lastBuild/api/xml/  at
> org.sonar.plugins.buildstability.ci.CiConnector.execute(CiConnector.java:132)
> ~[na:na]  at
> org.sonar.plugins.buildstability.ci.CiConnector.executeGet(CiConnector.java:120)
> ~[na:na]  at
> org.sonar.plugins.buildstability.ci.CiConnector.getLastBuild(CiConnector.java:68)
> ~[na:na]  at
> org.sonar.plugins.buildstability.ci.CiConnector.getBuildsSince(CiConnector.java:106)
> ~[na:na]  at
> org.sonar.plugins.buildstability.BuildStabilitySensor.analyse(BuildStabilitySensor.java:105)
> ~[na:na]  at
> org.sonar.batch.phases.SensorsExecutor.execute(SensorsExecutor.java:64)
> [sonar-batch-3.1.1.jar:na]    at
> org.sonar.batch.phases.Phases.execute(Phases.java:93)
> [sonar-batch-3.1.1.jar:na]    at
> org.sonar.batch.bootstrap.ProjectModule.doStart(ProjectModule.java:139)
> [sonar-batch-3.1.1.jar:na]    at
> org.sonar.batch.bootstrap.Module.start(Module.java:83)
> [sonar-batch-3.1.1.jar:na]    at
> org.sonar.batch.bootstrap.BatchModule.analyze(BatchModule.java:115)
> [sonar-batch-3.1.1.jar:na]    at
> org.sonar.batch.bootstrap.BatchModule.doStart(BatchModule.java:105)
> [sonar-batch-3.1.1.jar:na]    at
> org.sonar.batch.bootstrap.Module.start(Module.java:83)
> [sonar-batch-3.1.1.jar:na]    at
> org.sonar.batch.bootstrap.BootstrapModule.doStart(BootstrapModule.java:111)
> [sonar-batch-3.1.1.jar:na]    at
> org.sonar.batch.bootstrap.Module.start(Module.java:83)
> [sonar-batch-3.1.1.jar:na]    at
> org.sonar.batch.bootstrapper.Batch.startBatch(Batch.java:73)
> [sonar-batch-3.1.1.jar:na]    at
> org.sonar.batch.bootstrapper.Batch.execute(Batch.java:60)
> [sonar-batch-3.1.1.jar:na]    at
> org.sonar.maven3.SonarMojo.execute(SonarMojo.java:142)
> [sonar-maven3-plugin-3.1.1.jar:na]    at
> org.codehaus.mojo.sonar.Bootstraper.executeMojo(Bootstraper.java:104)
> [sonar-maven-plugin-2.2.jar:na]   at
> org.codehaus.mojo.sonar.Bootstraper.start(Bootstraper.java:67)
> [sonar-maven-plugin-2.2.jar:na]   at
> org.codehaus.mojo.sonar.SonarMojo.execute(SonarMojo.java:109)
> [sonar-maven-plugin-2.2.jar:na]   at
> org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:101)
> [maven-core-3.0.4.jar:3.0.4]  at
> org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:209)
> [maven-core-3.0.4.jar:3.0.4]  at
> org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
> [maven-core-3.0.4.jar:3.0.4]  at
> org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
> [maven-core-3.0.4.jar:3.0.4]  at
> org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:84)
> [maven-core-3.0.4.jar:3.0.4]  at
> org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:59)
> [maven-core-3.0.4.jar:3.0.4]  at
> org.apache.maven.lifecycle.internal.LifecycleStarter.singleThreadedBuild(LifecycleStarter.java:183)
> [maven-core-3.0.4.jar:3.0.4]  at
> org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:161)
> [maven-core-3.0.4.jar:3.0.4]  at
> org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:320)
> [maven-core-3.0.4.jar:3.0.4]  at
> org.apache.maven.DefaultMaven.execute(DefaultMaven.java:156)
> [maven-core-3.0.4.jar:3.0.4]  at
> org.apache.maven.cli.MavenCli.execute(MavenCli.java:537)
> [maven-embedder-3.0.4.jar:3.0.4]  at
> org.apache.maven.cli.MavenCli.doMain(MavenCli.java:196)
> [maven-embedder-3.0.4.jar:3.0.4]  at
> org.apache.maven.cli.MavenCli.main(MavenCli.java:141)
> [maven-embedder-3.0.4.jar:3.0.4]  at
> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> ~[na:1.6.0_33]    at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> ~[na:1.6.0_33]    at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> ~[na:1.6.0_33]    at java.lang.reflect.Method.invoke(Method.java:597)
> ~[na:1.6.0_33]    at
> org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:290)
> [plexus-classworlds-2.4.jar:na]   at
> org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:230)
> [plexus-classworlds-2.4.jar:na]   at
> org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:409)
> [plexus-classworlds-2.4.jar:na]   at
> org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:352)
> [plexus-classworlds-2.4.jar:na] [INFO] [05:17:18.704] Sensor
> org.sonar.plugins.buildstability.BuildStabilitySensor@1188d9a3 done:
> 597 ms

Link : http://<host>/job/<job-name>//lastBuild/api/xml/ is accessible through web browser and is a correct url.

I even provided -Dsonar.login=admin -Dsonar.password=admin in the sonar configuration of the build, but still the same error appears.

Any help is appreciated.

回答1:

Looks like the Sonar authentication fails depending on the security you use on your Jenkins server. I believe it's possible to set sonar.build-stability.use_jsecuritycheck=true if Jenkins security realm is delegated to the servlet container (tomcat server.xml).

In my own case, I had no choice but using the standard security (Jenkins database), and I had trouble when I configured SonarQube Build Stability, even when I was sure to use the right URL with matching credentials.

Then I tried another Build Stability configuration, removing user and password, and including the credentials in URL : Jenkins:http(s)://<user>:<pass>@<hostname>/job/<jobname> ...fail...

Finally I tried another url pattern, using the given api token (user configuration in jenkins) instead of password : Jenkins:http(s)://<user>:<api-token>@<hostname>/job/<jobname>

This last try was a success. I even removed my SonarQube user from the global security list in Jenkins and just gave it read/discover right at project level, and it still worked.

It doesn't fill my deep desire to fill the "username/password" in the Sonar config (I WANT to use these fields...) anyway it's more secured than granting anonymous access. But still, there is a security token in the URL so the security is not as good as I want.

Hope it helped.

Edit

1) With the Jenkins Role Strategy plugin, the user needs the overall read permission in addition to the project read permission.

2) When Jenkins delegates authentication to servlet container and you set sonar.build-stability.user_jsecuritycheck=true in Sonar, you will probably get an error with Build Stability v1.2. A wrong url is generated when it tries to authenticate on Jenkins (one / is missing in the url, generating something like http://<my_host>/jenkinsloginEntry instead of http://<my_host>/jenkins/loginEntry). Should be fixed in v1.3.

回答2:

I'm facing the same issue. If it can help, here a workaround: in Jenkins > Manage Jenkins > Configure Global Security, grant Anonymous user to read both Overall and Job.