Not authorized to execute any SonarQube analysis when building pull request from a forket repo on Travis CI

1
votes

I'm setting up a project with Travis CI and SonarQube.com, everything goes smoothly when a pull request comes out of a branch from the repository but it is failing when Travis runs a build off a pull request from a forked repository.

A build out of a PR from the repository: https://travis-ci.org/PistachoSoft/dummy-calculator/builds/162905730

A build out of a PR from a forked repository: https://travis-ci.org/PistachoSoft/dummy-calculator/builds/162892678

The repository: https://github.com/PistachoSoft/dummy-calculator

As it can be seen in the build log this is the error:

You're not authorized to execute any SonarQube analysis. Please contact your SonarQube administrator.

Things I've tried out but didn't work out:

  • Updating the sonar token.
  • Using an encrypted token granted by another person from the organization.
  • Granting 'sonar-users' and 'Anyone' the 'Execute Analysis' permission on the SonarQube project.

What can I do to fix this?

1
githubgradlesonarqubetravis-ci

1 Answers

2
votes

First, I raise your attention on one important point: you should not run a "standard" SonarQube analysis on PR - otherwise your project on SonarQube.com will be "polluted" by intermediate analyses that have nothing to do with each other. Standard analyses must be executed only on the main development branch - which is usually the "master" branch. Please read the runSonarQubeAnalysis.sh file of our sample projects to see how to achieve that.

Now, why your attempt does not work? Simply because the SONAR_TOKEN environment variable (that you've set as "secure" in your YML file) will not be decoded by Travis when the PR is coming "from the outside world" (i.e when it's not a PR of your own). This is a security constraint to prevent anybody to fork your repo, update the YML file with a echo $SONAR_TOKEN, submit a PR and genlty wait that Travis executes it to unveil the secured environment variable.

Analyzing "external" PR is something that we'll soon be working on so that this is easy, straightforward and yet secured for OSS projects to benefit from this feature.