Need access to support organization for spotbugs on sonarqube #1108

Open
hazendaz opened this issue Nov 29, 2024 · 6 comments

@hazendaz
Member

Are you admin over on sonar? I cannot seem to get myself to show up, so it seems it was created outside of using GitHub and each user must be individually added. Our account here was expired so I used mine, but that didn't help. So sonar is broken right now; it would be great if you have that access and can get me in there. I need the maven plugin to run there too and cannot since I cannot add it.

@gtoison
Contributor

gtoison commented Nov 29, 2024

What has changed exactly? I'm a bit lost because the sonarcloud analysis worked on the last commit I made and now there are so many changes.

@hazendaz
Member Author

The secure token is bad. It's mine but I don't have access to sonar for this organization. If a good one is put in it should work again. It was expired as they expire. Anyways, I tried mine, but whoever set up sonar for us did so in a non-GitHub way, so I cannot touch anything with sonar, including the maven plugin, which has had the same issue for just about ever.

As to updates: Renovate wasn't suggesting all of them due to other issues I fixed, so it's far more up to date now than it was. Renovate won't bother if the PR requests go unanswered. Same thing with one CVE issue from the lock file with dependabot, which I fixed as well.

Only two issues are... the token for some needs a valid one for this organization. And my other ticket is that sonar cannot get its final PRs approved because something thinks it should remain on the 9 and 10 versions it's on now.

I'd like to figure out who set up our sonar in general though. Guessing neither of us, but you can get there, so if you could generate a new token and add it so gha works again for now.

@gtoison
Contributor

gtoison commented Dec 2, 2024

The sonarcloud tokens do not expire from what I can see; the issue is that the token was removed from the mvn call.
I tried putting it back in #1110 (and also updating the token itself in the project secrets) but my sonarcloud account is not even a member of the spotbugs organization, so my token does not grant rights to run an analysis.

@hazendaz
Member Author

hazendaz commented Dec 3, 2024

OK, maybe we can open a ticket with sonar and get reboarded. The sonatype tokens were expiring. Sonar token was complaining about the token so I tried mine. I'm not sure it was expired and agree mine doesn't expire and don't see how it would. Maybe it was revoked. Will do some more research this weekend.

@gtoison
Contributor

gtoison commented Dec 3, 2024

Your account needs to have permission to "execute analysis" for your token to be accepted, or else it will show a generic security error. That error does not say what might be the problem (invalid token or invalid organisation key or invalid project key), probably for security reasons.
The permissions are configured here: https://sonarcloud.io/organizations/spotbugs/permissions but I do not have access to that page because I am not even part of the organization.

@hazendaz
Member Author

hazendaz commented Dec 5, 2024

@KengoTODA I sent you an email but asking here too: did you by chance set sonar up for spotbugs or know who did? I cannot seem to find any way for it to scan the org and it's basically unusable at the moment for us to triage any more as to why the job is failing. I assumed based on the error it must be credentials so I changed it, but that may not have been it, and after further looking, putting mine in there was a huge mistake. I'd say @gtoison outright owns this specific repo, so I think both of us need access there or to find who created it originally so we can get proper admin access. Worst case we would have to drop and recreate, I think, and I'm not seeing how to ask for help at sonar.
