We are getting org.sonarsource.scanner.api.internal.ScannerException on shared gitlab runners

Here is my sonar job:

sonarcloud-check:
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  image:
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [""]
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    - sonar-scanner -Dsonar.qualitygate.wait=true
  rules:
    - if: '$bypass_sonarcloud_check == "true"'
      when: always
      allow_failure: true
    - when: always
      allow_failure: false

Normally, it works all of sudden we are getting this error for all our projects:

ERROR: Error during SonarScanner execution
org.sonarsource.scanner.api.internal.ScannerException: Unable to execute SonarScanner analysis
	at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$createLauncher$0(IsolatedLauncherFactory.java:85)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
	at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(IsolatedLauncherFactory.java:74)
	at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(IsolatedLauncherFactory.java:70)
	at org.sonarsource.scanner.api.EmbeddedScanner.doStart(EmbeddedScanner.java:185)
	at org.sonarsource.scanner.api.EmbeddedScanner.start(EmbeddedScanner.java:123)
	at org.sonarsource.scanner.cli.Main.execute(Main.java:74)
	at org.sonarsource.scanner.cli.Main.main(Main.java:62)


Caused by: java.lang.IllegalStateException: 
	at org.sonarsource.scanner.api.internal.cache.FileCache.newTempFile(FileCache.java:138)
	at org.sonarsource.scanner.api.internal.cache.FileCache.get(FileCache.java:83)
	at org.sonarsource.scanner.api.internal.JarDownloader.lambda$getScannerEngineFiles$0(JarDownloader.java:60)
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
	at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625)
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
	at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
	at org.sonarsource.scanner.api.internal.JarDownloader.getScannerEngineFiles(JarDownloader.java:61)
	at org.sonarsource.scanner.api.internal.JarDownloader.download(JarDownloader.java:53)
	at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$createLauncher$0(IsolatedLauncherFactory.java:76)


Caused by: java.nio.file.AccessDeniedException: 
	at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
	at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:218)
	at java.base/java.nio.file.Files.newByteChannel(Files.java:380)
	at java.base/java.nio.file.Files.createFile(Files.java:658)
	at java.base/java.nio.file.TempFileHelper.create(TempFileHelper.java:136)
	at java.base/java.nio.file.TempFileHelper.createTempFile(TempFileHelper.java:159)
	at java.base/java.nio.file.Files.createTempFile(Files.java:878)
	at org.sonarsource.scanner.api.internal.cache.FileCache.newTempFile(FileCache.java:136)

Hi @seetharam :wave: Welcome to the GitLab community forum! :tada:

Since this error started occuring “all of a sudden”, I suspect there was some change to the sonarsource/sonar-scanner-cli:latest image, as the latest tag will always pull the newest version, which can break things or introduce backward-incompatible issues.

Looking at the error itself, it seems like the issue here is caused the result of an AccessDeniedException while attempting to create a temporary file during the SonarScanner execution. This might be due to insufficient permissions for the GitLab Runner to create files in the specified location.

Be default, it seems the sonarsource/sonar-scanner-cli:latest image runs as the scanner-cli user, while all files in ${CI_PROJECT_DIR} are owned by root. I also see that the sonarsource/sonar-scanner-cli:latest sets SONAR_USER_HOME to /opt/sonar-scanner/.sonar by default.

I suspect setting SONAR_USER_HOME to a custom folder owned by root is causing the issue you’re reporting.

Unless you need to change the SONAR_USER_HOME variable, I suggest leaving it unchanged. If you do need to change SONAR_USER_HOME to a custom location, you could try fiddling with permissions/ownership of the .sonar directory or use /tmp/.sonar instead of ${CI_PROJECT_DIR}, but first I’d suggest trying to get the job working without a custom SONAR_USER_HOME variable.