Failed to add comment

[rettichschnidi]

I did set up my build server permissions as requested (I think):

But my build in ADO fails like this:

##[warning]Failed to add status to PR: Request failed with status code 403
##[error]Failed to add comment:
##[warning]Failed to add status to PR: Request failed with status code 403

and this:

##[warning]Failed to add status to PR: Request failed with status code 403
##[error]Failed to add comment:

Maybe this is because I have not been able to enable "Allow scripts to access OAuth token" as described in the manual:

According to my ADO admin, this screenshot shows an (outdated) variant that works only for the graphical editing of Pipelines. However, I am using YAML.

Any chance this documentation needs some update?

Maybe also relevant (in my YAML):

variables:
  - group: SCANOSS

<snip>

  - job: foss_compliance
    displayName: FOSS compliance
    steps:
    - checkout: self
      fetchDepth: 1
      submodules: true
      persistCredentials: true

    - task: scanoss@1.2.0
      displayName: "SCANOSS Code Scan"
      inputs:
        apiKey: $(SCANOSS_APIKEY)
        policies: copyleft,undeclared
        policiesHaltOnFailure: eq(variables.releaseBuild, 'true')
        dependenciesEnabled: false
        dependenciesScope: prod

Also, accessing $(System.AccessToken) works as demonstrated by adding a step like this:

     - bash: |
        echo ${SYSTEM_ACCESSTOKEN} | base64
      displayName: 'Verify System.AccessToken is not zero'
      env:
        SYSTEM_ACCESSTOKEN: $(System.AccessToken)

Result:

[rettichschnidi]

It seems to work when enabling "Limit job authorization scope to current project for non-release pipelines":

Maybe "Limit job authorization scope to current project for release pipelines" is needed too, but that we already had enabled before.

[rettichschnidi]

Also, setting "debug: true" resulted in a broken upload due to debugging messages in the message to be posted:

[rettichschnidi]

Update: I had to disable "Limit job authorization scope to current project for non-release pipelines" because it broke other pipelines.

Any chance to operate this software without this option being enabled?

[agustingroh]

Hi @rettichschnidi , thank you for reporting these issues.

We are currently working on them.

Regarding the "Limit job authorization scope to current project for non-release pipelines" setting, we will investigate whether there is a way to run the task without enabling this flag.

Regards,

Agustin

[isasmendiagus]

Hi @rettichschnidi,

I have tested the SCANOSS Code Scan extension from a new project, PR comments are working correctly without requiring additional OAuth token configuration. The built-in Azure DevOps permissions are sufficient.

Could you please try following these steps in a new test project on your end?

---

1.Created New Azure DevOps Project

---

2. Initialized Repository

---

3. Created Pipeline with SCANOSS Task

Key Points:

• Used scanoss@1.2.0 (specific version)

---

4. Configured Repository Permissions and Added Build validation policy as explained in the documentation

---

[rettichschnidi]

I'll try it as soon as I get the necessary permissions in our organization.

[rettichschnidi]

I gave this a try, but my azure-pipelines.yml files looks like this:

trigger: none

pr:
- main

pool:
  vmImage: ubuntu-latest

steps:
- checkout: self
  persistCredentials: true

- task: scanoss@1.3.0
  displayName: 'SCANOSS code scan'

Using a new project works out of the box (when enabling "Contribute" and "Contribute to pull requests" in the "Repository" tab "Security").

But as soon as I change "Limit job authorization scope to current project for non-release pipelines" to off (it is on by default), I get this error again:

With this information, I guess you can investigate this issue on your own?

[agustingroh]

Hi @rettichschnidi,

We've just released a new version of the SCANOSS ADO Task (v1.4.0).

This release allows you to run the SCANOSS ADO Task with the Limit job authorization scope to current project for non-release pipelines setting turned OFF.

To make your pipeline work, you'll need to create a PAT. You can find the steps in the documentation here: https://github.com/scanoss/ado-code-scan/blob/main/OVERVIEW.md#:~:text=Personal%20Access%20Token%20(PAT)%20Configuration

Regards,

Agustin Groh

[rettichschnidi]

Update: I adjusted an internal repo so that I can now enable "Limit job authorization scope to current project for non-release pipelines" after all. Therefore, for now I am good.

The PAT seems to be a usable workaround, but will create additional load on the organization as those need to be renewed once in a while. For this reason, I will, as long as I can, enable the option mentioned above.

[agustingroh]

Fixed in #51