Can't add cert to latest Scanner CLI Docker image

There is another impact following the switch to scanner-cli (an unprivileged user). It is no longer possible to add a custom certificate in cacert using keytool.

This case happens when using a custom certificate authority, which can be common in the context of a company/enterprise.

1 Like

Hi @xavier

Are you following the documented way using -v ${YOUR_CERTS_DIR}/cacerts:/tmp/cacerts ?

Then you have to be sure the scanner-cli user (1000) has read permission on the cacerts file.

We were able to reproduce. Ticket created, thanks for the feedback.

Good morning,

We are trying this out with version 10.0 which should have the fix mentioned, however keytool is only running under the root user.
We are therefore not able to run the docker image with a dedicated user and we need to run it with the root user.
Is it possible to fix it in the future?

Hey @Paulien_van_Alst

Can you give it a try with 11.0? An entirely new base image is being used in the latest version.

I am fine with testing it but what is then the way to go with custom certificates?
In version 11 the logic for importing the certificates into the keystore has been removed from the entry point script.

Check the docs here, specifically the section If running the scanner with Docker

This does not work, the scanner is not able to use the certificates…
The certificates seem not to be loaded in the Java keystore.
The certificates are placed in /tmp/cacerts/ as indicated in the docs, but nothing is done with them.

Hey again @Paulien_van_Alst .

As mentioned in the docs, you must build a new Docker image if you want to use your own cacerts trust store.

If running the scanner with Docker

If you need to configure a self-signed certificate for the scanner to communicate with your SonarQube instance, you can use a volume under /tmp/cacerts to add it to the container's Java trust store:

docker run \
    --rm \
    -v ${YOUR_CERTS_DIR}/cacerts:/tmp/cacerts \
    -v ${YOUR_CACHE_DIR}:/opt/sonar-scanner/.sonar/cache \
    -v ${YOUR_REPO}:/usr/src \
    -e SONAR_HOST_URL="http://${SONARQUBE_URL}" \
    sonarsource/sonar-scanner-cli

Then, assuming both the cacerts and Dockerfile are in the current directory, create the new image with a command such as:

docker build --tag our-custom/sonar-scanner-cli .

My colleagues (@Joe and @wayne.khan) have shown me a simple example, with a custom Dockerfile based on the sonar-scanner-cli DockerHub page (or its GitHub source):

# Specify a different tag if needed
ARG TAG=11.0.1.1589_6.1.0
FROM sonarsource/sonar-scanner-cli:${TAG}

# Copy a local, known good truststore
COPY cacerts /opt/sonar-scanner/jre/lib/security/cacerts

Then build the custom sonar-scanner-cli image:

[azureuser@InterviewFirstStage java]$ sudo docker build --tag our-custom/sonar-scanner-cli .
[+] Building 0.7s (7/7) FINISHED                                                          docker:default
 => [internal] load build definition from Dockerfile                                                0.0s
 => => transferring dockerfile: 294B                                                                0.0s
 => [internal] load metadata for docker.io/sonarsource/sonar-scanner-cli:11.0.1.1589_6.1.0          0.0s
 => [internal] load .dockerignore                                                                   0.1s
 => => transferring context: 2B                                                                     0.0s
 => [internal] load build context                                                                   0.1s
 => => transferring context: 161.93kB                                                               0.0s
 => [1/2] FROM docker.io/sonarsource/sonar-scanner-cli:11.0.1.1589_6.1.0                            0.2s
 => [2/2] COPY cacerts /opt/sonar-scanner/jre/lib/security/cacerts                                  0.1s
 => exporting to image                                                                              0.1s
 => => exporting layers                                                                             0.1s
 => => writing image sha256:92b1338867237e1331bf5719d666b8aef4ab554b25c2760af420f028a3cd4c37        0.0s
 => => naming to docker.io/our-custom/sonar-scanner-cli

Then check the contents:

[azureuser@InterviewFirstStage java]$ sudo docker container ls
CONTAINER ID   IMAGE                          COMMAND                  CREATED         STATUS         PORTS     NAMES
87387d5e448d   our-custom/sonar-scanner-cli   "/usr/bin/entrypoint…"   5 seconds ago   Up 4 seconds             great_mayer
[azureuser@InterviewFirstStage java]$ sudo docker exec -ti 87387d5e448d sh
sh-5.2$ cd /opt/sonar-scanner/jre/lib/security
sh-5.2$ ls -la
total 400
dr-xr-xr-x. 1 scanner-cli scanner-cli     21 Sep  2 06:08 .
dr-xr-xr-x. 1 scanner-cli scanner-cli     22 Jun 26 15:33 ..
-r-xr-xr-x. 1 scanner-cli scanner-cli   2488 Apr 17 06:07 blocked.certs
-r--r--r--. 1 root        root        161817 May  1 14:31 cacerts
-r-xr-xr-x. 1 scanner-cli scanner-cli  10129 Apr 17 06:07 default.policy
-r-xr-xr-x. 1 scanner-cli scanner-cli 228598 Apr 17 06:07 public_suffix_list.dat

Note the file size of 161817, which is the size of my own local cacerts. If you don’t modify the container’s cacerts with your own truststore, then the size is different, which indicates that the cacerts was not replaced:

sudo docker run \
    --rm \
    -v /home/azureuser/Projects/jojo-simple:/usr/src \
    -e SONAR_HOST_URL="https://your-own-SQ-URL" \
    sonarsource/sonar-scanner-cli:11.0.1.1589_6.1.0 sleep infinity

In another window:

[azureuser@InterviewFirstStage jojo-simple]$ sudo docker exec -ti 0689d90a44b3 sh
sh-5.2$ ls -la /opt/sonar-scanner/jre/lib/security/cacerts
-r-xr-xr-x. 1 scanner-cli scanner-cli 171578 Apr 17 06:07 /opt/sonar-scanner/jre/lib/security/cacerts

I hope this helps.

Colin

2 Likes
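As an added example (not code from the thread, from SonarSource's docs, or from the sonar-scanner-cli project), here is a variant of the custom-image approach Colin describes above. Instead of replacing the whole cacerts file with a locally maintained copy, it imports a single PEM-encoded private CA into the JRE trust store that ships in the base image, so the public roots SonarSource bundles stay intact. The keytool import runs once, as root, during docker build; the image then switches back to the unprivileged scanner-cli user, so nothing at scan time needs write access to the trust store. It assumes that corp-root-ca.pem sits next to the Dockerfile, that the bundled JRE provides keytool under /opt/sonar-scanner/jre/bin, that the trust store still uses the JDK default password changeit, and that the runtime user is named scanner-cli (the thread only shows that name as file owner). None of these assumptions are confirmed by the thread.

```dockerfile
# Added example: import one private CA into the image's JVM trust store at
# build time, then drop back to the unprivileged user for the scan itself.
# Assumptions (not taken from the thread): corp-root-ca.pem is next to this
# Dockerfile, keytool exists in the bundled JRE, and the store password is the
# JDK default "changeit".

# Specify a different tag if needed
ARG TAG=11.0.1.1589_6.1.0
FROM sonarsource/sonar-scanner-cli:${TAG}

ARG CA_FILE=corp-root-ca.pem
ARG CA_ALIAS=corp-root-ca
ARG STORE=/opt/sonar-scanner/jre/lib/security/cacerts
ARG STOREPASS=changeit
ARG KEYTOOL=/opt/sonar-scanner/jre/bin/keytool

# cacerts is owned read-only by scanner-cli in the base image (see the ls -la
# output in the thread); only root can modify it in place.
USER root
COPY ${CA_FILE} /tmp/${CA_FILE}

# Import the CA, then prove the alias is present: "keytool -list -alias"
# exits non-zero if the import silently failed, which fails the build.
# The PEM copy is removed so it does not linger in the final layer.
RUN "${KEYTOOL}" -importcert -noprompt -trustcacerts \
        -keystore "${STORE}" -storepass "${STOREPASS}" \
        -alias "${CA_ALIAS}" -file "/tmp/${CA_FILE}" \
    && "${KEYTOOL}" -list -keystore "${STORE}" -storepass "${STOREPASS}" \
        -alias "${CA_ALIAS}" \
    && rm -f "/tmp/${CA_FILE}"

# Hand the image back to the unprivileged scanner user for runtime.
USER scanner-cli
```

Build it with the same command Colin uses, `docker build --tag our-custom/sonar-scanner-cli .`, and run it with the docker run line quoted from the docs above, dropping the `-v ${YOUR_CERTS_DIR}/cacerts:/tmp/cacerts` volume, which version 11 no longer consumes. To confirm the trust store inside a running container, `keytool -list -keystore /opt/sonar-scanner/jre/lib/security/cacerts -storepass changeit -alias corp-root-ca` should print the CA's fingerprint; the file size will differ from both values shown in the thread because only one entry was added rather than the whole store replaced. Because the CA is baked into an image layer, rebuild the image (rather than editing a running container) whenever the CA is rotated, and keep the PEM out of the build context of unrelated images.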