Hey again @Paulien_van_Alst .
As mentioned in the docs, you must build a new Docker image if you want to use your own cacerts trust store.
If running the scanner with Docker
If you need to configure a self-signed certificate for the scanner to communicate with your SonarQube instance, you can use a volume under /tmp/cacerts to add it to the container's Java trust store:
```
docker run \
--rm \
-v ${YOUR_CERTS_DIR}/cacerts:/tmp/cacerts \
-v ${YOUR_CACHE_DIR}:/opt/sonar-scanner/.sonar/cache \
-v ${YOUR_REPO}:/usr/src \
-e SONAR_HOST_URL="http://${SONARQUBE_URL}" \
sonarsource/sonar-scanner-cli
```
Then, assuming both the cacerts and Dockerfile are in the current directory, create the new image with a command such as:
```
docker build --tag our-custom/sonar-scanner-cli .
```
My colleagues (@Joe and @wayne.khan) have shown me a simple example, with a custom Dockerfile based on the sonar-scanner-cli DockerHub page (or its GitHub source):
```
# Specify a different tag if needed (Dockerfile has no inline comments, so keep it on its own line)
ARG TAG=11.0.1.1589_6.1.0
FROM sonarsource/sonar-scanner-cli:${TAG}
# Copy a local, known good truststore
COPY cacerts /opt/sonar-scanner/jre/lib/security/cacerts
```
Then build the custom sonar-scanner-cli image:
```
[azureuser@InterviewFirstStage java]$ sudo docker build --tag our-custom/sonar-scanner-cli .
[+] Building 0.7s (7/7) FINISHED docker:default
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 294B 0.0s
=> [internal] load metadata for docker.io/sonarsource/sonar-scanner-cli:11.0.1.1589_6.1.0 0.0s
=> [internal] load .dockerignore 0.1s
=> => transferring context: 2B 0.0s
=> [internal] load build context 0.1s
=> => transferring context: 161.93kB 0.0s
=> [1/2] FROM docker.io/sonarsource/sonar-scanner-cli:11.0.1.1589_6.1.0 0.2s
=> [2/2] COPY cacerts /opt/sonar-scanner/jre/lib/security/cacerts 0.1s
=> exporting to image 0.1s
=> => exporting layers 0.1s
=> => writing image sha256:92b1338867237e1331bf5719d666b8aef4ab554b25c2760af420f028a3cd4c37 0.0s
=> => naming to docker.io/our-custom/sonar-scanner-cli
```
Then check the contents:
```
[azureuser@InterviewFirstStage java]$ sudo docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
87387d5e448d our-custom/sonar-scanner-cli "/usr/bin/entrypoint…" 5 seconds ago Up 4 seconds great_mayer
[azureuser@InterviewFirstStage java]$ sudo docker exec -ti 87387d5e448d sh
sh-5.2$ cd /opt/sonar-scanner/jre/lib/security
sh-5.2$ ls -la
total 400
dr-xr-xr-x. 1 scanner-cli scanner-cli 21 Sep 2 06:08 .
dr-xr-xr-x. 1 scanner-cli scanner-cli 22 Jun 26 15:33 ..
-r-xr-xr-x. 1 scanner-cli scanner-cli 2488 Apr 17 06:07 blocked.certs
-r--r--r--. 1 root root 161817 May 1 14:31 cacerts
-r-xr-xr-x. 1 scanner-cli scanner-cli 10129 Apr 17 06:07 default.policy
-r-xr-xr-x. 1 scanner-cli scanner-cli 228598 Apr 17 06:07 public_suffix_list.dat
```
Note the file size of 161817, which is the size of my own local cacerts. If you don’t modify the container’s cacerts with your own truststore, then the size is different, which indicates that the cacerts was not replaced:
```
sudo docker run \
--rm \
-v /home/azureuser/Projects/jojo-simple:/usr/src \
-e SONAR_HOST_URL="https://your-own-SQ-URL" \
sonarsource/sonar-scanner-cli:11.0.1.1589_6.1.0 sleep infinity
```
In another window:
```
[azureuser@InterviewFirstStage jojo-simple]$ sudo docker exec -ti 0689d90a44b3 sh
sh-5.2$ ls -la /opt/sonar-scanner/jre/lib/security/cacerts
-r-xr-xr-x. 1 scanner-cli scanner-cli 171578 Apr 17 06:07 /opt/sonar-scanner/jre/lib/security/cacerts
```
I hope this helps.
Colin
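An added verification script (my own example, not from Colin's post or the SonarSource project): rather than comparing file sizes by eye, it compares the SHA-256 of the local cacerts with the one baked into the image and then confirms the expected CA alias is actually present. The image name, the alias `my-internal-ca`, the keytool path inside the bundled JRE and the default store password `changeit` are assumptions; set `RUN_LIVE_CHECK=1` to run it against a real Docker daemon.

```shell
#!/usr/bin/env bash
# Check that a custom sonar-scanner-cli image really carries our truststore.
set -eu

IMAGE="${IMAGE:-our-custom/sonar-scanner-cli}"     # assumed image name
CA_ALIAS="${CA_ALIAS:-my-internal-ca}"             # assumed alias used at keytool -importcert time
LOCAL_CACERTS="${LOCAL_CACERTS:-./cacerts}"        # the file COPYed in the Dockerfile
IMAGE_CACERTS=/opt/sonar-scanner/jre/lib/security/cacerts
KEYTOOL=/opt/sonar-scanner/jre/bin/keytool         # assumed location in the bundled JRE

# Extract the hex digest from a "sha256sum" output line ("<digest>  <path>").
digest_of_line() {
  printf '%s\n' "$1" | awk '{print $1}'
}

# Succeed only when both digests are identical and of SHA-256 length.
digests_match() {
  [ "${#1}" -eq 64 ] && [ "$1" = "$2" ]
}

# Run a command inside the image with the scanner entrypoint bypassed.
in_image() {
  docker run --rm --entrypoint sh "$IMAGE" -c "$1"
}

verify_image_truststore() {
  local local_digest image_digest
  local_digest=$(digest_of_line "$(sha256sum "$LOCAL_CACERTS")")
  image_digest=$(digest_of_line "$(in_image "sha256sum $IMAGE_CACERTS")")
  if ! digests_match "$local_digest" "$image_digest"; then
    echo "FAIL: $IMAGE_CACERTS in $IMAGE differs from $LOCAL_CACERTS" >&2
    return 1
  fi
  # A matching file is not enough: make sure the CA we intended is in it.
  if ! in_image "$KEYTOOL -list -keystore $IMAGE_CACERTS -storepass changeit -alias $CA_ALIAS" >/dev/null; then
    echo "FAIL: alias $CA_ALIAS not found in the image truststore" >&2
    return 1
  fi
  echo "OK: $IMAGE carries the expected truststore and alias $CA_ALIAS"
}

# The live check needs a Docker daemon, so it only runs when explicitly requested.
if [ "${RUN_LIVE_CHECK:-0}" = 1 ] && command -v docker >/dev/null 2>&1; then
  verify_image_truststore
fi
```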