Custom Java path for SonarScanner for .NET

Hey,

I was wondering if anyone can help?

SonarQube 10.3, SonarScanner for .NET - SonarScanner.MSbuild.exe v. 5.15.0.15354
Deployment from ZIP directly on Windows Server 2019 Standard (no VM)

Problem - SonarScanner can’t reach SonarQube server.
Logs from Bamboo CI/CD build log, edited for brevity:

error	01-Feb-2024 09:08:53	ERROR: SonarQube server [https://host:443] can not be reached
error	01-Feb-2024 09:08:53	ERROR: Error during SonarScanner execution
error	01-Feb-2024 09:08:53	org.sonarsource.scanner.api.internal.ScannerException: Unable to execute SonarScanner analysis
(...)
error	01-Feb-2024 09:08:53	Caused by: java.lang.IllegalStateException: Fail to get bootstrap index from server
(...)
error	01-Feb-2024 09:08:53	Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
error	01-Feb-2024 09:08:53		at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
error	01-Feb-2024 09:08:53		at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:360)
(...)
error	01-Feb-2024 09:08:53	Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
(...)
error	01-Feb-2024 09:08:53	Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
(...)
error	01-Feb-2024 09:08:53	ERROR: 
error	01-Feb-2024 09:08:53	The SonarScanner did not complete successfully
error	01-Feb-2024 09:08:53	09:08:53.743  Post-processing failed. Exit code: 1
(...)

I suspect the reason is that we have a self-signed certificate signed by a non-trusted certificate authority. We did not need a certificate from a trusted root, as we trust our root authority, and SonarQube is not available outside our local network.

Our Bamboo CI/CD server seems to use JAVA_PATH. Because of this, I do not want to touch Java from JAVA_PATH, because I am not willing to risk breaking our CI/CD for the entire team.

Our SonarQube happily uses a separate SONAR_JAVA_PATH, and it’s working. I would like to be able to provide a custom Java path to SonarScanner, so it executes on a different Java version than the one set in the JAVA_PATH environment variable. I can control its keystore, and add our certificate as trusted to this SonarScanner-specific Java version.

A similar request is here:

but it was dismissed as Jenkins-specific.

Is there a way to run SonarScanner on a specific Java version?

Kind regards,
Michal

Hi Michal,

Welcome to the community!

Yes, this is because you’re using a self-signed cert.

The docs might help.

 
Ann

Hi Ann,

Thanks for the reply. I know that the self-signed certificate is the issue. That’s not the point :)

We solved it. We have kept our self-signed certificate, because our root authority is trusted within our network, and this setup worked for us fine for quite some years. Well, except for Java, of course.

The solution was to just tell Java to use the Windows cert store.

In our PowerShell script, just above the line where we call the SonarScanner end scan step, I added a line:

$env:JAVA_TOOL_OPTIONS = "-Djavax.net.ssl.trustStore=NUL -Djavax.net.ssl.trustStoreType=Windows-ROOT"

… and Java trusts our root authority.

Hope it’s going to help those of us who work in Windows environments.

Bests,
Michal Gruda
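
The fix described in the post above sets JAVA_TOOL_OPTIONS for the whole PowerShell session, and every JVM started from that session afterwards reads it. The sketch below is an added example, not code from the thread or from SonarSource: it first checks that the internal root CA is present in the Windows Root store, then applies the override only for the scanner's end step and restores the previous value. `$ScannerExe`, `$EndArgs`, `$RootCaThumbprint` and both function names are assumptions for illustration.

```powershell
# Added example: scope the Windows trust-store override to the scanner end step only.
# $ScannerExe, $EndArgs and $RootCaThumbprint are placeholders (assumptions), not values from the thread.
$ScannerExe       = 'SonarScanner.MSBuild.exe'
$EndArgs          = @('end')                        # append your own /d: properties here
$RootCaThumbprint = '<INTERNAL-ROOT-CA-THUMBPRINT>' # placeholder, replace with your root CA's thumbprint

# Returns $true when an unexpired certificate with this thumbprint is in a Windows Root store.
function Test-RootCaTrusted {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $normalized = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $stores = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'
    $hit = Get-ChildItem -Path $stores -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $normalized -and $_.NotAfter -gt (Get-Date) } |
        Select-Object -First 1
    return [bool]$hit
}

# Runs $Action with JAVA_TOOL_OPTIONS set, then restores whatever was there before.
function Invoke-WithJavaToolOptions {
    param(
        [Parameter(Mandatory)][string]$Options,
        [Parameter(Mandatory)][scriptblock]$Action
    )
    $previous = $env:JAVA_TOOL_OPTIONS
    try {
        $env:JAVA_TOOL_OPTIONS = $Options
        & $Action
    }
    finally {
        $env:JAVA_TOOL_OPTIONS = $previous   # assigning $null removes the variable again
    }
}

# Fail early with a clear message instead of a PKIX stack trace from the scanner.
if (-not (Test-RootCaTrusted -Thumbprint $RootCaThumbprint)) {
    throw "Root CA $RootCaThumbprint is missing from the Windows Root store or has expired."
}

Invoke-WithJavaToolOptions -Options '-Djavax.net.ssl.trustStore=NUL -Djavax.net.ssl.trustStoreType=Windows-ROOT' -Action {
    & $ScannerExe @EndArgs
    if ($LASTEXITCODE -ne 0) { throw "SonarScanner end step failed with exit code $LASTEXITCODE" }
}
```

With the override scoped this way, other Java processes on the build agent keep using their own default trust store.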
