Failed to import the sonar.scanner.truststorePath

SonarQube Server / Community Build
1

Error message: Failed to import the sonar.scanner.truststorePath file ..\ssl\truststore.p12: The specified network password is not correct

Using Sonarqube Server Enterprise v2025.1
Azure DevOps pipeline with Sonarqube Server extension task
Sonarqube Server is deployed using zip

The error started appearing in our pipelines just now. I see in the history of the extension that a new version 7.2.0 of the extension was installed 2 hours ago, but on GitHub there is no sign of a new release since 7.1.1 26th nov 2024

4

Hi @meanmfmachine ,

The releases should be visible on GitHub: Releases · SonarSource/sonar-scanner-azdo · GitHub

Regarding your issue, can you let me know what scanner mode you are using in your pipeline?

Assuming you are analyzing a .NET project, then you can revert to the previous Scanner for .NET (9.0.2.104486) version in your pipeline, to see if this is fixing your issue:

  - task: SonarQubePrepare@3
    inputs:
      SonarQube: <your service endpoint>
      scannerMode: dotnet
      projectKey: xxx
      projectName: yyy
      msBuildVersion: 9.0.2.104486
5

We are using the .NET scanner for MSBuild, for now we are pointing our tasks to the 7.1.1 version to workaround the issue

Starting: Prepare analysis on SonarQube

Task : Prepare Analysis Configuration
Description : Prepare SonarQube Server analysis configuration
Version : 7.2.0
Author : sonarsource
Help : More Information

[INFO] SonarQube Server: Server version: 2025.1.0.102418

SonarScanner for MSBuild 10.1.1
Using the .NET Framework version of the Scanner for MSBuild
Pre-processing started.
Preparing working directories…
13:19:06.534 Updating build integration targets…
##[error]13:19:06.565 Failed to import the sonar.scanner.truststorePath file g:\sonar-home\ssl\truststore.p12: The specified network password is not correct.
13:19:06.565 Failed to import the sonar.scanner.truststorePath file g:\sonar-home\ssl\truststore.p12: The specified network password is not correct.

##[error]Unhandled Exception:
##[error]System.Security.Cryptography.CryptographicException: The specified network password is not correct.

7

Hello @meanmfmachine,

Could you share with me your SonarQubePrepare task configuration?
Did you manually select the version of the Scanner for .NET in your configuration?

The sonar.scanner.truststorePath property is not available before Scanner for .NET 10 which is not the default in the extension before 7.2.0.

Starting the version 10, if you set sonar.scanner.truststorePath, the scanner will expect you to set the sonar.scanner.truststorePassword as well, otherwise it will try using the default password as documented here.

8

Sure, this is our configuration template

  - task: sonarsource.sonarqube.15B84CA1-B62F-4A2A-A403-89B77A063157.SonarQubePrepare@7
    displayName: Prepare analysis on SonarQube
    inputs:
      SonarQube: Sonarqube-$(System.TeamProject)
      projectKey: $(System.TeamProject)_$(Build.DefinitionName)
      projectName: $(System.TeamProject) - $(Build.DefinitionName)
      extraProperties: |
        ${{ parameters.extraProps }}
        sonar.log.level=${{ parameters.logLevel }}
        sonar.verbose=${{ parameters.verbose }}
    condition: ${{ parameters.condition }}

and parameters.extraProps =

  parameters:
    extraProps: |
      sonar.projectVersion=$(Build.BuildNumber)
      sonar.exclusions=$(SonarQube.Exclusions)
      sonar.coverage.exclusions=$(SonarQube.Coverage.Exclusions)
9

From what I can get here, you have a truststore in your SONAR_HOME folder that you are using to access SonarQube Server behind https.

However, the password of this truststore is not the default one (aka. changeit).
To fix this issue, while using the latest version of the extension, would be to set the sonar.scanner.truststorePassword to both SonarQubePrepare and SonarQubeAnalyze steps.

Now, I would like to have more details about your setup:

  • Are sour accessing your SonarQube Server instance behind https?
  • Do you expect the truststore found in g:\sonar-home\ssl\truststore.p12 to be used?
  • If relevant, how was previously your SSL/TLS configuration/setup (when using the 7.1.1 extension version)?
10

Hi @sebastien.marichal,

We are observing the same on our end after the task changed to version 7.2.0
Changing the scanner to 9.0.2.104486 works but isn’t an ideal solution.

The issue itself is a breaking change on your end:
SonarQube instances that were using version 10.7 and lower had the default password which is not “changeit” but “sonar”

  • The default password for the truststore is “sonar”. This password can be overridden using the property sonar.scanner.truststorePassword*

Which has now changed to “changeit” since version 10.8 and higher, but the pre-existing version still have the old password.

  • The default password for the TrustStore is changeit. This password can be overridden using the property sonar.scanner.truststorePassword*

Changing the store password to “changeit” will make the prepare task succeed but the analysis task will fail with the error: “java.io.IOException: keystore password was incorrect”, likely because it is still expecing “sonar” as the default password…

11

We are also facing some issues with truststore password.

One thing that looks strange is that the Jira ticket clearly states that sonar is still supported as a fallback:

Let’s change the default to changeit like in the default JRE truststore, and keep supporting sonar as a fallback for backward compatibility

12

Hello @LTCell,

I am not sure I understand, both tasks should use the same default password.
Could you share your pipeline configuration that lead to this error?

13

Hello @Philippe_Formulain,

This is an overlook on our side.
The Scanner for .NET does not implement this fallback.

I have create a bug ticket.

Thank you,

15

Sure,

Here is the tasks setup we use (edited for brevity):

- task: SonarSource.sonarqube.15B84CA1-B62F-4A2A-A403-89B77A063157.SonarQubePrepare@7
  displayName: 'Prepare analysis on SonarQube'
  inputs:
    SonarQube: Sonarqube
    projectKey: 'ProjectKey'
    projectVersion: '$(version)'
    extraProperties: |
     sonar.scanner.skipJreProvisioning=true

- task: DotNetCoreCLI@2
  displayName: 'dotnet build'
  inputs:
    projects: '**/*.sln'
    arguments: '-c Release --no-restore'

- task: SonarSource.sonarqube.6D01813A-9589-4B15-8491-8164AEB38055.SonarQubeAnalyze@7
  displayName: 'Run Code Analysis'

- task: SonarSource.sonarqube.291ed61f-1ee4-45d3-b1b0-bf822d9095ef.SonarQubePublish@7
  displayName: 'Publish Quality Gate Result'

We are currently using SonarQube Developer Edition v10.6 with Azure Devops.

This setup exist since before SonarQube 8.9 and has seen every LTA and a few non-LTA updates depending on our needs.

The issue started on the 9th of April.

If we use the given yaml with out current configuration (truststore.p12 password is “sonar” as defined in the doc for this version) we get the following error in the log of the SonarQubePrepare task (“The specified network password is not correct”):

2025-04-09T11:57:18.7434594Z ##[section]Starting: Prepare analysis on SonarQube
2025-04-09T11:57:18.7516853Z ==============================================================================
2025-04-09T11:57:18.7517064Z Task         : Prepare Analysis Configuration
2025-04-09T11:57:18.7517216Z Description  : Prepare SonarQube Server analysis configuration
2025-04-09T11:57:18.7517592Z Version      : 7.2.0
2025-04-09T11:57:18.7517669Z Author       : sonarsource
2025-04-09T11:57:18.7517770Z Help         : [More Information](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarqube-extension-for-azure-devops/)
2025-04-09T11:57:18.7518236Z ==============================================================================
2025-04-09T11:57:19.0017840Z [INFO]  SonarQube Server: Server version: 10.6.0.92116
2025-04-09T11:57:19.0076835Z [command]"C:\Program Files\VSTSAgent\_work\_tasks\SonarQubePrepare_15b84ca1-b62f-4a2a-a403-89b77a063157\7.2.0\classic-sonar-scanner-msbuild\SonarScanner.MSBuild.exe" begin /k:ProjectKey
2025-04-09T11:57:19.0634062Z SonarScanner for MSBuild 10.1.1
2025-04-09T11:57:19.0635617Z Using the .NET Framework version of the Scanner for MSBuild
2025-04-09T11:57:19.0949592Z Pre-processing started.
2025-04-09T11:57:19.0967902Z Preparing working directories...
2025-04-09T11:57:19.1311421Z 19:57:19.13  Updating build integration targets...
2025-04-09T11:57:19.1689954Z ##[error]19:57:19.165  Failed to import the sonar.scanner.truststorePath file C:\Users\Administrator\.sonar\ssl\truststore.p12: The specified network password is not correct.
2025-04-09T11:57:19.1696030Z 19:57:19.165  Failed to import the sonar.scanner.truststorePath file C:\Users\Administrator\.sonar\ssl\truststore.p12: The specified network password is not correct.

if we change the truststore.p12 password from “sonar” to “changeit” then we get the following error in the SonarQubeAnalyze task (“keystore password was incorrect”):

2025-04-14T07:55:34.4490926Z ##[section]Starting: Run Code Analysis
2025-04-14T07:55:34.4573338Z ==============================================================================
2025-04-14T07:55:34.4573519Z Task         : Run Code Analysis
2025-04-14T07:55:34.4573615Z Description  : Run scanner and upload the results to the SonarQube Server.
2025-04-14T07:55:34.4573813Z Version      : 7.2.0
2025-04-14T07:55:34.4573876Z Author       : sonarsource
2025-04-14T07:55:34.4573974Z Help         : This task is not needed for Maven and Gradle projects since the scanner should be run as part of the build.

[More Information](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarqube-extension-for-azure-devops/)
2025-04-14T07:55:34.4574681Z ==============================================================================
2025-04-14T07:55:34.6835172Z [command]"C:\Program Files\VSTSAgent\_work\_tasks\SonarQubePrepare_15b84ca1-b62f-4a2a-a403-89b77a063157\7.2.0\classic-sonar-scanner-msbuild\SonarScanner.MSBuild.exe" end
2025-04-14T07:55:34.7365798Z SonarScanner for MSBuild 10.1.1
2025-04-14T07:55:34.7367611Z Using the .NET Framework version of the Scanner for MSBuild
2025-04-14T07:55:34.7670629Z Post-processing started.
2025-04-14T07:55:35.5932043Z Calling the TFS Processor executable...
2025-04-14T07:55:35.7113287Z Property 'sonar.cs.vstest.reportsPaths' provided, skipping the search for TRX files in default folders...
2025-04-14T07:55:35.8002191Z Did not find any binary coverage files in the expected location.
2025-04-14T07:55:35.8009885Z Falling back on locating coverage files in the agent temp directory.
2025-04-14T07:55:35.8013446Z Searching for coverage files in C:\Program Files\VSTSAgent\_work\_temp
2025-04-14T07:55:35.8027686Z All matching files: count=4
2025-04-14T07:55:35.8029039Z 	C:\Program Files\VSTSAgent\_work\_temp\098b5c3c-f057-48d5-ae1e-03b4a761e1ac\Administrator_<redacted>_2025-04-14.15_55_22.coverage
2025-04-14T07:55:35.8030830Z 	C:\Program Files\VSTSAgent\_work\_temp\1c4662c7-1426-478b-86fd-1bf6e6339a8b\Administrator_<redacted>_2025-04-14.15_55_20.coverage
2025-04-14T07:55:35.8032633Z 	C:\Program Files\VSTSAgent\_work\_temp\Administrator_<redacted>_2025-04-14_15_55_21\In\<redacted>\Administrator_<redacted>_2025-04-14.15_55_20.coverage
2025-04-14T07:55:35.8033809Z 	C:\Program Files\VSTSAgent\_work\_temp\Administrator_<redacted>_2025-04-14_15_55_24\In\<redacted>\Administrator_<redacted>_2025-04-14.15_55_22.coverage
2025-04-14T07:55:35.8143348Z Unique coverage files: count=2
2025-04-14T07:55:35.8144240Z 	C:\Program Files\VSTSAgent\_work\_temp\098b5c3c-f057-48d5-ae1e-03b4a761e1ac\Administrator_<redacted>_2025-04-14.15_55_22.coverage
2025-04-14T07:55:35.8145336Z 	C:\Program Files\VSTSAgent\_work\_temp\1c4662c7-1426-478b-86fd-1bf6e6339a8b\Administrator_<redacted>_2025-04-14.15_55_20.coverage
2025-04-14T07:55:35.8218650Z Converting coverage file 'C:\Program Files\VSTSAgent\_work\_temp\098b5c3c-f057-48d5-ae1e-03b4a761e1ac\Administrator_<redacted>_2025-04-14.15_55_22.coverage' to 'C:\Program Files\VSTSAgent\_work\_temp\098b5c3c-f057-48d5-ae1e-03b4a761e1ac\Administrator_<redacted>_2025-04-14.15_55_22.coveragexml'.
2025-04-14T07:55:36.0060824Z Converting coverage file 'C:\Program Files\VSTSAgent\_work\_temp\1c4662c7-1426-478b-86fd-1bf6e6339a8b\Administrator_<redacted>_2025-04-14.15_55_20.coverage' to 'C:\Program Files\VSTSAgent\_work\_temp\1c4662c7-1426-478b-86fd-1bf6e6339a8b\Administrator_<redacted>_2025-04-14.15_55_20.coveragexml'.
2025-04-14T07:55:36.0087500Z Coverage report conversion completed successfully.
2025-04-14T07:55:36.0159432Z The TFS Processor has finished
2025-04-14T07:55:36.0190154Z Calling the SonarScanner CLI...
2025-04-14T07:55:36.1217438Z INFO: Scanner configuration file: C:\Program Files\VSTSAgent\_work\_tasks\SonarQubePrepare_15b84ca1-b62f-4a2a-a403-89b77a063157\7.2.0\classic-sonar-scanner-msbuild\sonar-scanner-5.0.1.3006\bin\..\conf\sonar-scanner.properties
2025-04-14T07:55:36.1226900Z INFO: Project root configuration file: C:\Program Files\VSTSAgent\_work\215\.sonarqube\out\sonar-project.properties
2025-04-14T07:55:36.1643532Z INFO: SonarScanner 5.0.1.3006
2025-04-14T07:55:36.1644319Z INFO: Java 17.0.2 Oracle Corporation (64-bit)
2025-04-14T07:55:36.1644661Z INFO: Windows Server 2022 10.0 amd64
2025-04-14T07:55:36.1669291Z INFO: SONAR_SCANNER_OPTS=-Djavax.net.ssl.trustStore="C:/Users/Administrator/.sonar/ssl/truststore.p12" -D<sensitive data removed>
2025-04-14T07:55:36.3581307Z INFO: User cache: C:\Users\Administrator\.sonar\cache
2025-04-14T07:55:36.5130132Z INFO: Analyzing on SonarQube server 10.6.0.92116
2025-04-14T07:55:36.5133994Z INFO: Default locale: "en_US", source code encoding: "windows-1252" (analysis is platform dependent)
2025-04-14T07:55:36.8980646Z INFO: ------------------------------------------------------------------------
2025-04-14T07:55:36.8981037Z INFO: EXECUTION FAILURE
2025-04-14T07:55:36.9005083Z INFO: ------------------------------------------------------------------------
2025-04-14T07:55:36.9011505Z INFO: Total time: 0.784s
2025-04-14T07:55:36.9084596Z INFO: Final Memory: 5M/40M
2025-04-14T07:55:36.9086646Z INFO: ------------------------------------------------------------------------
2025-04-14T07:55:36.9090678Z ##[error]ERROR: Error during SonarScanner execution
2025-04-14T07:55:36.9095677Z ERROR: Error during SonarScanner execution
2025-04-14T07:55:36.9108446Z ##[error]org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.sonarsource.scanner.api.internal.IsolatedClassloader@8dbdac1-org.sonar.scanner.bootstrap.ScannerPluginRepository': Unsatisfied dependency expressed through constructor parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.sonarsource.scanner.api.internal.IsolatedClassloader@8dbdac1-org.sonar.scanner.bootstrap.ScannerPluginInstaller': Unsatisfied dependency expressed through constructor parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.sonarsource.scanner.api.internal.IsolatedClassloader@8dbdac1-org.sonar.scanner.bootstrap.PluginFiles': Unsatisfied dependency expressed through constructor parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'DefaultScannerWsClient' defined in org.sonar.scanner.http.ScannerWsClientProvider: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.sonar.scanner.http.DefaultScannerWsClient]: Factory method 'provide' threw exception; nested exception is nl.altindag.ssl.exception.GenericKeyStoreException: nl.altindag.ssl.exception.GenericKeyStoreException: java.io.IOException: keystore password was incorrect
	at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:801)
	at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:224)
2025-04-14T07:55:36.9118556Z org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.sonarsource.scanner.api.internal.IsolatedClassloader@8dbdac1-org.sonar.scanner.bootstrap.ScannerPluginRepository': Unsatisfied dependency expressed through constructor parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.sonarsource.scanner.api.internal.IsolatedClassloader@8dbdac1-org.sonar.scanner.bootstrap.ScannerPluginInstaller': Unsatisfied dependency expressed through constructor parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.sonarsource.scanner.api.internal.IsolatedClassloader@8dbdac1-org.sonar.scanner.bootstrap.PluginFiles': Unsatisfied dependency expressed through constructor parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'DefaultScannerWsClient' defined in org.sonar.scanner.http.ScannerWsClientProvider: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.sonar.scanner.http.DefaultScannerWsClient]: Factory method 'provide' threw exception; nested exception is nl.altindag.ssl.exception.GenericKeyStoreException: nl.altindag.ssl.exception.GenericKeyStoreException: java.io.IOException: keystore password was incorrect
18

Hello @LTCell,

I am bit surprised, if you don’t provide a password during the Analysis task, we should force the default password changeit.

Do you have the SONAR_SCANNER_OPTS already set in you environment by any chance?
With the -Djavax.net.ssl.trustStorePassword property set?

That could explain why the analysis step is not working.

If you don’t have the SONAR_SCANNER_OPTS environment variable set, could share your verbose logs for both your Prepare and Analysis task?

You can enable by setting the sonar.verbose=true property in the extraProperties field.

Thank you,

19

Hello @sebastien.marichal

I can confirm we do not have SONAR_SCANNER_OPTS set in our environment.

Here are the prepare and analysis verbose logs:
SQPreprareTask.txt (10.9 KB)
SQAnalysisTask.txt (421.9 KB)

20

Hello @LTCell, @Philippe_Formulain,

We just released a new version of the SonarScanner for .NET.
This release adds the support of sonar as a default password alongside changeit.

It is not yet embedded in the Azure DevOps extensions, so you will have to select it by setting the new version 10.1.2.114627 in the msBuildVersion property of your pipeline config:

- task: SonarQubePrepare@7
  inputs:
    # ... Omitted for brevity
    scannerMode: 'dotnet'
    msBuildVersion: 10.1.2.114627

Please let me know if it fixes your issues.

21

Hi @sebastien.marichal,

Thank you for the quick update.

The good news:
With version 10.1.2.114627 everything is working correctly when the password for truststore.p12 is sonar.

The bad news:
With version 10.1.2.114627 if the password for truststore.p12 is changeit I am facing the same issue I reported previously: the analysis task fail mentionning a wrong password.

Here are the verbose logs for the Prepare and Analysis task:
SQPreprareTask-2.txt (10.9 KB)
SQAnalysisTask-2.txt (421.5 KB)

Note that if the password for truststore.p12 is changeit and I manually specify the changeit password in the extra properties of the Prepare task, then the Analysis task is working correctly:
sonar.scanner.truststorePassword=changeit
So it seems to me that the issue is how the default password is passed along from the Prepare Task to the Analysis task.

22

Hello @LTCell,

We are using the same mechanism to detect the default password in the PrepareTask and AnalysisTask. Based on the logs you provided, I see that we are able to determine that the password is changeit, in both tasks.

However, for a reason I don’t understand yet, it does not propagate correctly during the AnalysisTask.
It seems also that at least one request to the server is successful:

2025-04-17T03:17:35.8269429Z 11:17:35.826 DEBUG: Get bootstrap index...
2025-04-17T03:17:35.8269829Z 11:17:35.826 DEBUG: Download: https://<redacted>/batch/index
2025-04-17T03:17:35.9572028Z 11:17:35.956 DEBUG: Get bootstrap completed

I tried to reproduce it locally to no avail. There must be something in your environment that alter the behavior somehow.
Since you skip the JRE provisioning, my guess would be that you have some configuration in your environment for your local JRE that would override the password.
Although, it does not explain why it works when you explicitly specify the sonar.scanner.truststorePassword=changeit property…

I will continue to look into it.