Jspawnhelper executes sh -c security find-certificate -a -p to open login keychain-db

There is a file jspawnhelper at the path below on macOS:
/Users//.vscode/extensions/sonarsource.sonarlint-vscode-3.20.2-darwin-arm64/jre/17.0.8-macosx-aarch64.tar/lib/jspawnhelper

Why does it execute the command below on macOS:
sh -c security find-certificate -a -p

Hi @nexi,

This behavior is expected from SonarLint.

Since version 8.5 (SonarLint IntelliJ) or version 3.20.2 (SonarLint VSCode), we moved to a ‘unified’ HTTP client management across VSCode, IntelliJ, and Eclipse, whereas previously we were relying on each IDE's specifics to benefit from the proxy and SSL configuration already present (IDEs have their own truststore/keystore).

It means that we now handle our own truststore on SonarLint (the default path of our truststore should be ~/.sonarlint/ssl). At initialization, we retrieve JDK and OS certificates. Depending on the OS, there are multiple ways to retrieve them:

  • For macOS, we will look into the keychain by running the bash command security find-certificate
  • For Linux, we search the most common certificate directories such as /etc/ssl/certs
  • For Windows, we look into keystores such as Windows-ROOT or Windows-MY, for example

Then, once the user is asked to trust a new certificate not already present in those mentioned above, it will be stored under the SonarLint truststore if accepted.

I hope this makes it more transparent and clearer to you.

Edit: We are looking into other solutions to avoid triggering security alerts
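As an added example (not SonarLint's code and not part of the original posts): a small Python triage helper that classifies constructed process-creation events, separating the expected jspawnhelper → sh -c security find-certificate -a -p spawn from a SonarLint-bundled JRE from the same command launched by an unexpected parent. The event field names, the SonarLint extension path pattern and the sample events are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not real telemetry). Each event
# carries the parent executable path, the spawned image and its command line.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": "/Users/alice/.vscode/extensions/sonarsource.sonarlint-vscode-3.20.2-darwin-arm64/"
               "jre/17.0.8-macosx-aarch64.tar/lib/jspawnhelper",
     "image": "/bin/sh", "cmdline": "sh -c security find-certificate -a -p"},
    {"parent": "/Users/alice/.vscode/extensions/sonarsource.sonarlint-vscode-3.21.0-darwin-arm64/"
               "jre/17.0.8-macosx-aarch64.tar/lib/jspawnhelper",
     "image": "/usr/bin/security", "cmdline": "security find-certificate -a -p"},
    {"parent": "/tmp/updater", "image": "/bin/sh",
     "cmdline": "sh -c security find-certificate -a -p"},
    {"parent": "/usr/bin/python3", "image": "/bin/ls", "cmdline": "ls -la"},
]

# Assumed path shape of the jspawnhelper shipped inside the SonarLint extension's JRE.
SONARLINT_JSPAWNHELPER = re.compile(r"sonarsource\.sonarlint-[^/]+/jre/[^/]+/lib/jspawnhelper$")
FIND_CERT = re.compile(r"\bsecurity\s+find-certificate\b")

# Verdicts: "expected-shell" is the pre-fix SonarLint behaviour (shell layer present),
# "expected-direct" is the post-fix behaviour (security invoked without sh -c),
# "review" is the same keychain read from a parent that is not a SonarLint JRE.
def classify(event: Dict[str, str]) -> str:
    cmd = event["cmdline"]
    if not FIND_CERT.search(cmd):
        return "ignore"
    via_shell = event["image"].endswith("/sh") and cmd.startswith("sh -c ")
    from_sonarlint = bool(SONARLINT_JSPAWNHELPER.search(event["parent"]))
    if from_sonarlint:
        return "expected-shell" if via_shell else "expected-direct"
    return "review"

def triage(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count verdicts over a batch of events; useful for spotting the odd one out."""
    counts: Dict[str, int] = {}
    for ev in events:
        verdict = classify(ev)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{classify(ev):15s} {ev['parent']} -> {ev['cmdline']}")
    print(triage(SAMPLE_EVENTS))
```

Note that find-certificate -a -p only prints the certificates (public material) in PEM form, so the expected SonarLint case reads no private keys; the parent-path check is what turns the same command line from an alert into an explained event.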


Hey Nicolos, thanks for the update. I was just about to ask the same question. Then I came across this question. I noticed someone else also had the same query, which you can find here.

It seems that some antivirus programs are flagging this as potential secret theft. I appreciate the clarification.

Please let me know if you need any further assistance or modifications to the text!

We modified the retrieval of certificates on macOS by removing the shell layer and excluding a specific keychain file that was not useful to us and that was triggering some security alerts.

The fix should be available in the next release for each IDE at the end of the month. Do not hesitate to come back to us if there are still any issues after the SonarLint update.