Jspawnhelper executes sh -c security find-certificate -a -p to open login keychain-db

Hi @nexi,

This behavior is expected from SonarLint.

Since version 8.5 (SonarLint IntelliJ) or version 3.20.2 (SonarLint VSCode), we moved to a ‘unified’ HTTP client management across VSCode, IntelliJ, and Eclipse, whereas previously we were relying on each IDE's specifics to benefit from the proxy and SSL configuration already present (IDEs have their own truststore/keystore).

It means that we now handle our own truststore on SonarLint (the default path of our truststore should be ~/.sonarlint/ssl). At initialization, we retrieve JDK and OS certificates. Depending on the OS, there are multiple ways to retrieve them:

  • For macOS, we will look into the keychain by running the bash command security find-certificate
  • For Linux, we search the most common certificate directories such as /etc/ssl/certs
  • For Windows, we look into keystores such as Windows-ROOT or Windows-MY

Then, once the user is asked to trust a new certificate not already present in those mentioned above, it will be stored under the SonarLint truststore if accepted.

I hope this makes it more transparent and clearer to you.

Edit: We are looking into other solutions to avoid triggering security alerts.

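The following is an added example, not SonarLint's own code, showing what the three collection paths described in the reply look like when written out: on macOS it runs security find-certificate -a -p directly (the same process spawn that an EDR attributes to jspawnhelper when a JVM launches it via sh -c), on Linux it reads the PEM files under /etc/ssl/certs, and on Windows it opens the Windows-ROOT and Windows-MY stores through the JDK's SunMSCAPI provider. Everything gathered is deduplicated by SHA-256 fingerprint and written to a PKCS12 file. The reply only names the directory ~/.sonarlint/ssl; the file name truststore.p12, the password "changeit", the 30-second timeout and the class name OsTrustCollector are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;

/** Example (not SonarLint code): gather OS-trusted certificates and persist them as a PKCS12 truststore. */
public class OsTrustCollector {

    // Keyed by SHA-256 fingerprint so a root found in several places is stored only once.
    private final Map<String, X509Certificate> found = new LinkedHashMap<>();
    private final CertificateFactory cf;

    public OsTrustCollector() throws Exception {
        cf = CertificateFactory.getInstance("X.509");
    }

    /** macOS: ask the keychain search list for every certificate as one PEM bundle on stdout. */
    public void collectFromMacKeychain() throws Exception {
        // Spawning the binary directly avoids the extra "sh -c" layer seen in the alert.
        Process p = new ProcessBuilder("security", "find-certificate", "-a", "-p").start();
        byte[] pem = p.getInputStream().readAllBytes();          // Java 9+
        if (!p.waitFor(30, TimeUnit.SECONDS)) {                  // assumed timeout
            p.destroyForcibly();
            throw new IOException("security find-certificate did not finish in time");
        }
        if (p.exitValue() != 0) {
            throw new IOException("security find-certificate exited with " + p.exitValue());
        }
        addPemBundle(pem);
    }

    /** Linux: read every .pem/.crt file in a system certificate directory such as /etc/ssl/certs. */
    public void collectFromLinuxDir(Path dir) throws Exception {
        if (!Files.isDirectory(dir)) return;
        try (DirectoryStream<Path> files = Files.newDirectoryStream(dir, "*.{pem,crt}")) {
            for (Path f : files) {
                if (Files.isRegularFile(f)) addPemBundle(Files.readAllBytes(f)); // skips broken symlinks
            }
        }
    }

    /** Windows: open an OS-managed store ("Windows-ROOT" or "Windows-MY") via the SunMSCAPI provider. */
    public void collectFromWindowsStore(String storeName) throws Exception {
        KeyStore ks = KeyStore.getInstance(storeName);
        ks.load(null, null);
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) add((X509Certificate) c);
        }
    }

    /** generateCertificates() accepts a concatenation of PEM blocks and yields each certificate. */
    private void addPemBundle(byte[] pem) throws Exception {
        for (Certificate c : cf.generateCertificates(new ByteArrayInputStream(pem))) {
            if (c instanceof X509Certificate) add((X509Certificate) c);
        }
    }

    private void add(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        found.putIfAbsent(hex.toString(), cert);
    }

    /** Write the collected certificates as a PKCS12 truststore (file name and password are assumed). */
    public void writeTrustStore(Path file, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        ts.load(null, null);
        for (Map.Entry<String, X509Certificate> e : found.entrySet()) {
            ts.setCertificateEntry(e.getKey(), e.getValue());
        }
        Files.createDirectories(file.getParent());
        try (OutputStream out = Files.newOutputStream(file)) {
            ts.store(out, password);
        }
    }

    public int size() { return found.size(); }

    public static void main(String[] args) throws Exception {
        OsTrustCollector collector = new OsTrustCollector();
        String os = System.getProperty("os.name").toLowerCase();
        if (os.contains("mac")) {
            collector.collectFromMacKeychain();
        } else if (os.contains("win")) {
            collector.collectFromWindowsStore("Windows-ROOT");
            collector.collectFromWindowsStore("Windows-MY");
        } else {
            collector.collectFromLinuxDir(Paths.get("/etc/ssl/certs"));
        }
        // Directory from the reply; the file name is an assumption of this example.
        Path out = Paths.get(System.getProperty("user.home"), ".sonarlint", "ssl", "truststore.p12");
        collector.writeTrustStore(out, "changeit".toCharArray());
        System.out.println("collected " + collector.size() + " certificates into " + out);
    }
}
```

Keying the entries by fingerprint is also what makes the resulting file auditable: anyone investigating the alert can list the aliases with keytool -list -keystore ~/.sonarlint/ssl/truststore.p12 and compare them against the certificates the keychain or /etc/ssl/certs actually holds, which is the check a defender wants after seeing an IDE process read the login keychain.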