Keystore errors in Sonar Gradle Scanner 6.x

  • Environment: GitHub Actions, Large Ubuntu Runner
  • JDK = 17 (Temurin)
  • Gradle: 7.5 (AGP 7.4.2)
  • Server: Sonar Developer 10.3 (Yeah, I know)
  • Sonar Gradle Plugin: 6.1.0.5360

Hey folks, having some issues with the Sonar Gradle plugin in our CI setup, was hoping to get some assistance. We’re building an Android app that’s a little behind current but not catastrophically so.

The Sonar 5.x Gradle plugin started failing in our CI setup where it had previously worked OK, array-out-of-bounds stuff. Seemed like a bug (codebase got too big?) and I saw that the 6.x scanner was available, so I figured it would be smarter to upgrade the plugin instead.

This has itself caused me problems because the system cacerts file is in JKS format.

Original error message:

Caused by: nl.altindag.ssl.exception.GenericKeyStoreException: Unable to read truststore from '/usr/lib/jvm/temurin-17-jdk-amd64/lib/security/cacerts'
	at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.configureSsl(OkHttpClientFactory.java:146)
	at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.create(OkHttpClientFactory.java:80)
	at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.init(ScannerHttpClient.java:52)
	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:147)
	at org.sonarqube.gradle.SonarTask.run(SonarTask.java:134)
	... 144 more
Caused by: java.io.IOException: stream does not represent a PKCS12 key store

I tried providing overrides to tell Sonar that the keystore is in JKS, but the flags I found for that on the net didn’t seem to work. Turns out that the Sonar Scanner’s Java library is now hard-coded to only accept PKCS12 stores.

So I tried converting the store:

        keytool \
          -importkeystore \
          -srckeystore "$JKS_TRUST_STORE" \
          -srcstoretype jks \
          -destkeystore "$PKCS12_TRUST_STORE" \
          -deststoretype pkcs12 \
          -srcstorepass changeit \
          -deststorepass changeit \
          -noprompt

And then providing the new store location to the build:

./gradlew androidBuildNameHere sonar -x lint --profile --stacktrace \
  -Dsonar.token=${{ secrets.SONAR_SECRET_TOKEN }} \
  -Dsonar.host.url=${{ secrets.SONAR_HOST_URL }} \
  -Dsonar.scanner.truststorePath=${{ env.TRUST_STORE }} \
  -Dsonar.scanner.truststorePassword=changeit \
  -Dsonar.scanner.keystorePath=${{ env.TRUST_STORE }} \
  -Dsonar.scanner.keystorePassword=changeit

Now the scanner can access the store, but still doesn’t like it:

Caused by: nl.altindag.ssl.exception.GenericKeyStoreException: Unable to read truststore from '~/.sonar/ssl/truststore.p12'
	at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.configureSsl(OkHttpClientFactory.java:146)
	at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.create(OkHttpClientFactory.java:80)
	at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.init(ScannerHttpClient.java:52)
	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:147)
	at org.sonarqube.gradle.SonarTask.run(SonarTask.java:134)
	... 116 more
Caused by: java.io.IOException: exception decrypting data - java.security.InvalidKeyException: Wrong algorithm: AES or Rijndael required
	at org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.cryptData(Unknown Source)
	at org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(Unknown Source)
	at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.loadKeyStoreWithPassword(OkHttpClientFactory.java:185)
	at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.loadTrustStoreWithBouncyCastle(OkHttpClientFactory.java:169

I must admit, the various moving parts of cryptography aren’t my strength. What do I need to be doing here to make Sonar happy when executing? Every piece of documentation I can find is on creating a store to hold self-signed certificates, but the server has a proper 3rd party signed certificate. Sonar just doesn’t like the system keystore. Would appreciate any assistance you can provide.
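Added example (editor's note, not part of the original post or of SonarSource's code): the two failures above are both about what the file on disk actually is, so the first thing worth doing in CI is to check the store's format by its magic bytes before the scanner ever opens it, and to refuse to proceed unless the converted file really is PKCS12 and reloads as one. The script below does that; the file paths, the "changeit" password and the script name are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a Java truststore
# before handing it to the Sonar scanner, and convert JKS -> PKCS12 with the
# store types pinned explicitly. Paths and passwords are placeholders.
set -eu

# keystore_format FILE
# Prints "jks", "jceks", "pkcs12" or "unknown" from the first four bytes:
# JKS files start with the magic 0xFEEDFEED, JCEKS with 0xCECECECE, and a
# PKCS12 store is a DER SEQUENCE whose first byte is 0x30. This is the same
# distinction behind "stream does not represent a PKCS12 key store".
keystore_format() {
  magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
  case "$magic" in
    feedfeed) echo jks ;;
    cececece) echo jceks ;;
    30*)      echo pkcs12 ;;
    *)        echo unknown ;;
  esac
}

# convert_to_pkcs12 SRC_JKS DEST_P12 PASSWORD
# Re-encodes a JKS truststore as PKCS12 with keytool and only returns success
# if the result both looks like PKCS12 and can be re-opened as one.
convert_to_pkcs12() {
  src=$1; dest=$2; pass=$3
  [ "$(keystore_format "$src")" = jks ] || {
    echo "not a JKS store: $src ($(keystore_format "$src"))" >&2; return 1; }
  keytool -importkeystore \
    -srckeystore "$src"   -srcstoretype JKS     -srcstorepass  "$pass" \
    -destkeystore "$dest" -deststoretype PKCS12 -deststorepass "$pass" \
    -noprompt
  [ "$(keystore_format "$dest")" = pkcs12 ] || {
    echo "conversion did not produce a PKCS12 file: $dest" >&2; return 1; }
  # Re-open with the store type pinned, the way a strict consumer would.
  keytool -list -storetype PKCS12 -keystore "$dest" -storepass "$pass" >/dev/null
}

# When run directly, e.g. as a CI step before "./gradlew ... sonar":
#   ./truststore.sh "$JAVA_HOME/lib/security/cacerts" "$HOME/.sonar/ssl/truststore.p12" changeit
if [ "$#" -eq 3 ]; then
  convert_to_pkcs12 "$1" "$2" "$3"
  echo "$2 is now $(keystore_format "$2")"
fi
```

Two caveats from the scanner's side, independent of this script. The sonar.scanner.keystorePath / keystorePassword pair configures a client-certificate store for mutual TLS; a server with a publicly trusted certificate only needs the truststore pair, so pointing both at the same file adds nothing. And a PKCS12 file written by a JDK 17 keytool uses the newer PBES2/AES protection algorithms by default; JDK 17 documents a keystore.pkcs12.legacy system property (keytool -J-Dkeystore.pkcs12.legacy) that writes the older algorithms instead. Whether that is what the BouncyCastle loader in the scanner is tripping over is not something this thread establishes, so treat it as a knob to try, not a confirmed fix.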

Hi,

Welcome to the community!

This SO answer may help.

Ann