- Environment: GitHub Actions, Large Ubuntu Runner
- JDK = 17 (Temurin)
- Gradle: 7.5 (AGP 7.4.2)
- Server: Sonar Developer 10.3 (Yeah, I know)
- Sonar Gradle Plugin: 6.1.0.5360
Hey folks, having some issues with the Sonar Gradle plugin in our CI setup, was hoping to get some assistance. We’re building an Android app that’s a little behind current but not catastrophically so.
The Sonar 5.x Gradle plugin started failing in our CI setup where it had previously worked OK, array-out-of-bounds stuff. Seemed like a bug (codebase got too big?) and I saw that the 6.x scanner was available, so I figured it would be smarter to upgrade the plugin instead.
This has itself caused me problems because the system cacerts file is in JKS format.
Original error message:
Caused by: nl.altindag.ssl.exception.GenericKeyStoreException: Unable to read truststore from '/usr/lib/jvm/temurin-17-jdk-amd64/lib/security/cacerts'
at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.configureSsl(OkHttpClientFactory.java:146)
at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.create(OkHttpClientFactory.java:80)
at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.init(ScannerHttpClient.java:52)
at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:147)
at org.sonarqube.gradle.SonarTask.run(SonarTask.java:134)
... 144 more
Caused by: java.io.IOException: stream does not represent a PKCS12 key store
I tried providing overrides to tell Sonar that the keystore is in JKS, but the flags I found for that on the net didn’t seem to work. Turns out that the Sonar Scanner’s Java library is now hard-coded to only accept PKCS12 stores.
So I tried converting the store:
keytool \
-importkeystore \
-srckeystore "$JKS_TRUST_STORE" \
-srcstoretype jks \
-destkeystore "$PKCS12_TRUST_STORE" \
-deststoretype pkcs12 \
-srcstorepass changeit \
-deststorepass changeit \
-noprompt
And then providing the new store location to the build:
./gradlew androidBuildNameHere sonar -x lint --profile --stacktrace \
-Dsonar.token=${{ secrets.SONAR_SECRET_TOKEN }} \
-Dsonar.host.url=${{ secrets.SONAR_HOST_URL }} \
-Dsonar.scanner.truststorePath=${{ env.TRUST_STORE }} \
-Dsonar.scanner.truststorePassword=changeit \
-Dsonar.scanner.keystorePath=${{ env.TRUST_STORE }} \
-Dsonar.scanner.keystorePassword=changeit
Now the scanner can access the store, but still doesn’t like it:
Caused by: nl.altindag.ssl.exception.GenericKeyStoreException: Unable to read truststore from '~/.sonar/ssl/truststore.p12'
at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.configureSsl(OkHttpClientFactory.java:146)
at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.create(OkHttpClientFactory.java:80)
at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.init(ScannerHttpClient.java:52)
at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:147)
at org.sonarqube.gradle.SonarTask.run(SonarTask.java:134)
... 116 more
Caused by: java.io.IOException: exception decrypting data - java.security.InvalidKeyException: Wrong algorithm: AES or Rijndael required
at org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.cryptData(Unknown Source)
at org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(Unknown Source)
at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.loadKeyStoreWithPassword(OkHttpClientFactory.java:185)
at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.loadTrustStoreWithBouncyCastle(OkHttpClientFactory.java:169
I must admit, the various moving parts of cryptography aren’t my strength. What do I need to be doing here to make Sonar happy when executing? Every piece of documentation I can find is on creating a store to hold self-signed certificates, but the server has a proper 3rd party signed certificate. Sonar just doesn’t like the system keystore. Would appreciate any assistance you can provide.
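The second trace fails inside BouncyCastle's PKCS12KeyStoreSpi.cryptData, that is, while decrypting a SafeContents of the converted store, so the useful first check is which encryption scheme keytool actually wrote into it. The script below is an added diagnostic, not code from the post or from Sonar: it walks the PKCS#12 ASN.1 with no dependencies and prints the contentEncryptionAlgorithm of every SafeContents, which is either a legacy PBE OID (for example pbeWithSHA1And40BitRC2-CBC, 1.2.840.113549.1.12.1.6) or PBES2 followed by its cipher OID (a JDK 17 keytool defaults to PBES2 with PBKDF2 and AES-256-CBC, 2.16.840.1.101.3.4.1.42); the file name it reads is an assumption.

```python
"""Report how each SafeContents inside a PKCS#12 store is protected (DER, definite lengths only)."""
import sys

ENCRYPTED_DATA, PBES2 = "1.2.840.113549.1.7.6", "1.2.840.113549.1.5.13"   # RFC 7292 / RFC 8018

def tlv(b, i=0):
    """Decode the DER element at b[i] into (tag, content, index_after_it)."""
    tag, n, i = b[i], b[i + 1], i + 2
    if n & 0x80:                          # long form: low 7 bits = number of length octets
        k, n = n & 0x7F, 0
        for _ in range(k):
            n, i = (n << 8) | b[i], i + 1
    return tag, b[i:i + n], i + n

def children(v):
    """Yield (tag, content) for every element inside a constructed value."""
    i = 0
    while i < len(v):
        tag, val, i = tlv(v, i)
        yield tag, val

def oid(v):
    """OBJECT IDENTIFIER content octets -> dotted-decimal string."""
    arcs, cur = [], 0
    for byte in v:
        cur = (cur << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, [arcs[0] // 40, arcs[0] % 40] + arcs[1:]))

def safe_encryption_schemes(der):
    """PFX -> authSafe ContentInfo -> [0] OCTET STRING -> AuthenticatedSafe ::= SEQUENCE OF ContentInfo."""
    _, auth_ci = list(children(tlv(der)[1]))[1]
    _, wrapper = list(children(auth_ci))[1]
    auth_safe = tlv(tlv(wrapper)[1])[1]
    out = []
    for _, ci in children(auth_safe):
        (_, ctype), (_, content) = children(ci)
        scheme = oid(ctype)                                  # 1.2.840.113549.1.7.1 = data: bags not encrypted
        if scheme == ENCRYPTED_DATA:
            _, eci = list(children(tlv(content)[1]))[1]      # EncryptedData.encryptedContentInfo
            alg = list(children(list(children(eci))[1][1]))  # contentEncryptionAlgorithm: [OID, params]
            scheme = oid(alg[0][1])                          # a legacy PBE OID (RC2/3DES + SHA-1) ...
            if scheme == PBES2:                              # ... or PBES2: params = { kdf, encryptionScheme }
                _, enc = list(children(alg[1][1]))[1]
                scheme = "PBES2/" + oid(next(children(enc))[1])
        out.append(scheme)
    return out

if __name__ == "__main__":                                   # usage: python p12scheme.py truststore.p12 (assumed name)
    with open(sys.argv[1], "rb") as f:
        print(safe_encryption_schemes(f.read()))
```

A result of PBES2/2.16.840.1.101.3.4.1.42 confirms the store is on the PBES2/AES path the trace shows; the algorithms keytool uses for a PKCS12 store are controlled by the keystore.pkcs12.* properties in the JDK's java.security file, and re-running this check after a conversion shows which scheme the new file actually carries.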