Maven build Error: Fail to decrypt the property x. Please check your secret key

I have been using this for a while and am not sure why all of a sudden I am getting an error on a property when it contains {aes} and the property is not related to sonar running in any way.

Configuration

  • Maven 3.8.4 (also tried 3.6.3)
  • Java 17 (also tried 8 and 11)
  • Sonar Maven Plugin 3.9.1.2184 (also tried 3.9.0.2155, 3.8.0.2131)

Maven Command

mvn verify sonar:sonar

Maven Output

[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  3.570 s
[INFO] Finished at: 2022-02-07T11:53:45-05:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.1.2184:sonar (default-cli) on project sonar-secret-issue: Fail to decrypt the property org.example.password. Please check your
 secret key.: The property sonar.secretKeyPath does not link to a valid file: [excluded].sonar\sonar-secret.txt -> [Help 1]
[ERROR]

Maven Output with -e Switch

[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  2.286 s
[INFO] Finished at: 2022-02-07T11:58:30-05:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.1.2184:sonar (default-cli) on project sonar-secret-issue: Fail to decrypt the property org.example.password. Please check your
 secret key.: The property sonar.secretKeyPath does not link to a valid file: [excluded].sonar\sonar-secret.txt -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.1.2184:sonar (default-cli) on project sonar-secret-issue: Fail to decrypt the 
property org.example.password. Please check your secret key.
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:972)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:293)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:196)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:77)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:568)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: org.apache.maven.plugin.MojoExecutionException: Fail to decrypt the property org.example.password. Please check your secret key.
    at org.sonarsource.scanner.maven.bootstrap.ScannerBootstrapper.execute (ScannerBootstrapper.java:67)
    at org.sonarsource.scanner.maven.SonarQubeMojo.execute (SonarQubeMojo.java:108)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:972)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:293)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:196)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:77)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:568)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: java.lang.IllegalStateException: Fail to decrypt the property org.example.password. Please check your secret key.
    at org.sonar.scanner.bootstrap.ScannerProperties.<init> (ScannerProperties.java:49)
    at org.sonar.scanner.bootstrap.GlobalContainer.doBeforeStart (GlobalContainer.java:78)
    at org.sonar.core.platform.ComponentContainer.startComponents (ComponentContainer.java:135)
    at org.sonar.core.platform.ComponentContainer.execute (ComponentContainer.java:123)
    at org.sonar.batch.bootstrapper.Batch.doExecute (Batch.java:72)
    at org.sonar.batch.bootstrapper.Batch.execute (Batch.java:66)
    at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute (BatchIsolatedLauncher.java:46)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:77)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:568)
    at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke (IsolatedLauncherProxy.java:60)
    at jdk.proxy3.$Proxy24.execute (Unknown Source)
    at org.sonarsource.scanner.api.EmbeddedScanner.doExecute (EmbeddedScanner.java:189)
    at org.sonarsource.scanner.api.EmbeddedScanner.execute (EmbeddedScanner.java:138)
    at org.sonarsource.scanner.maven.bootstrap.ScannerBootstrapper.execute (ScannerBootstrapper.java:65)
    at org.sonarsource.scanner.maven.SonarQubeMojo.execute (SonarQubeMojo.java:108)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:972)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:293)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:196)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:77)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:568)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: java.lang.IllegalStateException: The property sonar.secretKeyPath does not link to a valid file: [excluded]\.sonar\sonar-secret.txt
    at org.sonar.api.config.internal.AesCipher.loadSecretFileFromFile (AesCipher.java:71)
    at org.sonar.api.config.internal.AesCipher.loadSecretFile (AesCipher.java:62)
    at org.sonar.api.config.internal.AesECBCipher.decrypt (AesECBCipher.java:57)
    at org.sonar.api.config.internal.Encryption.decrypt (Encryption.java:86)
    at org.sonar.scanner.bootstrap.ScannerProperties.<init> (ScannerProperties.java:47)
    at org.sonar.scanner.bootstrap.GlobalContainer.doBeforeStart (GlobalContainer.java:78)
    at org.sonar.core.platform.ComponentContainer.startComponents (ComponentContainer.java:135)
    at org.sonar.core.platform.ComponentContainer.execute (ComponentContainer.java:123)
    at org.sonar.batch.bootstrapper.Batch.doExecute (Batch.java:72)
    at org.sonar.batch.bootstrapper.Batch.execute (Batch.java:66)
    at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute (BatchIsolatedLauncher.java:46)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:77)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:568)
    at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke (IsolatedLauncherProxy.java:60)
    at jdk.proxy3.$Proxy24.execute (Unknown Source)
    at org.sonarsource.scanner.api.EmbeddedScanner.doExecute (EmbeddedScanner.java:189)
    at org.sonarsource.scanner.api.EmbeddedScanner.execute (EmbeddedScanner.java:138)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:568)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
[ERROR]

Steps to Reproduce

  1. Create project with pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>sonar-secret-issue</artifactId>
    <version>1.0-SNAPSHOT</version>

    <name>sonar-secret-issue</name>

    <properties>
        <maven.compiler.source>17</maven.compiler.source>
        <maven.compiler.target>17</maven.compiler.target>
        <org.example.password>{aes}something-would-be-here-but-not-for-sonar</org.example.password>

        <sonar.host.url>http://localhost:9000/</sonar.host.url>
        <sonar.language>java</sonar.language>
        <sonar.projectKey>${project.name}</sonar.projectKey>
    </properties>
</project>
  2. Run maven command mvn verify sonar:sonar

Potential Workaround
Using sonar-project.properties and the manual sonar-scanner command line utility it runs and works properly. Not very ideal in a CI/CD environment and would expect the same results from the maven plugin.

Potential Workaround 2
I am not sure if I read all the code properly, however, potentially this line sonarqube/ScannerProperties.java at ca4aa60e6e087819e2c1445ef49b8c5ab8e82b76 · SonarSource/sonarqube · GitHub could change to only look for “sonar.” properties or provide an override to not test encryption.

Expectation
I would expect that SonarSource Scanner would disregard any properties that are not related to Sonar directly or that don’t start with sonar.

I am sure I have used this previously and am not sure why all of a sudden this behavior would be encountered. I am willing to do additional steps to capture more information if necessary.

Bruce

Hi Bruce,

Welcome to the community!

This error is about a server-side change. It looks like your SonarQube admin is experimenting with encryption on the server side, and has configured a bad path to the key file. (Docs reference.)

Why would this suddenly affect a previously-working analysis? Because sometimes sensitive values are needed during analysis, so the ability to decrypt is required.

To sort this out, you’ll need to ping the SonarQube admin.

 
HTH,
Ann

Hello G Ann,

In this case I am the SonarQube admin! I am running it locally with Docker and have not made any encryption settings in SonarQube.

From what I see Sonar is picking up any “potentially” encrypted property even if the property is not in correlation to running anything related to sonar.

So if I am reading what you are saying, if we had any property unrelated to Sonar it has to go through Sonar and have a valid decryption through Sonar even if it is necessary for a different plugin?

Seems just odd because it has the term “{aes}” that Sonar must be able to decrypt it. If the property name began with sonar and had “{aes}” in the value then I would expect that Sonar should be able to decrypt it. I wouldn’t want Sonar to be able to decrypt all my potential properties.

I even just went through and did a fresh clean install of SonarQube and only changed default admin password and created login token. I still receive the same issue.

I also recently updated from 9.2.4 to 9.3 so I even went back and tried 9.2.4 again but get the same error.

I also want to point out from my original post that if I use the sonar-scanner from the command line I receive no such error and the results are posted to SonarQube with no issues.

Thanks
Bruce
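
A pre-build check for the behaviour reported in this thread, as an added example that is not part of any post and not SonarSource code: it lists POM properties whose value starts with {aes} and separates out those not named sonar.*, the kind the scanner failed on above when no secret key file was present. The sample POM is constructed from the one in the original post; the `ci` profile, `db.secret` and the `sonar.login` value are assumptions for illustration.

```python
import sys
import xml.etree.ElementTree as ET

ENCRYPTED_PREFIX = "{aes}"  # marker shown in the thread's failing property

# Constructed sample, trimmed from the POM in the original post.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <maven.compiler.source>17</maven.compiler.source>
    <org.example.password>{aes}something-would-be-here-but-not-for-sonar</org.example.password>
    <sonar.host.url>http://localhost:9000/</sonar.host.url>
    <sonar.login>{aes}constructed-value</sonar.login>
  </properties>
  <profiles>
    <profile>
      <id>ci</id>
      <properties><db.secret>{aes}constructed</db.secret></properties>
    </profile>
  </profiles>
</project>
"""

def find_aes_properties(pom_text):
    """Return [(name, is_sonar_property)] for each {aes}-prefixed property value."""
    root = ET.fromstring(pom_text.encode("utf-8"))
    # POMs may or may not declare the Maven namespace; reuse whatever the root has.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    # Only project-level and profile-level <properties>, not plugin configuration.
    blocks = root.findall(f"{ns}properties")
    blocks += root.findall(f"{ns}profiles/{ns}profile/{ns}properties")
    hits = []
    for block in blocks:
        for prop in block:
            # Strip whitespace so indented values are still flagged (conservative).
            if (prop.text or "").strip().startswith(ENCRYPTED_PREFIX):
                name = prop.tag.rsplit("}", 1)[-1]
                hits.append((name, name.startswith("sonar.")))
    return hits

def unrelated_encrypted(pom_text):
    """Names of non-sonar properties that carry the {aes} marker."""
    return [name for name, is_sonar in find_aes_properties(pom_text) if not is_sonar]

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_POM
    flagged = unrelated_encrypted(text)
    for name in flagged:
        print(f"non-sonar property with {ENCRYPTED_PREFIX} value: {name}")
    sys.exit(1 if flagged else 0)
```

Run with a path to a pom.xml as the only argument; a non-zero exit lets a CI step stop before `sonar:sonar` is invoked.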

Hi, I’m experiencing the exact same issue with some non-related passwords.
I’m running a sonarqube 9.1 server and have the same behaviour with a sonarqube 6.7.4 (so old).

I tried with different versions of sonar-maven-plugin (3.8 to 3.9) but got the issue.

Pierre