Maven Sonar Scanner 5.0.0.4389 certs issue

Versions

  • SonarQube Version 2025.1 LTA Enterprise

  • Maven 3.9

  • SonarLint 5.0.0.4389

  • SonarQube deployed: Docker

  • what are you trying to achieve

  • Trying to scan a Java project with SonarLint 5.0.0.4389 without using skip.jre.provisioning=true in Bitbucket Pipelines

  • what have you tried so far to achieve this

    note** for privacy I have replaced private information with <…some text…>

          - echo $CA1 | base64 -di > CA1.crt
          - echo $CA2 | base64 -di >CA2.crt
          - echo $MAVEN_SETTINGS > settings.xml 
          
          - cp $JAVA_HOME/lib/security/cacerts $BITBUCKET_CLONE_DIR/cacerts
          - keytool -noprompt -storepass changeit -keystore $BITBUCKET_CLONE_DIR/cacerts -import -file CA1.crt -alias CA1
          - keytool -noprompt -storepass changeit -keystore $BITBUCKET_CLONE_DIR/cacerts -import -file CA2.crt -alias CA2    
          - export SONAR_SCANNER_OPTS="-Djavax.net.ssl.trustStore=$BITBUCKET_CLONE_DIR/cacerts -Djavax.net.ssl.trustStorePassword=changeit"
          - mvn  -B  org.sonarsource.scanner.maven:sonar-maven-plugin:$MAVEN_SONAR_PLUGIN_VERSION:sonar -s settings.xml --file pom.xml -P${SONAR_MAVEN_PROFILE_PRD}  -Dsonar.token=${SONAR_TOKEN} -Dsonar.projectKey=${SONAR_PROJECT_KEY} -Dsonar.branch.name=${BIBUCKET_BRANCH} -Dsonar.projectName='<project name here>' -Dsonar.exclusions=<file exclusion here>

Log:


`+ mvn  -B  org.sonarsource.scanner.maven:sonar-maven-plugin:$MAVEN_SONAR_PLUGIN_VERSION:sonar -s settings.xml --file pom.xml -P${SONAR_MAVEN_PROFILE_PRD}  -Dsonar.token=${SONAR_TOKEN} -Dsonar.projectKey=${SONAR_PROJECT_KEY} -Dsonar.branch.name=${BIBUCKET_BRANCH} -Dsonar.projectName='<project name here>' -Dsonar.exclusions=<file exclusion here>`


`[INFO] Scanning for projects...`
`[INFO] Downloading from nexus: <private url to nexus>`

`[INFO] ------------------------------------------------------------------------`

`[INFO] BUILD FAILURE`

`[INFO] ------------------------------------------------------------------------`

`[INFO] Total time:  0.488 s`

`[INFO] Finished at: 2025-02-25T20:03:04Z`

`[INFO] ------------------------------------------------------------------------`

`[ERROR] Plugin org.sonarsource.scanner.maven:sonar-maven-plugin:5.0.0.4389 or one of its dependencies could not be resolved:`

`[ERROR] 	The following artifacts could not be resolved: org.sonarsource.scanner.maven:sonar-maven-plugin:pom:5.0.0.4389 (absent): Could not transfer artifact org.sonarsource.scanner.maven:sonar-maven-plugin:pom:5.0.0.4389 from/to nexus <private nexus url>: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target`

If I use the skip provision, I am able to use the scanner. Currently this solution works but for future pipelines I would like to not use the skip provision.

Hey there.

You’re on the right path by configuring a keystore and passing that keystore to SONAR_SCANNER_OPTS.

I suggest you remove the scanner itself from the equation and use a tool like SSLPoke to see if you’ve got the keystore configured correctly.

Typically, I also suggest using openssl to download a website’s certificates using a self-signed certificate and then adding that to my trust store. How to save a remote server SSL certificate locally as a file - Super User
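
An SSLPoke-style check along the lines suggested above, as an added example that is not part of the original thread: it reports which trust store the JVM was given, whether the CA1 and CA2 aliases from the pipeline are in it, and whether a TLS handshake to the given host validates. The class name TrustCheck and its command-line arguments are assumptions made for this example.

```java
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Added example (hypothetical class name). Assumed invocation, Java 11+ source-file mode:
//   java -Djavax.net.ssl.trustStore=<path> -Djavax.net.ssl.trustStorePassword=<pass> \
//        TrustCheck.java <host> <port> CA1 CA2
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: TrustCheck <host> <port> [alias...]");
            System.exit(2);
        }
        // 1. Show the trust store this JVM was actually told to use, and check the aliases.
        String path = System.getProperty("javax.net.ssl.trustStore");
        String pass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        if (path == null) {
            System.out.println("javax.net.ssl.trustStore not set: JVM default cacerts in use");
        } else {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = new FileInputStream(path)) {
                ks.load(in, pass.toCharArray());
            }
            System.out.println("trustStore " + path + " holds " + ks.size() + " entries");
            for (int i = 2; i < args.length; i++) {
                System.out.println("  alias " + args[i] + ": "
                        + (ks.containsAlias(args[i]) ? "present" : "MISSING"));
            }
        }
        // 2. Handshake with the default SSLContext, which honours the properties above.
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(args[0], Integer.parseInt(args[1]))) {
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // verify hostname as HTTPS clients do
            socket.setSSLParameters(params);
            socket.startHandshake();
            for (Certificate c : socket.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("subject=" + x.getSubjectX500Principal()
                        + " | issuer=" + x.getIssuerX500Principal());
            }
            System.out.println("Handshake OK: chain validated against the trust store");
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake FAILED: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it against the host named in the PKIX error; in the log above that is the Nexus repository Maven downloads the plugin from, so that is the connection the trust store has to cover.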