.NET SonarScanner failing on latest .NET 8 Docker image

Must-share information (formatted with Markdown):

TeamCity build logs (lightly sanitized) from failure:

[15:45:44] 14:45:44.178 DEBUG: Download: https://sonarqube.mydomain.com/batch/index
[15:45:44] 14:45:44.379 ERROR: SonarQube server [https://sonarqube.mydomain.com] can not be reached
[15:45:44] 14:45:44.400 ERROR: Error during SonarScanner execution
[15:45:44] org.sonarsource.scanner.api.internal.ScannerException: Unable to execute SonarScanner analysis
[15:45:44]  at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$createLauncher$0(IsolatedLauncherFactory.java:85)
[15:45:44]  at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
[15:45:44]  at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(IsolatedLauncherFactory.java:74)
[15:45:44]  at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(IsolatedLauncherFactory.java:70)
[15:45:44]  at org.sonarsource.scanner.api.EmbeddedScanner.doStart(EmbeddedScanner.java:185)
[15:45:44]  at org.sonarsource.scanner.api.EmbeddedScanner.start(EmbeddedScanner.java:123)
[15:45:44]  at org.sonarsource.scanner.cli.Main.execute(Main.java:74)
[15:45:44]  at org.sonarsource.scanner.cli.Main.main(Main.java:62)
[15:45:44] Caused by: java.lang.IllegalStateException: Fail to get bootstrap index from server
[15:45:44]  at org.sonarsource.scanner.api.internal.BootstrapIndexDownloader.getIndex(BootstrapIndexDownloader.java:42)
[15:45:44]  at org.sonarsource.scanner.api.internal.JarDownloader.getScannerEngineFiles(JarDownloader.java:58)
[15:45:44]  at org.sonarsource.scanner.api.internal.JarDownloader.download(JarDownloader.java:53)
[15:45:44]  at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$createLauncher$0(IsolatedLauncherFactory.java:76)
[15:45:44]  ... 7 more
[15:45:44] Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[15:45:44]  at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
[15:45:44]  at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
[15:45:44]  at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
[15:45:44]  at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
[15:45:44]  at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
[15:45:44]  at java.base/sun.security.ssl.CertificateStatus$CertificateStatusConsumer.consume(CertificateStatus.java:293)
[15:45:44]  at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
[15:45:44]  at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
[15:45:44]  at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
[15:45:44]  at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
[15:45:44]  at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
[15:45:44]  at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
[15:45:44]  at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
[15:45:44]  at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
[15:45:44]  at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
[15:45:44]  at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.connectTls(RealConnection.java:336)
[15:45:44]  at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
[15:45:44]  at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.connect(RealConnection.java:185)
[15:45:44]  at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
[15:45:44]  at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
[15:45:44]  at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
[15:45:44]  at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.Transmitter.newExchange(Transmitter.java:169)
[15:45:44]  at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
[15:45:44]  at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
[15:45:44]  at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
[15:45:44]  at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
[15:45:44] 14:45:44.379 INFO: ------------------------------------------------------------------------
[15:45:44]  at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
[15:45:44] 14:45:44.380 INFO: EXECUTION FAILURE
[15:45:44]  at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
[15:45:44] 14:45:44.380 INFO: ------------------------------------------------------------------------
[15:45:44]  at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
[15:45:44] 14:45:44.380 INFO: Total time: 1.285s
[15:45:44]  at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
[15:45:44] 14:45:44.399 INFO: Final Memory: 3M/14M
[15:45:44] 14:45:44.400 INFO: ------------------------------------------------------------------------
[15:45:44]  at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
[15:45:44]  at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
[15:45:44]  at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
[15:45:44]  at org.sonarsource.scanner.api.internal.shaded.okhttp.RealCall.getResponseWithInterceptorChain(RealCall.java:221)
[15:45:44]  at org.sonarsource.scanner.api.internal.shaded.okhttp.RealCall.execute(RealCall.java:81)
[15:45:44]  at org.sonarsource.scanner.api.internal.ServerConnection.callUrl(ServerConnection.java:115)
[15:45:44]  at org.sonarsource.scanner.api.internal.ServerConnection.downloadString(ServerConnection.java:99)
[15:45:44]  at org.sonarsource.scanner.api.internal.BootstrapIndexDownloader.getIndex(BootstrapIndexDownloader.java:39)
[15:45:44]  ... 10 more
[15:45:44] Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[15:45:44]  at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
[15:45:44]  at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
[15:45:44]  at java.base/sun.security.validator.Validator.validate(Validator.java:264)
[15:45:44]  at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
[15:45:44]  at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
[15:45:44]  at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
[15:45:44]  ... 43 more
[15:45:44] Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[15:45:44]  at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
[15:45:44]  at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:127)
[15:45:44]  at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
[15:45:44]  at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
[15:45:44]  ... 48 more
[15:45:44]  at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$createLauncher$0(IsolatedLauncherFactory.java:85)
[15:45:44]  at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
[15:45:44]  at org.sonarsource.scanner.api.inter
[15:45:44] Process returned exit code 1
[15:45:44] The SonarScanner did not complete successfully
[15:45:44] 14:45:44.438 Post-processing failed. Exit code: 1

Let me know what else I can provide that would be helpful.

FYI, the same seems to be happening with the .NET 9 images as well.

Hey @Matthew_Ricks_USBE

Thanks for the report.

Just to confirm:

  • SonarScanner for .NET 9.2.1/10 works for 8.0.406 and not 8.0.407? I just want to make sure the issue is isolated from the Scanner for .NET.
  • Is your SonarQube server using a self-signed certificate?

Correct; 9.2.1/10 work on 8.0.406 but not 8.0.407. The same issue occurs on the .NET 9 images: working on 9.0.200 but not 9.0.201.

Our instance does not use a self-signed certificate.

Hey @Matthew_Ricks_USBE

I’ve been trying it out, and something seems very wrong with the latest images, even outside of executing the SonarScanner!

Take this simple docker image:

FROM mcr.microsoft.com/dotnet/sdk:9.0.201 AS build
WORKDIR /src
# Copy the csproj and restore as distinct layers
COPY *.csproj ./
RUN dotnet restore
COPY . ./
RUN dotnet tool install --global dotnet-sonarscanner
RUN dotnet build

If I execute docker build --tag 'testdocker' . --no-cache, I get these errors:

 => [4/7] RUN dotnet restore                                                                                                                                15.7s
 => => # /src/dockerdotnet.csproj : error NU1301: Unable to load the service index for source https://api.nuget.org/v3/index.json.
 => => # /src/dockerdotnet.csproj : error NU1301:   The SSL connection could not be established, see inner exception.
 => => # /src/dockerdotnet.csproj : error NU1301:   The remote certificate is invalid because of errors in the certificate chain: PartialChain
 => => # /src/dockerdotnet.csproj : error NU1301: Unable to load the service index for source https://api.nuget.org/v3/index.json.
 => => # /src/dockerdotnet.csproj : error NU1301:   The SSL connection could not be established, see inner exception.
 => => # /src/dockerdotnet.csproj : error NU1301:   The remote certificate is invalid because of errors in the certificate chain: PartialChain

But as soon as I switch to 9.0.200, it runs fine.

 => [4/7] RUN dotnet restore                                                                                                                                 5.7s
 => [5/7] COPY . ./                                                                                                                                          0.0s
 => [6/7] RUN dotnet tool install --global dotnet-sonarscanner                                                                                               1.6s
 => [7/7] RUN dotnet build                                                                                                                                   1.4s
 => exporting to image                                                                                                                                       0.1s
 => => exporting layers                                                                                                                                      0.1s
 => => writing image sha256:47597db95d0b33180443f9a937a63f51bb33c3169d1b0b99daeaee99eebdac3a                                                                 0.0s
 => => naming to docker.io/library/testdocker                                                                                                                0.0s

So it’s not just you, but I’m still not sure what could be going on. I’ll have a look again tomorrow, or maybe someone from our team will be along to take a look!

Your findings line up with my suspicions, but I’m not the best at Docker stuff. I’ll take your example and post it to the .NET Docker repository and ask if they know what’s up.

FYI, the .NET Docker issue was opened with these details: https://github.com/dotnet/dotnet-docker/issues/6325#issue-2929903655
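Added example, not part of the thread and not SonarSource or .NET tooling: a Python triage over the two failure logs quoted above. It reads the innermost `Caused by` of the Java trace and the .NET chain status so that a certificate-trust failure is not mistaken for the "can not be reached" connectivity message the scanner prints first. The sample lines are constructed by shortening the quoted logs; the function name `triage` and its category labels are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed samples, shortened from the two failures quoted in the thread.
JAVA_LOG = """\
[15:45:44] 14:45:44.379 ERROR: SonarQube server [https://sonarqube.mydomain.com] can not be reached
[15:45:44] Caused by: java.lang.IllegalStateException: Fail to get bootstrap index from server
[15:45:44]  at org.sonarsource.scanner.api.internal.JarDownloader.download(JarDownloader.java:53)
[15:45:44] Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[15:45:44] 14:45:44.380 INFO: EXECUTION FAILURE
[15:45:44] Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
"""
NUGET_LOG = """\
 => => # /src/dockerdotnet.csproj : error NU1301: Unable to load the service index for source https://api.nuget.org/v3/index.json.
 => => # /src/dockerdotnet.csproj : error NU1301:   The remote certificate is invalid because of errors in the certificate chain: PartialChain
 => => # /src/dockerdotnet.csproj : error NU1301:   The remote certificate is invalid because of errors in the certificate chain: PartialChain
"""

PREFIX = re.compile(r"^\[\d\d:\d\d:\d\d\]\s?")   # TeamCity timestamp prefix
CAUSE = re.compile(r"^Caused by: ([\w.$]+)(?:: (.*))?$")
CHAIN_FLAGS = re.compile(r"errors in the certificate chain: ([\w, ]+)")
URL = re.compile(r"https://[^\s\]]+")
NETWORK = {"java.net.ConnectException", "java.net.UnknownHostException",
           "java.net.SocketTimeoutException"}

def triage(log):
    """Classify a failed build log as a trust-store, network or unknown failure."""
    causes, flags, hosts = [], set(), set()
    for raw in log.splitlines():
        line = PREFIX.sub("", raw).strip()
        m = CAUSE.match(line)
        if m:
            causes.append(m.group(1))
        m = CHAIN_FLAGS.search(line)
        if m:
            flags.update(f.strip() for f in m.group(1).split(","))
        hosts.update(urlsplit(u).hostname for u in URL.findall(line))
    root = causes[-1] if causes else None   # innermost "Caused by" is the real cause
    if flags or (root and "certpath" in root) or "PKIX path building failed" in log:
        kind = "trust-store"   # peer answered; its chain did not reach a trusted root
    elif root in NETWORK:
        kind = "network"
    else:
        kind = "unknown"
    return {"kind": kind, "root_cause": root, "chain_flags": sorted(flags), "hosts": sorted(hosts)}
```

A `trust-store` verdict means the TLS peer was reached and presented a chain, so the place to look is the CA bundle inside the build image or the chain the server serves, not routing or DNS.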