Release Sonar-Scanner with keytool executable

Version:

  • sonar-scanner-cli-4.2.0.1873-linux.zip

What are you trying to achieve:

I would like to scan a JS project using node:8-stretch or similar image due to the fact that SonarJS requires NodeJS to be on the path (I would not like to create & maintain my own pet image).
However when performing a scan against our instance, I need certain TLS certificates added to the cacerts keystore. To do this, the sonar-scanner is lacking the keytool executable in the zip file.

Would it be possible to release the keytool along with the provided JRE in the zip?

Hello @CCFenner,

Did you try to use our Docker image for the scanner (https://hub.docker.com/r/sonarsource/sonar-scanner-cli)?
Is there some reason why it’s not suitable for your use?

Hi @saberduck

I’ve looked for such an image some time ago and didn’t find any. Great that there is one available now!

But it’s the same issue, to connect to our Sonar Enterprise instance I need a TLS certificate in the Java cert store. And the keytool executable is unfortunately not in the Docker image.

I think a simple change like this would be sufficient?

Isn’t it much easier to simply prepare your cacerts and mount it in the proper place inside the docker image?

No matter what, this is certainly not something that has anything to do with Sonar. Keytool is provided by Java.

@edu Yes, this works for a Docker environment. But in our K8s env we prevent mounting anything else besides the workspace for security reasons. And due to insufficient permissions I can’t copy the file from the workspace into the jre folder.

@ChrisC the JVM is filtered & bundled by Sonar-Scanner-CLI, see here.

By now I use node:lts and download the scanner on the fly. This way I can replace the cacerts file in the JRE.

I think cacerts can be stored in a ConfigMap, no mounts needed: https://stackoverflow.com/questions/39420102/how-can-i-store-a-binary-file-in-a-kubernetes-configmap

@saberduck could I get a reply on sonar-scanner-cli#79 regarding this topic?

@CCFenner I pinged the team owning this repo


I found a proper workaround by copying a prepared cacerts file into the Docker container and passing -Djavax.net.ssl.trustStore=path/to/custom/cacerts within SONAR_SCANNER_OPTS to the Sonar scanner.
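The workaround described in this thread, written out as an added shell example (not code posted by any participant or shipped by SonarSource): the custom cacerts is prepared on a machine that has a JDK (and therefore keytool), since the scanner zip and image lack it, and is then handed to the scanner through SONAR_SCANNER_OPTS. Assumptions: the default cacerts password is `changeit`, the alias `internal-ca` and all file paths are placeholders, and the ConfigMap name is made up for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread: build a cacerts that trusts a private CA
# and pass it to sonar-scanner via SONAR_SCANNER_OPTS.
# Assumptions: keytool is available where the truststore is PREPARED (a build
# host or JDK image), even though it is absent from the scanner zip/image;
# the default cacerts password is "changeit"; paths and alias are placeholders.

set -eu

# prepare_truststore <ca.pem> <out-cacerts> [<base-cacerts>] [<password>]
# Copies the base JRE cacerts (if given) and imports the CA certificate into
# the copy, so the scanner keeps trusting public CAs plus the private one.
prepare_truststore() {
    ca_pem=$1
    out=$2
    base=${3:-}
    pass=${4:-changeit}
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found: prepare the truststore on a host with a JDK" >&2
        return 2
    fi
    if [ -n "$base" ]; then
        cp "$base" "$out"
    fi
    keytool -importcert -noprompt -trustcacerts \
        -alias internal-ca -file "$ca_pem" \
        -keystore "$out" -storepass "$pass"
}

# scanner_opts <truststore> [<password>]
# Prints the JVM flags to place in SONAR_SCANNER_OPTS. Fails early if the
# truststore is missing instead of letting the scan fail at TLS handshake time.
scanner_opts() {
    ts=$1
    pass=${2:-changeit}
    if [ ! -f "$ts" ]; then
        echo "truststore not found: $ts" >&2
        return 1
    fi
    printf '%s' "-Djavax.net.ssl.trustStore=$ts -Djavax.net.ssl.trustStorePassword=$pass"
}

# Usage (paths are placeholders):
#   prepare_truststore ./internal-ca.pem ./cacerts "$JAVA_HOME/lib/security/cacerts"
#   SONAR_SCANNER_OPTS="$(scanner_opts ./cacerts)" sonar-scanner
# In Kubernetes the prepared cacerts can be delivered as a binary ConfigMap
# (the approach linked earlier in the thread) rather than a host mount:
#   kubectl create configmap sonar-cacerts --from-file=cacerts=./cacerts
```

Importing into a copy of the JRE's own cacerts, rather than into an empty keystore, keeps the public CA roots the scanner may still need (for example for plugin downloads); the truststore password is passed explicitly because the JVM only falls back to `changeit` for the default store.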