SCM file info via svn+ssh raises java.io.IOException: Cannot negotiate, proposals do not match

astauber · January 17, 2022, 4:58pm

Description

The SonarScanner raises an exception when trying to get file information via svn+ssh . The exception is thrown when the ssh server on the svn server only allows more secure KexAlgorithms.
The Exception is:
java.io.IOException: Cannot negotiate, proposals do not match.

Several svn tools (e.g. Linux, TortoiseSVN) uses more secure KexAlgorithms and work with our svn server.

Workaround

Enable unsecure diffie-hellman-group-exchange-sha1 KexAlgorithms in ssh server configuration.

Version

SonarScanner CLI Windows 4.6.2.2472
SonarQube Developer Edition 8.9.6.50800

Log Snippet

  java.lang.IllegalStateException: Error when executing blame for file src/socket/test_socket_simple.cpp
  	at org.sonar.scm.svn.SvnBlameCommand.blame(SvnBlameCommand.java:85)
  	at org.sonar.scm.svn.SvnBlameCommand.blame(SvnBlameCommand.java:58)
  	at org.sonar.scanner.scm.ScmPublisher.publish(ScmPublisher.java:84)
  	at org.sonar.scanner.scan.ProjectScanContainer.doAfterStart(ProjectScanContainer.java:362)
  	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:137)
  	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:123)
  	at org.sonar.scanner.bootstrap.GlobalContainer.doAfterStart(GlobalContainer.java:150)
  	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:137)
  	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:123)
  	at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:72)
  	at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:66)
  	at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
  	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
  	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
  	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
  	at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
  	at com.sun.proxy.$Proxy0.execute(Unknown Source)
  	at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)
  	at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)
  	at org.sonarsource.scanner.cli.Main.execute(Main.java:112)
  	at org.sonarsource.scanner.cli.Main.execute(Main.java:75)
  	at org.sonarsource.scanner.cli.Main.main(Main.java:61)
  Caused by: org.tmatesoft.svn.core.SVNException: svn: E210002: There was a problem while connecting to svn.horizont-it.de:22
  	at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.error(SVNErrorManager.java:70)
  	at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.error(SVNErrorManager.java:57)
  	at org.tmatesoft.svn.core.internal.io.svn.SVNSSHConnector.open(SVNSSHConnector.java:145)
  	at org.tmatesoft.svn.core.internal.io.svn.SVNConnection.open(SVNConnection.java:79)
  	at org.tmatesoft.svn.core.internal.io.svn.SVNRepositoryImpl.openConnection(SVNRepositoryImpl.java:1282)
  	at org.tmatesoft.svn.core.internal.io.svn.SVNRepositoryImpl.hasCapability(SVNRepositoryImpl.java:1590)
  	at org.tmatesoft.svn.core.io.SVNRepository.assertServerIsMergeInfoCapable(SVNRepository.java:790)
  	at org.tmatesoft.svn.core.io.SVNRepository.getFileRevisions(SVNRepository.java:759)
  	at org.tmatesoft.svn.core.internal.wc2.remote.SvnRemoteAnnotate.run(SvnRemoteAnnotate.java:109)
  	at org.tmatesoft.svn.core.internal.wc2.remote.SvnRemoteAnnotate.run(SvnRemoteAnnotate.java:30)
  	at org.tmatesoft.svn.core.internal.wc2.SvnOperationRunner.run(SvnOperationRunner.java:21)
  	at org.tmatesoft.svn.core.wc2.SvnOperationFactory.run(SvnOperationFactory.java:1239)
  	at org.tmatesoft.svn.core.wc2.SvnOperation.run(SvnOperation.java:294)
  	at org.tmatesoft.svn.core.wc.SVNLogClient.doAnnotate(SVNLogClient.java:295)
  	at org.sonar.scm.svn.SvnBlameCommand.blame(SvnBlameCommand.java:83)
  	... 22 more
  Caused by: java.io.IOException: There was a problem while connecting to svn.horizont-it.de:22
  	at com.trilead.ssh2.Connection.connect(Connection.java:817)
  	at org.tmatesoft.svn.core.internal.io.svn.ssh.SshHost.openConnection(SshHost.java:225)
  	at org.tmatesoft.svn.core.internal.io.svn.ssh.SshHost.openSession(SshHost.java:153)
  	at org.tmatesoft.svn.core.internal.io.svn.ssh.SshSessionPool.openSession(SshSessionPool.java:85)
  	at org.tmatesoft.svn.core.internal.io.svn.SVNSSHConnector.open(SVNSSHConnector.java:122)
  	... 34 more
  Caused by: java.io.IOException: Key exchange was not finished, connection is closed.
  	at com.trilead.ssh2.transport.KexManager.getOrWaitForConnectionInfo(KexManager.java:92)
  	at com.trilead.ssh2.transport.TransportManager.getConnectionInfo(TransportManager.java:231)
  	at com.trilead.ssh2.Connection.connect(Connection.java:769)
  	... 38 more
  Caused by: java.io.IOException: Cannot negotiate, proposals do not match.
  	at com.trilead.ssh2.transport.KexManager.handleMessage(KexManager.java:413)
  	at com.trilead.ssh2.transport.TransportManager.receiveLoop(TransportManager.java:765)
  	at com.trilead.ssh2.transport.TransportManager$1.run(TransportManager.java:480)
  	at java.base/java.lang.Thread.run(Unknown Source)

astauber · October 5, 2022, 3:27pm

Hi,

just an update to this issue.

The current CLI SonarScanner for Windows still has this problem:
https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.7.0.2747-windows.zip

The ssh server on our subversion server (Ubuntu 22.04 LTS) reports the following:

sshd[1622957]: Unable to negotiate with 10.58.47.100 port 58486: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]

As a workaround we allow the obsolete algos in the sshd config:

KexAlgorithms +diffie-hellman-group-exchange-sha1
HostKeyAlgorithms +ssh-rsa

Maybe the internal Trilead SSH-2 Java Library of the SonarScanner needs an update.

Regards, Armin

Colin · October 6, 2022, 8:29am

Hey there.

Thanks for the follow-up.

SonarQube itself houses the implementation of SVN integration (not the scanner), and the problem is well summarized in this post – essentially, SonarQube uses SVNKit, which uses Trilead (which doesn’t support the algorithms you were using)

So there’re 2 solutions: 1) configure server to allow algorithms supported by the client; 2) fix the client (‘trilead’) to support those algorithms.

There might be a third option – in v1.10.5 of SVNKit, the maintainers introduced support for an Apache sshd based implementation of svn+ssh:// (SVNKIT-759) which supports newer algorithms.

While SonarQube v8.9 LTS uses an older version (v1.10.1), the latest version of SonarQube (v9.6) uses v1.10.7. It is meant to be enabled using -Dsvnkit.ssh.client=apache – which would have to be passed to the scanner… and I’m not 100% sure it would be recognized.

I don’t have an SVN server to test this with – but you might be able to try it out when you arrive at a v9.x version. I’ll also flag this for some expert attention to see if it sounds feasible (or if we want to consider making this the default).

astauber · October 10, 2022, 2:18pm

Hi Colin,

many thanks for your reply.
We have already the workaround mentioned by 1)

If the new LTS v9.x Version is available I test if enabling the apache implementation is possible and if it fixes the problem.

Regards, Armin