Setting trustStoreType in SonarScanner for .NET not working

Must-share information (formatted with Markdown):

  • which versions are you using: SonarQube Enterprise Server 9.9
  • Scanner: sonar-scanner-10.1.1.111189-net-framework
  • how is SonarQube deployed: zip
  • what are you trying to achieve: Use our internally created certificates, via java’s truststore cacerts.
  • what have you tried so far to achieve this:

We are working on updating the SonarScanner for .NET on our build servers. They are currently running with “SonarScanner for MSBuild 5.11” and we want to update to the new “SonarScanner for .NET 10.1.1”.

The default cacerts in our Java installation contains certificates that are needed to contact our SonarQube server. This works fine with the old scanner, but when we update to the new scanner, we get certificate issues.
Using the certificates in Windows is currently an option we want to avoid if possible.

I have tried to set SONAR_SCANNER_OPTS to tell Java what truststore to use.
I have set it to this:

-Djavax.net.ssl.trustStoreType=JKS -Djavax.net.ssl.trustStore="%env.JAVA_HOME%\lib\security\cacerts" -Djavax.net.ssl.trustStorePassword=*****

Running with debug information for the scanner and for java.net, it seems like the trustStoreType stays on Windows-ROOT, even though I have set that parameter in SONAR_SCANNER_OPTS.

This is some output from running “SonarScanner for .NET 10.1.1” where it fails.
Notice “trustStore type is: Windows-ROOT” and “Reloaded 49 trust certs” which is what is in our Windows certificates.

INFO: Scanner configuration file: c:\Tools\sonar-scanner-msbuild\sonar-scanner-5.0.1.3006\bin\..\conf\sonar-scanner.properties
INFO: Project root configuration file: C:\Bwork\193635fd7c72026a\.sonarqube\out\sonar-project.properties
INFO: SonarScanner 5.0.1.3006
INFO: Java 17.0.12 Oracle Corporation (64-bit)
INFO: Windows Server 2022 10.0 amd64
INFO: SONAR_SCANNER_OPTS=-Djavax.net.debug=all:verbose -Djavax.net.ssl.trustStoreType=JKS -Djavax.net.ssl.trustStore="C:\tools\jdk-17.0.12\lib\security\cacerts" -D<sensitive data removed>
javax.net.ssl|DEBUG|10|main|2025-04-11 08:02:43.872 CEST|TrustStoreManager.java:113|trustStore is: C:\tools\jdk-17.0.12\lib\security\cacerts
trustStore type is: Windows-ROOT
trustStore provider is:
the last modified time is: Wed Apr 09 08:54:41 CEST 2025
javax.net.ssl|DEBUG|10|main|2025-04-11 08:02:43.876 CEST|TrustStoreManager.java:334|Reload the trust store
javax.net.ssl|DEBUG|10|main|2025-04-11 08:02:43.943 CEST|TrustStoreManager.java:342|Reload trust certs
javax.net.ssl|DEBUG|10|main|2025-04-11 08:02:43.945 CEST|TrustStoreManager.java:347|Reloaded 49 trust certs

This is the output from running “SonarScanner for MSBuild 5.11”
Notice “trustStore type is: JKS” and “Reloaded 112 trust certs” which is what is in our cacerts.

INFO: Scanner configuration file: c:\Tools\sonar-scanner-msbuild\sonar-scanner-4.8.0.2856\bin\..\conf\sonar-scanner.properties
INFO: Project root configuration file: C:\Bwork\193635fd7c72026a\.sonarqube\out\sonar-project.properties
INFO: SonarScanner 4.8.0.2856
INFO: Java 17.0.12 Oracle Corporation (64-bit)
INFO: Windows Server 2022 10.0 amd64
INFO: SONAR_SCANNER_OPTS=-Djavax.net.debug=all:verbose -Djavax.net.ssl.trustStoreType=JKS -Djavax.net.ssl.trustStore="C:\tools\jdk-17.0.12\lib\security\cacerts" -Djavax.net.ssl.trustStorePassword=*******
javax.net.ssl|DEBUG|10|main|2025-04-11 08:35:12.527 CEST|TrustStoreManager.java:113|trustStore is: C:\tools\jdk-17.0.12\lib\security\cacerts
trustStore type is: JKS
trustStore provider is:
the last modified time is: Wed Apr 09 08:54:41 CEST 2025
javax.net.ssl|DEBUG|10|main|2025-04-11 08:35:12.532 CEST|TrustStoreManager.java:334|Reload the trust store
javax.net.ssl|DEBUG|10|main|2025-04-11 08:35:12.574 CEST|TrustStoreManager.java:342|Reload trust certs
javax.net.ssl|DEBUG|10|main|2025-04-11 08:35:12.576 CEST|TrustStoreManager.java:347|Reloaded 112 trust certs

So the question is, am I missing something to get it to use the java cacerts, or is there something in the scanner that is overwriting the trustStore type, or?

Hi,

Welcome to the community!

5.11 to 10.1.1 is a big jump, and some things have changed in the interim.

Take a look at /d:sonar.scanner.truststorePath in the docs. You’ll need it in both begin and end, BTW.

 
HTH,
Ann

Hi Ann,

Thank you for getting back to me.

I tried setting that truststorePath value, and it gave me a message that it couldn’t find the cacerts file. So I kind of gave up on using that parameter, and I hoped to set the parameter directly on the Java part where it is needed.

Failed to import the sonar.scanner.truststorePath file C:\tools\jdk-17.0.12\lib\security\cacerts: Cannot find the requested object

When I read on that parameter in here, it also seems like it is expecting a PKCS#12 file. I was hoping that we can continue using the cacerts file, as this is the one we currently have set up correctly on our build pipelines and using a new file is a lot of extra setup for this one step.

Do you know if it should work with a cacerts file when using that parameter?
I guess our alternative is to either use such a PKCS#12 file or get our Windows certificates set up correctly.

Regards,
Rasmus

Hi Rasmus,

Yes, that’s one of the things that’s changed.

 
HTH,
Ann
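
One way to produce the PKCS#12 file discussed above from the existing JKS cacerts, as an added example that is not part of the original thread or the scanner's own tooling. The output path, the environment variable names, the project key and the server URL are placeholders, and it is an assumption that the scanner accepts a keytool-generated PKCS#12 store containing only trusted-certificate entries.

```powershell
# Added example: convert the JDK's JKS cacerts into a PKCS#12 truststore and
# check that no trusted entry was lost before handing it to the scanner.
$keytool = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
$jks     = Join-Path $env:JAVA_HOME 'lib\security\cacerts'
$p12     = 'C:\tools\sonar\truststore.p12'   # placeholder output path

# keytool reads each password from the named environment variable (":env"
# modifier), so it never appears on the command line or in the build log.
# CACERTS_PASS and SONAR_TRUSTSTORE_PASS are hypothetical names set by the CI server.
function Get-TrustedCertCount([string]$Path, [string]$Type, [string]$PassVar) {
    $out = & $keytool -list -keystore $Path -storetype $Type '-storepass:env' $PassVar
    if ($LASTEXITCODE -ne 0) { throw "keytool -list failed for $Path" }
    return @($out | Select-String -SimpleMatch 'trustedCertEntry').Count
}

# -importkeystore merges into an existing destination, so start from a clean file.
if (Test-Path $p12) { Remove-Item $p12 -ErrorAction Stop }

& $keytool -importkeystore -noprompt `
    -srckeystore $jks -srcstoretype JKS '-srcstorepass:env' CACERTS_PASS `
    -destkeystore $p12 -deststoretype PKCS12 '-deststorepass:env' SONAR_TRUSTSTORE_PASS
if ($LASTEXITCODE -ne 0) { throw 'keytool -importkeystore failed' }

# The JKS count should match the "Reloaded N trust certs" figure the old scanner
# logged; the PKCS#12 copy must contain the same number of entries.
$before = Get-TrustedCertCount $jks JKS    CACERTS_PASS
$after  = Get-TrustedCertCount $p12 PKCS12 SONAR_TRUSTSTORE_PASS
if ($before -ne $after) { throw "Entry count mismatch: JKS=$before PKCS12=$after" }
Write-Host "Converted $after trusted certificates into $p12"

# Begin step with the converted store. The store password is supplied separately
# (see the scanner documentation for sonar.scanner.truststorePassword), and the
# reply above notes the truststore setting is needed at the end step as well.
& SonarScanner.MSBuild.exe begin '/k:my-project' `
    '/d:sonar.host.url=https://sonarqube.example.internal' `
    "/d:sonar.scanner.truststorePath=$p12"
```

Regenerate the PKCS#12 file whenever certificates are added to cacerts, otherwise the two stores drift apart and the scanner trusts a stale set.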