Updating SonarQube scanner maven plugin from v3.9.1.2184 to v3.10.0.2594 breaks authentication towards SonarQube Community 9.9 LTS (9.9.4)
Error in regular build:
[INFO] --- sonar:3.10.0.2594:sonar (default) @ tngreview ---
[INFO] User cache: **redacted user.home**/.sonar/cache
[INFO] SonarQube version: 9.9.4.87374
[INFO] Default locale: "en_GB", source code encoding: "iso-8859-1"
[INFO] Load global settings
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 4.554 s
[INFO] Finished at: 2024-03-03T14:34:27+01:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.10.0.2594:sonar (default) on project tngreview: Not authorized. Please check the properties sonar.login and sonar.password. -> [Help 1]
Running in debug shows the root cause
[DEBUG] 13:33:53.284 Unable to decrypt property sonar.login
org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException: org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException: java.io.FileNotFoundException:**redacted user.home**/.settings-security.xml (No such file or directory)
Up to 3.9.1.2184 it decrypted the token (using redacted user.home/.m2/settings-security.xml as it should, since it’s a maven plugin it should be expected to decrypt encrypted values using Maven’s master-password)
The sonar.login token is stored in mvn -ep encrypted form as a property in my user-settings (redacted user.home/.m2/settings.xml)
To be clear, you’re generating a token then encrypting the token and storing it in .settings-security.xml. Previous versions of SonarScanner for Maven decrypted the token and used it just fine, but the latest version does not?
No, I’m generating a token, then encrypt it with Maven (mvn -ep followed by pasting the token at the prompt). The encrypted token output I then store as the sonar.login property in my user ~/.m2/settings.xml.
Maven uses ~/.m2/settings-security.xml to hold the master-password used for encryption, which is properly used by sonar-maven-plugin v3.9.1.2184 to decrypt the token on usage in a Sonar analysis.
For some reason as of v3.10.0.2594 Sonar plugin suddenly starts attempting to use the non-existent ~/.settings-security.xml as the source for the master-password used for secret encryption, which obviously makes it fail as it cannot obtain the masterpassword for decryption of encrypted secrets.
for the record: also applicable to the recently released 3.11.0.3922 (hadn’t expected otherwise based on the release notes, but wanted to share the feedback anyhow as I just validated whether the issue was still present)
Yep, we haven’t started looking into the issue. Could you please provide a minimal reproducer so I can debug it and search for the root cause? in 3.10 we dropped some leftovers of Maven 2 compatibility, maybe we dropped too much.
Anyway, in order to investigate the issue I need a minimal reproducer.