Sonar-maven-plugin 3.6.0 seems to break https verification of server url

maven

(Michalis Adamidis) #1

We have an SonarQube 7.3 Server running on https with a certificate created by our internal CA.The issuer ceritificate is added to the truststore of the JVM used to execute the maven calls. This worked nicely up until sonar-maven-plugin 3.5.0.1254. With 3.6.0.1398 however we get the error, that the URL could not be verified:

Caused by: javax.net.ssl.SSLPeerUnverifiedException: Hostname <our.server.url> not verified:
    certificate: <removed-cert-info>
    DN: <removed-cert-info>
    subjectAltNames: <removed-cert-info>
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.connectTls(RealConnection.java:329)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.establishProtocol(RealConnection.java:282)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.connect(RealConnection.java:167)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:257)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:135)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.StreamAllocation.newStream(StreamAllocation.java:114)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:126)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.RealCall.getResponseWithInterceptorChain(RealCall.java:200)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.RealCall.execute(RealCall.java:77)
        at org.sonarsource.scanner.api.internal.ServerConnection.callUrl(ServerConnection.java:113)
        at org.sonarsource.scanner.api.internal.ServerConnection.downloadString(ServerConnection.java:98)
        at org.sonarsource.scanner.api.internal.BootstrapIndexDownloader.getIndex(BootstrapIndexDownloader.java:39)
        ... 32 more

I couldn’t find any release notes for the scanner so I’m not sure if there was an intentional change, requiring me to change something in our setup, or if this is a regression (like not correctly passing the truststore or whatever).

EDIT: I intenionally removed all URL and certificate information from the stack-trace, they seemed to be valid to me though.