We have integrated Sonar with our Bitbucket Server instance and executed scan from Jenkins multibranch pipeline (like mentioned in the guide).
Though scan just works fine its unable to decorate Pull Request in Bitbucket server, there is below analysis warning for project,
Pull request decoration did not happen. Failed to access Bitbucket Server, the repository or the pull request
At the same time I see below in the Sonar container logs
2022.05.05 14:02:21 INFO ce[AYCUh1Zs21sFk0FIvlSr][o.s.a.c.b.BitbucketServerRestClient] Unable to contact Bitbucket server: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:352)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:295)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:290)
...........
2022.05.05 14:02:21 WARN ce[AYCUh1Zs21sFk0FIvlSr][c.s.G.D.B.E] Pull request decoration did not happen. Failed to access Bitbucket Server, the repository or the pull request: Unable to contact Bitbucket server
We had certificate issue while configuring the Bitbucket server earlier, so we have started the docker container with env variable with jks file details. After that we managed to connect successfully and import projects from it,
So the question is how is it managed to connect for import operation with SSL but not to decorate ? Does it mean it does not use these JVM option while running decorating PR ? Is there a some other
JVM property which I am missing ?
Just to check connectivity from inside the container I have run SSLPoke with the JKS file and its just works fine.
Ok, So after adding certificate manually into /etc/ssl/certs/ca-certificates.crt like mentioned earlier I had to restart SonarQube server from UI and after the PR decoration worked fine.
But these changes will be lost once the container recreated, So I am still looking for permanent way of adding certificate.
Ok, after many trial and error and going thorough the docs managed to fix it.
As per the SonarQube docs Sonar runs in two different java processes, one for the Web Server and other for Compute Engine which is responsible for all background tasks.
Env variable SONARQUBE_WEB_JVM_OPTS is only used by WebServer and that’s why it worked earlier to load repo from Bitbucket etc.
But since ComputeEngine is the one doing PR decoration (in the background) and it does not have ca cert it was failing with SSL unknown cert issue. To fix we can add Compute Engine env variable SONAR_CE_JAVAADDITIONALOPTS with same jks details.
That’s it and after docker container restart it works for PR decoration as well.
I wish Sonar team adds docs specially on how to handle selfsigned or internally generated CA certificates. Since its kind of very common in many organizations.
