Hello everyone,
I’m trying to set up a SonarQube pipeline in Azure DevOps Server to scan code from a repository and publish it to SonarQube.
The version I’m using is: Community Edition, version 10.8
Deployment type: with Helm in a K8 cluster
Pipeline Agent: Self-Hosted Windows Server
I’m trying to trigger the basic pipeline that SonarQube suggests after creating a new project. I’ve downloaded the necessary extension, configured the service connection and used the relevant tasks: SonarQubePrepare@7, SonarQubeAnalyze@7, SonarQubePublish@7.
The necessary certificates for the Azure DevOps Server are added to the SonarQube Java trust store via the CaCerts argument in the values.yaml file of the Helm chart. When I try to run the pipeline I get the following error:
javax.net.ssl.SSLHandshakeException: None of the TrustManagers trust this certificate chain
I’ve added sonar’s certificate chain manually to the Java JRE that the SonarQubeAnalyze@7 task uses to connect from the agent to the SonarQube Server. I also enabled sonar.verbose=true in the extra properties of the SonarQubePrepare@7 task to get more detailed logs.
When I did that I saw that some requests to the server actually go through:
```
11:44:42.217 DEBUG --> GET https://sonarqube.my-company.com/api/v2/analysis/version
11:44:42.491 DEBUG <-- 200 https://sonarqube.my-company.com/api/v2/analysis/version (273ms, 14-byte body)
11:44:42.494 INFO JRE provisioning: os[windows], arch[amd64]
11:44:42.497 DEBUG --> GET https://sonarqube.my-company.com/api/v2/analysis/jres?os=windows&arch=amd64
11:44:42.531 DEBUG <-- 200 https://sonarqube.my-company.com/api/v2/analysis/jres?os=windows&arch=amd64 (33ms, unknown-length body)
...
11:44:43.529 DEBUG --> GET https://sonarqube.my-company.com/api/v2/analysis/engine
11:44:43.647 DEBUG <-- 200 https://sonarqube.my-company.com/api/v2/analysis/engine (117ms, unknown-length body)
11:44:43.656 DEBUG Download https://sonarqube.my-company.com/api/v2/analysis/engine to C:\<path on agent>
11:44:43.656 DEBUG --> GET https://sonarqube.my-company.com/api/v2/analysis/engine
11:44:43.710 DEBUG <-- 200 https://sonarqube.my-company.com/api/v2/analysis/engine
```
But when the task decides to download the values.protobuf file, I get this error in the same log:
```
11:44:48.329 DEBUG --> GET https://sonarqube.my-company.com/api/settings/values.protobuf
11:44:48.614 DEBUG <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: None of the TrustManagers trust this certificate chain
```
I logged on to the agent to try to make the query from the agent’s browser and I got an HTTP 401 error. But after that I logged in to the SonarQube Server from the agent and ran the query in the browser again (with me being logged into SonarQube) and the file was downloaded successfully.
This is the pipeline I used:
```yaml
steps:
- task: SonarQubePrepare@7
  inputs:
    SonarQube: '<my-service-connection>'
    scannerMode: 'cli'
    configMode: 'manual'
    cliProjectKey: '<my-project-key>'
    cliProjectName: '<my-project-name>'
    cliSources: '.'
    extraProperties: |
      # Additional properties that will be passed to the scanner,
      # Put one key=value per line, example:
      # sonar.exclusions=**/*.bin
      sonar.verbose=true
- task: SonarQubeAnalyze@7
  inputs:
    jdkversion: 'JAVA_HOME_17_X64'
- task: SonarQubePublish@7
  inputs:
    pollingTimeoutSec: '300'
```
So what seems to be the problem with the pipeline then? Am I missing some configuration in it?
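An added example, not part of the original post: a small triage script for verbose scanner logs of the shape quoted above. It pairs each `-->` request with its `<--` outcome and flags hosts where some requests connected and others failed the TLS handshake, which means the trust decision differed between requests and it is worth checking which process and trust store made each one. The function name `triage` and the sample log are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample, modelled on the log lines quoted in the post above.
SAMPLE_LOG = """\
11:44:42.217 DEBUG --> GET https://sonarqube.my-company.com/api/v2/analysis/version
11:44:42.491 DEBUG <-- 200 https://sonarqube.my-company.com/api/v2/analysis/version (273ms, 14-byte body)
11:44:42.494 INFO JRE provisioning: os[windows], arch[amd64]
11:44:43.529 DEBUG --> GET https://sonarqube.my-company.com/api/v2/analysis/engine
11:44:43.647 DEBUG <-- 200 https://sonarqube.my-company.com/api/v2/analysis/engine (117ms, unknown-length body)
11:44:48.329 DEBUG --> GET https://sonarqube.my-company.com/api/settings/values.protobuf
11:44:48.614 DEBUG <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: None of the TrustManagers trust this certificate chain
"""

REQ = re.compile(r"^(\S+) DEBUG --> (\w+) (\S+)")
OK = re.compile(r"^(\S+) DEBUG <-- (\d{3}) (\S+)")
FAIL = re.compile(r"^(\S+) DEBUG <-- HTTP FAILED: ([\w.$]+)")


def triage(log_text):
    """Pair each request with its outcome; return (results, mixed_hosts).

    results: list of (method, url, outcome), where outcome is an int HTTP
    status or the exception class name of a failed request.
    mixed_hosts: hosts that both connected and failed TLS in the same log.
    """
    results, pending = [], None
    for line in log_text.splitlines():
        if m := REQ.match(line):
            pending = (m.group(2), m.group(3))
        elif (m := FAIL.match(line)) and pending:
            # A failure line carries no URL, so attribute it to the last request.
            results.append((*pending, m.group(2)))
            pending = None
        elif m := OK.match(line):
            method = pending[0] if pending else "?"
            results.append((method, m.group(3), int(m.group(2))))
            pending = None
    by_host = defaultdict(set)
    for _, url, outcome in results:
        tls_fail = isinstance(outcome, str) and "SSL" in outcome
        by_host[urlsplit(url).hostname].add("tls_fail" if tls_fail else "connected")
    mixed = sorted(h for h, s in by_host.items() if s == {"tls_fail", "connected"})
    return results, mixed


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG)[0]:
        print(row)
```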