SonarQube scan action (GitHub) v4.0.0 failing - keytool command not found

Currently we’re using v3.0.0 of the GitHub Action sonarsource/sonarqube-scan-action and are providing a custom root cert through the env-var SONAR_ROOT_CERT. I’ve now tried to upgrade to the new v4.0.0 version of the action since this no longer uses a docker-image and therefore we won’t hit any dockerhub rate limits anymore.

After updating to the new v4.0.0-version I get the following error:

> Run ${GITHUB_ACTION_PATH}/run-sonar-scanner.sh -Dsonar.pullrequest.key=665 -Dsonar.pullrequest.branch=redacted-patch-1 -Dsonar.pullrequest.base=master
> Adding SSL certificate to the Scanner truststore
> /__w/_actions/sonarsource/sonarqube-scan-action/v4.0.0/run-sonar-scanner.sh: line 32: keytool: command not found
> Error: Process completed with exit code 127.

According to the release-notes the update from v3.0.0 to v4.0.0 shouldn’t cause any issues. Can anyone help me?

Must-share information (formatted with Markdown):

  • GitHub Action sonarsource/sonarqube-scan-action@v4.0.0, sonar scanner cli 6.2.1.4610
  • running from GitHub Workflow inside container node:20
  • trigger a scan on our sonarqube instance with a custom root certificate
  • worked on v3.0.0, broken on v4.0.0

Hi @higgs01,
Thanks for reporting your issue to our community.

The new major version of the GitHub action requires the JDK to be installed and the keytool tool to be in the path. This was always the case with previous versions of the action, as the Docker container had all the dependencies baked into it. Moving from Docker to a composite action, we tested the behavior with all GitHub-hosted runners and didn’t encounter issues since those come equipped with Java.

The environment you are running in (the node:20 docker container), however, doesn’t include Java. Hence the issue.

We have identified a possible for the issue and started working on it. You can follow our progress at the resolution via this ticket in our tracking system.

We will ping you here once the issue is addressed. If your current issue with DockerHub rate limits is particularly annoying, we can share a working solution with you before the final release. That would greatly help us to validate the fix before releasing the new version.

Waiting for the fix to be available, you can:

  • either stay on the previous major version: v3.0.0 is still fully functional
  • or install the jdk or just the keytool, and ensure it’s in the path, before running the action

Hope it helps,
Antonio

Thank you for your quick response. For now we’ll stay on v3.0.0.

Hi @higgs01
We have good news! We have just released a new version of sonarqube-scan-action, v4.1.0, which should fix your issue.

We now use the keytool embedded in the JRE that we ship with the SonarScanner CLI, instead of expecting the command to be available in the runner environment.

You can read more about the new release of the action here.

Give it a try and let us know if that fixes your problem.

Best regards,
Antonio
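
An added example, not part of the thread and not the action's own run-sonar-scanner.sh: a preflight that finds keytool on the PATH or in the JRE bundled with the SonarScanner CLI (the two options discussed above), imports SONAR_ROOT_CERT into a PKCS12 truststore and lists the entry back. The function names, the `sonar` alias and the JAVA_HOME fallback are assumptions; the truststore path and the `changeit` password are the ones that appear elsewhere in this thread.

```bash
#!/usr/bin/env bash
# Added sketch, not the action's run-sonar-scanner.sh. Function names, the
# "sonar" alias and the JAVA_HOME fallback are assumptions of this example.

# Print the path of a usable keytool; return 127 (the "command not found"
# status seen in the thread) when there is none.
resolve_keytool() {
  local found dir
  # 1. keytool already on PATH, as on runners that ship a JDK.
  if found=$(command -v keytool 2>/dev/null) && [ -n "$found" ]; then
    printf '%s\n' "$found"
    return 0
  fi
  # 2. The JRE shipped with the SonarScanner CLI, then a generic JAVA_HOME.
  for dir in "${SONAR_SCANNER_JRE:-}" "${JAVA_HOME:-}"; do
    [ -n "$dir" ] || continue
    if [ -f "$dir/bin/keytool" ] && [ -x "$dir/bin/keytool" ]; then
      printf '%s\n' "$dir/bin/keytool"
      return 0
    fi
  done
  echo "keytool not found on PATH, in SONAR_SCANNER_JRE or in JAVA_HOME" >&2
  return 127
}

# Import the PEM in SONAR_ROOT_CERT into a PKCS12 truststore, then list the
# entry back so a failed import stops the job before the scan starts.
#   $1 truststore path (default: ~/.sonar/ssl/truststore.p12)
#   $2 store password  (default: changeit)
import_root_cert() {
  local store pass keytool pem rc
  store=${1:-"$HOME/.sonar/ssl/truststore.p12"}
  pass=${2:-changeit}
  if [ -z "${SONAR_ROOT_CERT:-}" ]; then
    echo "SONAR_ROOT_CERT is empty, nothing to import" >&2
    return 2
  fi
  keytool=$(resolve_keytool) || return $?

  mkdir -p "$(dirname "$store")" || return 1
  pem=$(mktemp) || return 1
  printf '%s\n' "$SONAR_ROOT_CERT" > "$pem"

  if "$keytool" -importcert -noprompt -trustcacerts -storetype PKCS12 \
       -keystore "$store" -storepass "$pass" -alias sonar -file "$pem" \
     && "$keytool" -list -storetype PKCS12 \
       -keystore "$store" -storepass "$pass" -alias sonar >/dev/null; then
    rc=0
  else
    rc=1
  fi
  rm -f "$pem"
  return "$rc"
}
```

Calling `import_root_cert` as its own workflow step before the scan makes a missing keytool or a rejected certificate fail at that step instead of inside the scanner.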

Hi @antonio.aversa
Thank you for the quick update. I’ve tested it with the Version v4.1.0 and the keytool-error doesn’t occur anymore.

However the custom root-cert still doesn’t seem to work as now I get the following error while running the action:

2024-12-02T11:05:19.0073976Z ##[group]Run ${GITHUB_ACTION_PATH}/run-sonar-scanner.sh -Dsonar.pullrequest.key=665 -Dsonar.pullrequest.branch=patch-1 -Dsonar.pullrequest.base=master
2024-12-02T11:05:19.0075515Z ${GITHUB_ACTION_PATH}/run-sonar-scanner.sh -Dsonar.pullrequest.key=665 -Dsonar.pullrequest.branch=patch-1 -Dsonar.pullrequest.base=master
2024-12-02T11:05:19.0076537Z shell: bash --noprofile --norc -e -o pipefail {0}
2024-12-02T11:05:19.0076907Z env:
2024-12-02T11:05:19.0077138Z   BUILD_IMAGE: false
2024-12-02T11:05:19.0077416Z   TAG_IMAGE_AS_LATEST: false
2024-12-02T11:05:19.0077719Z   DEPLOYMENT_INSTANCE: 
2024-12-02T11:05:19.0077987Z   NOTIFY_ON_ERROR: false
2024-12-02T11:05:19.0078341Z   SONAR_HOST_URL: https://***
2024-12-02T11:05:19.0078872Z   SONAR_TOKEN: ***
2024-12-02T11:05:19.0090995Z   SONAR_ROOT_CERT: -----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
2024-12-02T11:05:19.0103360Z   ARTIFACT_VERSION: 
2024-12-02T11:05:19.0103648Z   INPUT_PROJECTBASEDIR: app
2024-12-02T11:05:19.0104138Z   SONAR_SCANNER_JRE: /home/runner/_work/_temp/sonar-scanner-cli-6.2.1.4610-Linux-X64/jre
2024-12-02T11:05:19.0104654Z ##[endgroup]
2024-12-02T11:05:19.0560310Z Adding SSL certificate to the Scanner truststore
2024-12-02T11:05:19.2017806Z Certificate was added to keystore
2024-12-02T11:05:19.3351996Z + sonar-scanner -Dsonar.projectBaseDir=app -Dsonar.scanner.truststorePassword=changeit -Dsonar.pullrequest.key=665 -Dsonar.pullrequest.branch=patch-1 -Dsonar.pullrequest.base=master
2024-12-02T11:05:19.5679366Z 11:05:19.565 INFO  Scanner configuration file: /__w/_temp/sonar-scanner-cli-6.2.1.4610-Linux-X64/conf/sonar-scanner.properties
2024-12-02T11:05:19.5682511Z 11:05:19.567 INFO  Project root configuration file: /__w/fs-pkv-neon-ui/fs-pkv-neon-ui/app/sonar-project.properties
2024-12-02T11:05:19.5848720Z 11:05:19.584 INFO  SonarScanner CLI 6.2.1.4610
2024-12-02T11:05:19.5865841Z 11:05:19.586 INFO  Java 17.0.12 Eclipse Adoptium (64-bit)
2024-12-02T11:05:19.5872632Z 11:05:19.586 INFO  Linux 6.1.112-122.189.amzn2023.x86_64 amd64
2024-12-02T11:05:19.6150616Z 11:05:19.614 INFO  User cache: /root/.sonar/cache
2024-12-02T11:05:20.3269357Z 11:05:20.326 INFO  EXECUTION FAILURE
2024-12-02T11:05:20.3279865Z 11:05:20.327 INFO  Total time: 0.765s
2024-12-02T11:05:20.3321862Z 11:05:20.327 ERROR Error during SonarScanner CLI execution
2024-12-02T11:05:20.3322756Z java.lang.IllegalStateException: Failed to get server version
2024-12-02T11:05:20.3323850Z 	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.getServerVersion(ScannerEngineBootstrapper.java:194)
2024-12-02T11:05:20.3325165Z 	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:117)
2024-12-02T11:05:20.3326392Z 	at org.sonarsource.scanner.cli.Main.analyze(Main.java:75)
2024-12-02T11:05:20.3327275Z 	at org.sonarsource.scanner.cli.Main.main(Main.java:63)
2024-12-02T11:05:20.3328338Z 	Suppressed: java.lang.IllegalStateException: Call to URL [https://***/api/v2/analysis/version] failed
2024-12-02T11:05:20.3329573Z 		at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callUrl(ScannerHttpClient.java:159)
2024-12-02T11:05:20.3330762Z 		at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callApi(ScannerHttpClient.java:126)
2024-12-02T11:05:20.3331950Z 		at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callRestApi(ScannerHttpClient.java:104)
2024-12-02T11:05:20.3333231Z 		at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.getServerVersion(ScannerEngineBootstrapper.java:189)
2024-12-02T11:05:20.3334148Z 		... 3 common frames omitted
2024-12-02T11:05:20.3335013Z 	Caused by: javax.net.ssl.SSLHandshakeException: None of the TrustManagers trust this certificate chain
2024-12-02T11:05:20.3335987Z 		at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
2024-12-02T11:05:20.3336819Z 		at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
2024-12-02T11:05:20.3337636Z 		at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
2024-12-02T11:05:20.3338446Z 		at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
2024-12-02T11:05:20.3339759Z 		at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(Unknown Source)
2024-12-02T11:05:20.3340975Z 		at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(Unknown Source)
2024-12-02T11:05:20.3342133Z 		at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(Unknown Source)
2024-12-02T11:05:20.3343066Z 		at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source)
2024-12-02T11:05:20.3343896Z 		at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
2024-12-02T11:05:20.3344744Z 		at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
2024-12-02T11:05:20.3345591Z 		at java.base/sun.security.ssl.TransportContext.dispatch(Unknown Source)
2024-12-02T11:05:20.3346410Z 		at java.base/sun.security.ssl.SSLTransport.decode(Unknown Source)
2024-12-02T11:05:20.3347202Z 		at java.base/sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
2024-12-02T11:05:20.3348083Z 		at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
2024-12-02T11:05:20.3348990Z 		at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
2024-12-02T11:05:20.3349874Z 		at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
2024-12-02T11:05:20.3350800Z 		at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:379)
2024-12-02T11:05:20.3351949Z 		at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
2024-12-02T11:05:20.3352961Z 		at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
2024-12-02T11:05:20.3353935Z 		at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
2024-12-02T11:05:20.3354995Z 		at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
2024-12-02T11:05:20.3356006Z 		at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
2024-12-02T11:05:20.3356916Z 		at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
2024-12-02T11:05:20.3357898Z 		at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
2024-12-02T11:05:20.3358916Z 		at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
2024-12-02T11:05:20.3359878Z 		at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
2024-12-02T11:05:20.3360843Z 		at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
2024-12-02T11:05:20.3361813Z 		at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
2024-12-02T11:05:20.3362782Z 		at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
2024-12-02T11:05:20.3363875Z 		at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
2024-12-02T11:05:20.3364963Z 		at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
2024-12-02T11:05:20.3365975Z 		at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.kt:221)
2024-12-02T11:05:20.3366979Z 		at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
2024-12-02T11:05:20.3368058Z 		at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
2024-12-02T11:05:20.3369026Z 		at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154)
2024-12-02T11:05:20.3370047Z 		at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callUrl(ScannerHttpClient.java:157)
2024-12-02T11:05:20.3370828Z 		... 6 common frames omitted
2024-12-02T11:05:20.3371708Z 	Caused by: java.security.cert.CertificateException: None of the TrustManagers trust this certificate chain
2024-12-02T11:05:20.3372934Z 		at nl.altindag.ssl.trustmanager.CombinableX509TrustManager.checkTrusted(CombinableX509TrustManager.java:61)
2024-12-02T11:05:20.3374419Z 		at nl.altindag.ssl.trustmanager.CompositeX509ExtendedTrustManager.checkServerTrusted(CompositeX509ExtendedTrustManager.java:86)
2024-12-02T11:05:20.3375550Z 		... 38 common frames omitted
2024-12-02T11:05:20.3376949Z 		Suppressed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024-12-02T11:05:20.3378693Z 			at java.base/sun.security.validator.PKIXValidator.doBuild(Unknown Source)
2024-12-02T11:05:20.3379627Z 			at java.base/sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
2024-12-02T11:05:20.3380529Z 			at java.base/sun.security.validator.Validator.validate(Unknown Source)
2024-12-02T11:05:20.3381422Z 			at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
2024-12-02T11:05:20.3382389Z 			at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
2024-12-02T11:05:20.3383684Z 			at nl.altindag.ssl.trustmanager.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:48)
2024-12-02T11:05:20.3385910Z 			at nl.altindag.ssl.trustmanager.CompositeX509ExtendedTrustManager.lambda$checkServerTrusted$4(CompositeX509ExtendedTrustManager.java:86)
2024-12-02T11:05:20.3387197Z 			at nl.altindag.ssl.trustmanager.CombinableX509TrustManager.checkTrusted(CombinableX509TrustManager.java:41)
2024-12-02T11:05:20.3387910Z 			... 39 common frames omitted
2024-12-02T11:05:20.3388881Z 		Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024-12-02T11:05:20.3389916Z 			at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
2024-12-02T11:05:20.3390773Z 			at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
2024-12-02T11:05:20.3391542Z 			at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
2024-12-02T11:05:20.3392035Z 			... 47 common frames omitted
2024-12-02T11:05:20.3393227Z 		Suppressed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024-12-02T11:05:20.3394535Z 			at java.base/sun.security.validator.PKIXValidator.doBuild(Unknown Source)
2024-12-02T11:05:20.3395270Z 			at java.base/sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
2024-12-02T11:05:20.3395983Z 			at java.base/sun.security.validator.Validator.validate(Unknown Source)
2024-12-02T11:05:20.3396693Z 			at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
2024-12-02T11:05:20.3397475Z 			at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
2024-12-02T11:05:20.3398582Z 			at nl.altindag.ssl.trustmanager.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:48)
2024-12-02T11:05:20.3399973Z 			at nl.altindag.ssl.trustmanager.CompositeX509ExtendedTrustManager.lambda$checkServerTrusted$4(CompositeX509ExtendedTrustManager.java:86)
2024-12-02T11:05:20.3401208Z 			at nl.altindag.ssl.trustmanager.CombinableX509TrustManager.checkTrusted(CombinableX509TrustManager.java:41)
2024-12-02T11:05:20.3401908Z 			... 39 common frames omitted
2024-12-02T11:05:20.3402712Z 		Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024-12-02T11:05:20.3403730Z 			at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
2024-12-02T11:05:20.3404588Z 			at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
2024-12-02T11:05:20.3405351Z 			at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
2024-12-02T11:05:20.3405841Z 			... 47 common frames omitted
2024-12-02T11:05:20.3406601Z Caused by: java.lang.IllegalStateException: Call to URL [https://***/api/server/version] failed
2024-12-02T11:05:20.3407601Z 	at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callUrl(ScannerHttpClient.java:159)
2024-12-02T11:05:20.3408680Z 	at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callApi(ScannerHttpClient.java:126)
2024-12-02T11:05:20.3409685Z 	at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callWebApi(ScannerHttpClient.java:112)
2024-12-02T11:05:20.3410769Z 	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.getServerVersion(ScannerEngineBootstrapper.java:192)
2024-12-02T11:05:20.3411472Z 	... 3 common frames omitted
2024-12-02T11:05:20.3412167Z Caused by: javax.net.ssl.SSLHandshakeException: None of the TrustManagers trust this certificate chain
2024-12-02T11:05:20.3412953Z 	at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
2024-12-02T11:05:20.3413599Z 	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
2024-12-02T11:05:20.3414317Z 	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
2024-12-02T11:05:20.3414944Z 	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
2024-12-02T11:05:20.3415772Z 	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(Unknown Source)
2024-12-02T11:05:20.3416797Z 	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(Unknown Source)
2024-12-02T11:05:20.3417764Z 	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(Unknown Source)
2024-12-02T11:05:20.3418517Z 	at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source)
2024-12-02T11:05:20.3419237Z 	at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
2024-12-02T11:05:20.3419903Z 	at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
2024-12-02T11:05:20.3420567Z 	at java.base/sun.security.ssl.TransportContext.dispatch(Unknown Source)
2024-12-02T11:05:20.3421203Z 	at java.base/sun.security.ssl.SSLTransport.decode(Unknown Source)
2024-12-02T11:05:20.3421819Z 	at java.base/sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
2024-12-02T11:05:20.3422510Z 	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
2024-12-02T11:05:20.3423238Z 	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
2024-12-02T11:05:20.3423934Z 	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
2024-12-02T11:05:20.3424671Z 	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:379)
2024-12-02T11:05:20.3425491Z 	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
2024-12-02T11:05:20.3426294Z 	at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
2024-12-02T11:05:20.3427079Z 	at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
2024-12-02T11:05:20.3427947Z 	at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
2024-12-02T11:05:20.3428748Z 	at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
2024-12-02T11:05:20.3429468Z 	at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
2024-12-02T11:05:20.3430265Z 	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
2024-12-02T11:05:20.3431095Z 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
2024-12-02T11:05:20.3431874Z 	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
2024-12-02T11:05:20.3432651Z 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
2024-12-02T11:05:20.3433436Z 	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
2024-12-02T11:05:20.3434221Z 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
2024-12-02T11:05:20.3435133Z 	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
2024-12-02T11:05:20.3436030Z 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
2024-12-02T11:05:20.3436848Z 	at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.kt:221)
2024-12-02T11:05:20.3437762Z 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
2024-12-02T11:05:20.3438656Z 	at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
2024-12-02T11:05:20.3439447Z 	at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154)
2024-12-02T11:05:20.3440242Z 	at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callUrl(ScannerHttpClient.java:157)
2024-12-02T11:05:20.3441127Z 	... 6 common frames omitted
2024-12-02T11:05:20.3442071Z Caused by: java.security.cert.CertificateException: None of the TrustManagers trust this certificate chain
2024-12-02T11:05:20.3443123Z 	at nl.altindag.ssl.trustmanager.CombinableX509TrustManager.checkTrusted(CombinableX509TrustManager.java:61)
2024-12-02T11:05:20.3444352Z 	at nl.altindag.ssl.trustmanager.CompositeX509ExtendedTrustManager.checkServerTrusted(CompositeX509ExtendedTrustManager.java:86)
2024-12-02T11:05:20.3445169Z 	... 38 common frames omitted
2024-12-02T11:05:20.3446362Z 	Suppressed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024-12-02T11:05:20.3447675Z 		at java.base/sun.security.validator.PKIXValidator.doBuild(Unknown Source)
2024-12-02T11:05:20.3448418Z 		at java.base/sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
2024-12-02T11:05:20.3449209Z 		at java.base/sun.security.validator.Validator.validate(Unknown Source)
2024-12-02T11:05:20.3449922Z 		at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
2024-12-02T11:05:20.3450714Z 		at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
2024-12-02T11:05:20.3451826Z 		at nl.altindag.ssl.trustmanager.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:48)
2024-12-02T11:05:20.3453214Z 		at nl.altindag.ssl.trustmanager.CompositeX509ExtendedTrustManager.lambda$checkServerTrusted$4(CompositeX509ExtendedTrustManager.java:86)
2024-12-02T11:05:20.3454546Z 		at nl.altindag.ssl.trustmanager.CombinableX509TrustManager.checkTrusted(CombinableX509TrustManager.java:41)
2024-12-02T11:05:20.3455245Z 		... 39 common frames omitted
2024-12-02T11:05:20.3456048Z 	Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024-12-02T11:05:20.3457072Z 		at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
2024-12-02T11:05:20.3457929Z 		at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
2024-12-02T11:05:20.3458698Z 		at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
2024-12-02T11:05:20.3459196Z 		... 47 common frames omitted
2024-12-02T11:05:20.3460379Z 	Suppressed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024-12-02T11:05:20.3461675Z 		at java.base/sun.security.validator.PKIXValidator.doBuild(Unknown Source)
2024-12-02T11:05:20.3462412Z 		at java.base/sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
2024-12-02T11:05:20.3463127Z 		at java.base/sun.security.validator.Validator.validate(Unknown Source)
2024-12-02T11:05:20.3463831Z 		at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
2024-12-02T11:05:20.3464612Z 		at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
2024-12-02T11:05:20.3465722Z 		at nl.altindag.ssl.trustmanager.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:48)
2024-12-02T11:05:20.3467107Z 		at nl.altindag.ssl.trustmanager.CompositeX509ExtendedTrustManager.lambda$checkServerTrusted$4(CompositeX509ExtendedTrustManager.java:86)
2024-12-02T11:05:20.3468341Z 		at nl.altindag.ssl.trustmanager.CombinableX509TrustManager.checkTrusted(CombinableX509TrustManager.java:41)
2024-12-02T11:05:20.3469119Z 		... 39 common frames omitted
2024-12-02T11:05:20.3469931Z 	Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024-12-02T11:05:20.3470958Z 		at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
2024-12-02T11:05:20.3471818Z 		at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
2024-12-02T11:05:20.3472592Z 		at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
2024-12-02T11:05:20.3473097Z 		... 47 common frames omitted
2024-12-02T11:05:20.3473417Z 11:05:20.331 ERROR 
2024-12-02T11:05:20.3473985Z 11:05:20.331 ERROR Re-run SonarScanner CLI using the -X switch to enable full debug logging.
2024-12-02T11:05:20.3584513Z ##[error]Process completed with exit code 1.

The workflow-runs using the old action (via docker) are still working fine and looking at the git-diff in my PR all that has changed is the version-tag of the action (now v4.1.0). Everything else including certificate/url has remained the same.

I know that this is a different issue than the one I initially opened this thread for. Could you still take a look at it? Or should I open a new one for this?

Hi @higgs01,
Thanks a lot for your super-quick update!

Yes, technically we should create a new ticket for this issue specifically, but let’s just continue here for convenience.

From your logs, it seems that the keytool is invoked correctly, and that ~/.sonar/ssl/truststore.p12 has been created. But somehow the p12 is not taken into account by the SonarScanner CLI, in the actual scan.

Could you please run the SonarScanner CLI in debug mode and report the logs here?

You can either add RUNNER_DEBUG: 1 to your environment variables, like so:

    - name: SonarQube Scan
      uses: sonarsource/sonarqube-scan-action@v4.1.0
      env:
        RUNNER_DEBUG: 1

or -Dsonar.verbose=true to the args parameter of the GitHub action, like so:

    - uses: sonarsource/sonarqube-scan-action@v4.1.0
      with:
        args: >
          -Dsonar.verbose=true

Whatever comes easier to you.

This should give us more information about the execution of the scan by the SonarScanner CLI. In particular, we are looking for a log line like the following:

    DEBUG Using truststore: /home/runner/.sonar/ssl/truststore.p12

Thanks,
Antonio
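
An added example, not part of the thread and not Sonar code: a small triage function that applies the check described above to a saved scanner log, separating "import succeeded but no `Using truststore` line" from "truststore was opened but the chain is still rejected" and from "no debug output, so the log cannot answer the question". The verdict strings, function names and the sample log (constructed from the log texts quoted in this thread, with a placeholder host) are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Sonar code. Verdict strings and function names are
# assumptions; the matched log texts are the ones quoted in this thread.

# Constructed sample: a shortened debug run in the style of the thread's logs
# (host name is a placeholder).
sample_debug_log() {
  cat <<'EOF'
Adding SSL certificate to the Scanner truststore
Certificate was added to keystore
13:53:38.228 DEBUG Scanner max available memory: 3 GB
13:53:38.530 DEBUG Loaded [420] system trusted certificates
13:53:38.672 DEBUG --> GET https://sonar.example.invalid/api/v2/analysis/version
13:53:38.823 DEBUG <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: None of the TrustManagers trust this certificate chain
13:53:38.897 ERROR Error during SonarScanner CLI execution
EOF
}

# Print one verdict for a scanner log file; return 0 only when no TLS
# handshake failure is present.
triage_scanner_log() {
  local log=$1 store
  if [ ! -r "$log" ]; then
    echo "unreadable-log"; return 2
  fi
  if ! grep -Fq 'SSLHandshakeException' "$log"; then
    echo "no-handshake-failure"; return 0
  fi
  # keytool prints this line when the import step succeeded.
  if ! grep -Fq 'Certificate was added to keystore' "$log"; then
    echo "import-not-confirmed"; return 1
  fi
  # "Using truststore" is a DEBUG line: without debug output its absence
  # proves nothing, so ask for a rerun with RUNNER_DEBUG or sonar.verbose.
  if ! grep -q ' DEBUG ' "$log"; then
    echo "need-debug-log"; return 1
  fi
  store=$(sed -n 's/.*DEBUG Using truststore: *//p' "$log" | head -n 1)
  if [ -z "$store" ]; then
    # Import succeeded but the scanner never reported opening the store.
    echo "truststore-not-loaded"; return 1
  fi
  # Store was opened, yet the chain is still rejected: check its contents.
  echo "truststore-loaded:$store"; return 1
}

# Stand-alone run on the constructed sample; prints: truststore-not-loaded
demo_log=$(mktemp) && sample_debug_log > "$demo_log"
triage_scanner_log "$demo_log" || true
rm -f "$demo_log"
```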

@antonio.aversa as requested the log with “RUNNER_DEBUG=1” configured:

2024-12-02T13:53:37.6775336Z ##[group]Run ${GITHUB_ACTION_PATH}/run-sonar-scanner.sh 
2024-12-02T13:53:37.6776224Z ${GITHUB_ACTION_PATH}/run-sonar-scanner.sh
2024-12-02T13:53:37.6777027Z shell: bash --noprofile --norc -e -o pipefail {0}
2024-12-02T13:53:37.6777627Z env:
2024-12-02T13:53:37.6778133Z   SONAR_HOST_URL: https://***
2024-12-02T13:53:37.6778879Z   SONAR_TOKEN: ***
2024-12-02T13:53:37.6791421Z   SONAR_ROOT_CERT: -----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
2024-12-02T13:53:37.6804740Z   GIT_SSH_COMMAND: ssh -o StrictHostKeyChecking=accept-new
2024-12-02T13:53:37.6805385Z   RUNNER_DEBUG: 1
2024-12-02T13:53:37.6805882Z   INPUT_PROJECTBASEDIR: ./
2024-12-02T13:53:37.6806623Z   SONAR_SCANNER_JRE: /home/runner/_work/_temp/sonar-scanner-cli-6.2.1.4610-Linux-X64/jre
2024-12-02T13:53:37.6807397Z ##[endgroup]
2024-12-02T13:53:37.7261681Z Adding SSL certificate to the Scanner truststore
2024-12-02T13:53:37.8735710Z Certificate was added to keystore
2024-12-02T13:53:37.9777008Z + sonar-scanner --debug -Dsonar.projectBaseDir=./ -Dsonar.scanner.truststorePassword=changeit
2024-12-02T13:53:38.2080584Z 13:53:38.205 INFO  Scanner configuration file: /__w/_temp/sonar-scanner-cli-6.2.1.4610-Linux-X64/conf/sonar-scanner.properties
2024-12-02T13:53:38.2085759Z 13:53:38.208 INFO  Project root configuration file: /__w/fs-pkv-neon-ui-common/fs-pkv-neon-ui-common/sonar-project.properties
2024-12-02T13:53:38.2207968Z 13:53:38.220 INFO  SonarScanner CLI 6.2.1.4610
2024-12-02T13:53:38.2219934Z 13:53:38.221 INFO  Java 17.0.12 Eclipse Adoptium (64-bit)
2024-12-02T13:53:38.2226697Z 13:53:38.222 INFO  Linux 6.1.112-122.189.amzn2023.x86_64 amd64
2024-12-02T13:53:38.2289985Z 13:53:38.228 DEBUG Scanner max available memory: 3 GB
2024-12-02T13:53:38.2505172Z 13:53:38.250 DEBUG uname -m returned 'x86_64'
2024-12-02T13:53:38.2517333Z 13:53:38.251 DEBUG Create: /root/.sonar/cache
2024-12-02T13:53:38.2522593Z 13:53:38.252 INFO  User cache: /root/.sonar/cache
2024-12-02T13:53:38.2523381Z 13:53:38.252 DEBUG Create: /root/.sonar/cache/_tmp
2024-12-02T13:53:38.5311467Z 13:53:38.530 DEBUG Loaded [420] system trusted certificates
2024-12-02T13:53:38.6732934Z 13:53:38.672 DEBUG --> GET https://***/api/v2/analysis/version
2024-12-02T13:53:38.8236249Z 13:53:38.823 DEBUG <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: None of the TrustManagers trust this certificate chain
2024-12-02T13:53:38.8239801Z 13:53:38.823 DEBUG --> GET https://***/api/server/version
2024-12-02T13:53:38.8963155Z 13:53:38.895 DEBUG <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: None of the TrustManagers trust this certificate chain
2024-12-02T13:53:38.8964228Z 13:53:38.895 INFO  EXECUTION FAILURE
2024-12-02T13:53:38.8976358Z 13:53:38.897 INFO  Total time: 0.695s
2024-12-02T13:53:38.9016384Z 13:53:38.897 ERROR Error during SonarScanner CLI execution
2024-12-02T13:53:38.9017786Z java.lang.IllegalStateException: Failed to get server version
2024-12-02T13:53:38.9019525Z 	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.getServerVersion(ScannerEngineBootstrapper.java:194)
2024-12-02T13:53:38.9021155Z 	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:117)
2024-12-02T13:53:38.9022205Z 	at org.sonarsource.scanner.cli.Main.analyze(Main.java:75)
2024-12-02T13:53:38.9022986Z 	at org.sonarsource.scanner.cli.Main.main(Main.java:63)
2024-12-02T13:53:38.9024424Z 	Suppressed: java.lang.IllegalStateException: Call to URL [https://***/api/v2/analysis/version] failed
2024-12-02T13:53:38.9025744Z 		at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callUrl(ScannerHttpClient.java:159)
2024-12-02T13:53:38.9027003Z 		at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callApi(ScannerHttpClient.java:126)
2024-12-02T13:53:38.9028289Z 		at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callRestApi(ScannerHttpClient.java:104)
2024-12-02T13:53:38.9029646Z 		at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.getServerVersion(ScannerEngineBootstrapper.java:189)
2024-12-02T13:53:38.9030612Z 		... 3 common frames omitted
2024-12-02T13:53:38.9031489Z 	Caused by: javax.net.ssl.SSLHandshakeException: None of the TrustManagers trust this certificate chain
2024-12-02T13:53:38.9032548Z 		at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
2024-12-02T13:53:38.9033472Z 		at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
2024-12-02T13:53:38.9034388Z 		at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
2024-12-02T13:53:38.9035295Z 		at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
2024-12-02T13:53:38.9036712Z 		at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(Unknown Source)
2024-12-02T13:53:38.9038183Z 		at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(Unknown Source)
2024-12-02T13:53:38.9039854Z 		at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(Unknown Source)
2024-12-02T13:53:38.9041541Z 		at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source)
2024-12-02T13:53:38.9043123Z 		at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
2024-12-02T13:53:38.9044832Z 		at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
2024-12-02T13:53:38.9046553Z 		at java.base/sun.security.ssl.TransportContext.dispatch(Unknown Source)
2024-12-02T13:53:38.9048037Z 		at java.base/sun.security.ssl.SSLTransport.decode(Unknown Source)
2024-12-02T13:53:38.9049014Z 		at java.base/sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
2024-12-02T13:53:38.9050038Z 		at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
2024-12-02T13:53:38.9051131Z 		at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
2024-12-02T13:53:38.9052176Z 		at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
2024-12-02T13:53:38.9053251Z 		at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:379)
2024-12-02T13:53:38.9054416Z 		at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
2024-12-02T13:53:38.9055557Z 		at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
2024-12-02T13:53:38.9056684Z 		at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
2024-12-02T13:53:38.9058153Z 		at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
2024-12-02T13:53:38.9059308Z 		at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
2024-12-02T13:53:38.9060378Z 		at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
2024-12-02T13:53:38.9061506Z 		at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
2024-12-02T13:53:38.9062662Z 		at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
2024-12-02T13:53:38.9063759Z 		at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
2024-12-02T13:53:38.9064863Z 		at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
2024-12-02T13:53:38.9065968Z 		at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
2024-12-02T13:53:38.9067087Z 		at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
2024-12-02T13:53:38.9068445Z 		at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
2024-12-02T13:53:38.9069686Z 		at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
2024-12-02T13:53:38.9070823Z 		at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.kt:221)
2024-12-02T13:53:38.9071967Z 		at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
2024-12-02T13:53:38.9073192Z 		at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
2024-12-02T13:53:38.9074297Z 		at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154)
2024-12-02T13:53:38.9075430Z 		at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callUrl(ScannerHttpClient.java:157)
2024-12-02T13:53:38.9076475Z 		... 6 common frames omitted
2024-12-02T13:53:38.9077459Z 	Caused by: java.security.cert.CertificateException: None of the TrustManagers trust this certificate chain
2024-12-02T13:53:38.9078854Z 		at nl.altindag.ssl.trustmanager.CombinableX509TrustManager.checkTrusted(CombinableX509TrustManager.java:61)
2024-12-02T13:53:38.9080420Z 		at nl.altindag.ssl.trustmanager.CompositeX509ExtendedTrustManager.checkServerTrusted(CompositeX509ExtendedTrustManager.java:86)
2024-12-02T13:53:38.9081550Z 		... 38 common frames omitted
2024-12-02T13:53:38.9083052Z 		Suppressed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024-12-02T13:53:38.9084688Z 			at java.base/sun.security.validator.PKIXValidator.doBuild(Unknown Source)
2024-12-02T13:53:38.9085766Z 			at java.base/sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
2024-12-02T13:53:38.9086816Z 			at java.base/sun.security.validator.Validator.validate(Unknown Source)
2024-12-02T13:53:38.9087854Z 			at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
2024-12-02T13:53:38.9089366Z 			at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
2024-12-02T13:53:38.9107766Z 			at nl.altindag.ssl.trustmanager.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:48)
2024-12-02T13:53:38.9110288Z 			at nl.altindag.ssl.trustmanager.CompositeX509ExtendedTrustManager.lambda$checkServerTrusted$4(CompositeX509ExtendedTrustManager.java:86)
2024-12-02T13:53:38.9111925Z 			at nl.altindag.ssl.trustmanager.CombinableX509TrustManager.checkTrusted(CombinableX509TrustManager.java:41)
2024-12-02T13:53:38.9112957Z 			... 39 common frames omitted
2024-12-02T13:53:38.9114104Z 		Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024-12-02T13:53:38.9115486Z 			at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
2024-12-02T13:53:38.9116800Z 			at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
2024-12-02T13:53:38.9118117Z 			at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
2024-12-02T13:53:38.9118927Z 			... 47 common frames omitted
2024-12-02T13:53:38.9120436Z 		Suppressed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024-12-02T13:53:38.9122079Z 			at java.base/sun.security.validator.PKIXValidator.doBuild(Unknown Source)
2024-12-02T13:53:38.9123149Z 			at java.base/sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
2024-12-02T13:53:38.9124202Z 			at java.base/sun.security.validator.Validator.validate(Unknown Source)
2024-12-02T13:53:38.9125239Z 			at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
2024-12-02T13:53:38.9126360Z 			at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
2024-12-02T13:53:38.9127809Z 			at nl.altindag.ssl.trustmanager.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:48)
2024-12-02T13:53:38.9129685Z 			at nl.altindag.ssl.trustmanager.CompositeX509ExtendedTrustManager.lambda$checkServerTrusted$4(CompositeX509ExtendedTrustManager.java:86)
2024-12-02T13:53:38.9131286Z 			at nl.altindag.ssl.trustmanager.CombinableX509TrustManager.checkTrusted(CombinableX509TrustManager.java:41)
2024-12-02T13:53:38.9132292Z 			... 39 common frames omitted
2024-12-02T13:53:38.9133398Z 		Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024-12-02T13:53:38.9135091Z 			at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
2024-12-02T13:53:38.9136294Z 			at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
2024-12-02T13:53:38.9137393Z 			at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
2024-12-02T13:53:38.9138200Z 			... 47 common frames omitted
2024-12-02T13:53:38.9139316Z Caused by: java.lang.IllegalStateException: Call to URL [https://***/api/server/version] failed
2024-12-02T13:53:38.9140670Z 	at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callUrl(ScannerHttpClient.java:159)
2024-12-02T13:53:38.9141995Z 	at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callApi(ScannerHttpClient.java:126)
2024-12-02T13:53:38.9143344Z 	at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callWebApi(ScannerHttpClient.java:112)
2024-12-02T13:53:38.9144759Z 	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.getServerVersion(ScannerEngineBootstrapper.java:192)
2024-12-02T13:53:38.9145770Z 	... 3 common frames omitted
2024-12-02T13:53:38.9146773Z Caused by: javax.net.ssl.SSLHandshakeException: None of the TrustManagers trust this certificate chain
2024-12-02T13:53:38.9147885Z 	at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
2024-12-02T13:53:38.9148850Z 	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
2024-12-02T13:53:38.9149819Z 	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
2024-12-02T13:53:38.9150767Z 	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
2024-12-02T13:53:38.9151920Z 	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(Unknown Source)
2024-12-02T13:53:38.9153284Z 	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(Unknown Source)
2024-12-02T13:53:38.9154597Z 	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(Unknown Source)
2024-12-02T13:53:38.9155761Z 	at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source)
2024-12-02T13:53:38.9156732Z 	at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
2024-12-02T13:53:38.9157720Z 	at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
2024-12-02T13:53:38.9158725Z 	at java.base/sun.security.ssl.TransportContext.dispatch(Unknown Source)
2024-12-02T13:53:38.9159825Z 	at java.base/sun.security.ssl.SSLTransport.decode(Unknown Source)
2024-12-02T13:53:38.9160774Z 	at java.base/sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
2024-12-02T13:53:38.9161776Z 	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
2024-12-02T13:53:38.9162823Z 	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
2024-12-02T13:53:38.9163837Z 	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
2024-12-02T13:53:38.9164903Z 	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:379)
2024-12-02T13:53:38.9166066Z 	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
2024-12-02T13:53:38.9167195Z 	at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
2024-12-02T13:53:38.9168314Z 	at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
2024-12-02T13:53:38.9169618Z 	at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
2024-12-02T13:53:38.9170746Z 	at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
2024-12-02T13:53:38.9171787Z 	at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
2024-12-02T13:53:38.9172913Z 	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
2024-12-02T13:53:38.9174079Z 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
2024-12-02T13:53:38.9175187Z 	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
2024-12-02T13:53:38.9176284Z 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
2024-12-02T13:53:38.9177398Z 	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
2024-12-02T13:53:38.9178508Z 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
2024-12-02T13:53:38.9179751Z 	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
2024-12-02T13:53:38.9180982Z 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
2024-12-02T13:53:38.9182122Z 	at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.kt:221)
2024-12-02T13:53:38.9183273Z 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
2024-12-02T13:53:38.9184493Z 	at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
2024-12-02T13:53:38.9185602Z 	at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154)
2024-12-02T13:53:38.9186740Z 	at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callUrl(ScannerHttpClient.java:157)
2024-12-02T13:53:38.9187720Z 	... 6 common frames omitted
2024-12-02T13:53:38.9189125Z Caused by: java.security.cert.CertificateException: None of the TrustManagers trust this certificate chain
2024-12-02T13:53:38.9190523Z 	at nl.altindag.ssl.trustmanager.CombinableX509TrustManager.checkTrusted(CombinableX509TrustManager.java:61)
2024-12-02T13:53:38.9192126Z 	at nl.altindag.ssl.trustmanager.CompositeX509ExtendedTrustManager.checkServerTrusted(CompositeX509ExtendedTrustManager.java:86)
2024-12-02T13:53:38.9193301Z 	... 38 common frames omitted
2024-12-02T13:53:38.9195093Z 	Suppressed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024-12-02T13:53:38.9197057Z 		at java.base/sun.security.validator.PKIXValidator.doBuild(Unknown Source)
2024-12-02T13:53:38.9198212Z 		at java.base/sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
2024-12-02T13:53:38.9199748Z 		at java.base/sun.security.validator.Validator.validate(Unknown Source)
2024-12-02T13:53:38.9201102Z 		at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
2024-12-02T13:53:38.9202996Z 		at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
2024-12-02T13:53:38.9205185Z 		at nl.altindag.ssl.trustmanager.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:48)
2024-12-02T13:53:38.9207344Z 		at nl.altindag.ssl.trustmanager.CompositeX509ExtendedTrustManager.lambda$checkServerTrusted$4(CompositeX509ExtendedTrustManager.java:86)
2024-12-02T13:53:38.9209289Z 		at nl.altindag.ssl.trustmanager.CombinableX509TrustManager.checkTrusted(CombinableX509TrustManager.java:41)
2024-12-02T13:53:38.9210433Z 		... 39 common frames omitted
2024-12-02T13:53:38.9211683Z 	Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024-12-02T13:53:38.9213397Z 		at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
2024-12-02T13:53:38.9215279Z 		at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
2024-12-02T13:53:38.9216698Z 		at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
2024-12-02T13:53:38.9217706Z 		... 47 common frames omitted
2024-12-02T13:53:38.9219173Z 	Suppressed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024-12-02T13:53:38.9220768Z 		at java.base/sun.security.validator.PKIXValidator.doBuild(Unknown Source)
2024-12-02T13:53:38.9221775Z 		at java.base/sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
2024-12-02T13:53:38.9222767Z 		at java.base/sun.security.validator.Validator.validate(Unknown Source)
2024-12-02T13:53:38.9223740Z 		at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
2024-12-02T13:53:38.9224802Z 		at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
2024-12-02T13:53:38.9226193Z 		at nl.altindag.ssl.trustmanager.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:48)
2024-12-02T13:53:38.9227905Z 		at nl.altindag.ssl.trustmanager.CompositeX509ExtendedTrustManager.lambda$checkServerTrusted$4(CompositeX509ExtendedTrustManager.java:86)
2024-12-02T13:53:38.9229439Z 		at nl.altindag.ssl.trustmanager.CombinableX509TrustManager.checkTrusted(CombinableX509TrustManager.java:41)
2024-12-02T13:53:38.9230400Z 		... 39 common frames omitted
2024-12-02T13:53:38.9231471Z 	Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024-12-02T13:53:38.9232799Z 		at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
2024-12-02T13:53:38.9233933Z 		at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
2024-12-02T13:53:38.9234968Z 		at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
2024-12-02T13:53:38.9235807Z 		... 47 common frames omitted
2024-12-02T13:53:38.9245938Z ##[error]Process completed with exit code 1.

I can’t find the line you’ve mentioned in there anywhere.

And to give you a complete picture of our workflow, this is the GitHub Action workflow (reduced to the relevant parts):

name: Build, check & publish

jobs:
  build-check-publish:
    name: Build, test & publish
    container:
      image: ***/node:20

    defaults:
      run:
        shell: bash

    env:
      SONAR_HOST_URL: "https://${{ vars.SONARQUBE_URL }}"
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
      SONAR_ROOT_CERT: ${{ vars.PRIVATE_ROOT_PEM }}
      GIT_SSH_COMMAND: "ssh -o StrictHostKeyChecking=accept-new"

    steps:
      - name: Checkout code
        id: checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

      - name: Run sonar analysis
        id: sonar-analysis
        uses: sonarsource/sonarqube-scan-action@v4.1.0
        env:
          RUNNER_DEBUG: 1
        with:
          projectBaseDir: ./

Hi @higgs01,

Thanks for your quick feedback!

The presence of DEBUG logs indicates that you have configured debug logs correctly. The absence of the log line mentioned above (DEBUG Using truststore: /home/runner/.sonar/ssl/truststore.p12) indicates that, somehow, ~/.sonar/ssl/truststore.p12 is not found by the SonarScanner CLI, even though keytool seems to have generated it, as we can see from the following two log lines:

2024-12-02T11:05:19.0560310Z Adding SSL certificate to the Scanner truststore
2024-12-02T11:05:19.2017806Z Certificate was added to keystore

I suspect that the issue may come from container.image: ***/node:20, which executes the action in a Docker container powering Node 20. Maybe, when running in such an environment, ~/.sonar/ssl/truststore.p12 cannot be generated, for some reason.

In order to validate or reject the hypothesis, could you please try running in the environment of your runner, by removing container and having runs-on: ubuntu-latest only?

If you need to run in such a containerized environment, it would be very useful for us to understand why (security constraints or other).

Thanks,
Antonio

Hi @antonio.aversa

I’ve now tested it without the container and there it works without any issues. Thanks for your input.

The reason we use a containerized environment is that there were some version-constraints on our self-hosted runners preventing us from installing node-20 (can’t recall what exactly anymore). These constraints have since been resolved and there isn’t any reason that prevents us from using a normal environment anymore. We’ll migrate our workflows away from this containerized environment.

Thanks again for your help 😃

Hi @higgs01,

Glad to have been of help 🙂

In the meantime I have run more tests and I think I now have a good understanding of the reason why the p12 file was not picked up.

It has to do with the way HOME is dealt with when running a job in a containerized environment (see here).
Basically, we put the p12 under /github/home/.sonar/ssh/truststore.p12, but the scanner is looking for it under /root/.sonar/ssh/ (the actions inside the container run as root).
Therefore, the SonarScanner doesn’t find it.

I have initiated an internal discussion of how to best approach this problem, which is going to be fixed in the next release of the GitHub action.

Best regards,
Antonio


Hi @higgs01,

For your info, should you need to reintroduce container in your workflow for any reason: we have identified the root cause, as well as a workaround to the problem.

We have documented it here, under the “When running the SonarQube scan GitHub Action” section:

Due to a known GitHub issue, if your GitHub Action v4 and above

  • uses SONAR_ROOT_CERT
  • and is executed in a containerized environment, for example when the job running the action declares container: <docker-image-name>

you need to explicitly set the SONAR_USER_HOME environment variable to be the "$HOME/.sonar".

You can do that by adding the following step before executing the action:

# Workaround for https://github.com/actions/runner/issues/863
- name: Workaround for containerized environments
  run: echo "SONAR_USER_HOME=$HOME/.sonar" >> $GITHUB_ENV
- name: Run sonar analysis
  uses: SonarSource/sonarqube-scan-action@<action version>
  ...

Best regards,
Antonio

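The path mismatch diagnosed in this thread can be checked before the scan step runs. The following is an added example, not code from the action or from SonarSource: the function names are hypothetical, and it assumes, as the replies above describe, that the action writes the truststore under $HOME/.sonar/ssl while the scanner reads from SONAR_USER_HOME if set and otherwise from .sonar in the account's passwd home directory.

```shell
#!/bin/sh
# Added diagnostic (not part of the action). Function names are hypothetical.
# Assumption taken from the thread: the action writes the truststore under
# $HOME/.sonar/ssl, while the scanner reads <user home>/ssl/truststore.p12,
# where <user home> is SONAR_USER_HOME if set, else <passwd home>/.sonar.

# passwd_home UID [PASSWD_FILE]: home directory the passwd database records for UID.
passwd_home() {
  awk -F: -v uid="$1" '$3 == uid { print $6; exit }' "${2:-/etc/passwd}"
}

# action_truststore HOME: path the action's shell step writes to.
action_truststore() {
  printf '%s/.sonar/ssl/truststore.p12\n' "$1"
}

# scanner_truststore SONAR_USER_HOME PASSWD_HOME: path the scanner reads from.
scanner_truststore() {
  if [ -n "$1" ]; then
    printf '%s/ssl/truststore.p12\n' "$1"
  else
    printf '%s/.sonar/ssl/truststore.p12\n' "$2"
  fi
}

# check_truststore_paths HOME SONAR_USER_HOME PASSWD_HOME
# Returns 0 when both sides agree on the path, 1 otherwise.
check_truststore_paths() {
  ts_written=$(action_truststore "$1")
  ts_read=$(scanner_truststore "$2" "$3")
  if [ "$ts_written" = "$ts_read" ]; then
    echo "OK: truststore written and read at $ts_read"
    return 0
  fi
  echo "MISMATCH: action writes $ts_written but scanner reads $ts_read"
  echo "Set SONAR_USER_HOME=$1/.sonar before the scan step."
  return 1
}

# preflight: run the check against the live job environment.
preflight() {
  check_truststore_paths "$HOME" "${SONAR_USER_HOME:-}" "$(passwd_home "$(id -u)")"
}
```

Calling `preflight` in a `run:` step ahead of the scan makes a containerized job fail early with the two conflicting paths instead of the PKIX stack trace.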
