Hi there, fellow .NET developers,
We have released version 9.2 of the scanner for .NET (actually, 9.2.0 and then 9.2.1 shortly after).
This new version aims to address the pain points associated with “private” certificates and JRE auto-provisioning on SonarQube Server.
Concretely, we addressed the following:
If you are migrating from a pre-10.6 version of SonarQube:
You should see no issue, and you should not need to touch your existing pipelines.
On Windows, you should have installed your private certificates in the Windows certificate store, and this will work transparently.
On Linux, we do our best to find your existing certificates (in the OS trust store and in the existing Java installation, taking into account the parameters you used to pass in, such as the javax.net.ssl.* properties passed in through the SONAR_SCANNER_OPTS environment variable) and use them.
There might be cases where we fail to find the existing certificates in the local Java Runtime Environment (JRE). Please do not hesitate to report those cases with a description of the actual paths so we can investigate what we missed.
If you are setting up a fresh new pipeline:
You can now specify a file containing the private certificates using the sonar.scanner.truststorePath and sonar.scanner.truststorePassword properties. Please refer to the documentation on how to set that up.
When using those parameters, you do not need to install the certificates in the OS trust store anymore. Of course, on Windows, you can still use the Windows certificate store if you so choose.
One point of vigilance: when you rely on the second option (local trust store passed in through analysis parameters), we, unfortunately, cannot enforce the Certificate Revocation List (CRL) when the issuing certificate authority is given via the TrustStore file. This means that revoked certificates will still be trusted when the issuing certificate is given via the TrustStore file.
Once we have had time to gather feedback, we will publish an updated Azure DevOps extension that targets version 9.2 by default. In the meantime, you can use the task inputs to manually select this version if you so choose.
As always, we hope this will work for you and await your feedback on how to improve it.
Denis
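
The following is an added example, not part of the original post and not Sonar code: a pre-flight helper for Linux pipelines that reads the javax.net.ssl.* settings out of SONAR_SCANNER_OPTS and reports the trust store file in use, so pipelines that depend on a trust store file (where the CRL is not enforced) can be found and tracked. The function names, the output format and the mapping onto the sonar.scanner.* property names are assumptions made for illustration, as is the rule that option values contain no spaces.

```shell
#!/bin/sh
# Added example (constructed, not Sonar code). Assumes option values contain
# no spaces, since the string is split on whitespace.

# Print the value of the last -D<name>=<value> token in an options string.
opt_value() (
    set -f                      # do not glob-expand tokens while splitting
    found=
    for tok in $1; do
        case "$tok" in
            "-D$2="*) found=${tok#"-D$2="} ;;
        esac
    done
    printf '%s' "$found"
)

# Report the trust store settings found in an options string and the
# sonar.scanner.* properties they would map to (mapping is an assumption).
# The password value is never printed, only whether one is present.
truststore_report() (
    path=$(opt_value "$1" javax.net.ssl.trustStore)
    pass=$(opt_value "$1" javax.net.ssl.trustStorePassword)
    if [ -z "$path" ]; then
        echo "truststore-file=none"
    else
        echo "sonar.scanner.truststorePath=$path"
        if [ -n "$pass" ]; then
            echo "sonar.scanner.truststorePassword=<set>"
        else
            echo "sonar.scanner.truststorePassword=<missing>"
        fi
        if [ -r "$path" ]; then echo "readable=yes"; else echo "readable=no"; fi
        # Per the caveat above: CAs supplied through a trust store file are
        # trusted without CRL enforcement, so track revocation out of band.
        echo "crl-enforced=no"
    fi
)

# Inspect the current environment (prints truststore-file=none when unset).
truststore_report "${SONAR_SCANNER_OPTS:-}"
```

Run it on the build agent as the account that executes the analysis, so the readability check reflects what the scanner will actually be able to open.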