We have a need to spawn fresh VMs to run sonarscanner via GitLab CI. We’re almost there. Our last challenge is getting a private-CA-generated certificate to work. There’s a handful of solutions I can think of, but I’m not sure what the correct solution is.
Primary question
- How does “JreResolver” work? If I can pre-install Java, that will solve everything, cause then I can pre-update the keystore. I’ve got both PATH and JAVA_HOME set correctly, and that seems to have no effect.
Details
I believe the issue is due to sonarscanner failing to find the Java installed on the template machine, and so it downloads a fresh JRE from our SonarQube server, which of course doesn’t have the keystore updated in whatever JRE it downloaded. If the machine was persistent, I’d run the sonarscanner once, let it fail, then manually update the Java keystore that’s deep in the ~/.sonar/cache/ area. Seems like a messy solution though.
Here’s the original error
> dotnet-sonarscanner end /d:sonar.token=$SONARQUBE_TOKEN
...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Here’s what’s leading to that error
23:25:13.093 JreResolver: Resolving JRE path.
23:25:13.096 Downloading from https://<PRIVATE_DNS>.com/api/v2/analysis/jres?os=linux&arch=x64...
23:25:13.104 Response received from https://<PRIVATE_DNS>.com/api/v2/analysis/jres?os=linux&arch=x64...
23:25:13.25 JreResolver: Cache miss. Attempting to download JRE.
23:25:13.26 Starting the Java Runtime Environment download.
# THE FRESHLY DOWNLOADED JRE OBVIOUSLY WON’T HAVE PRIVATE CERT INSTALLED
Bonus note: I see on our SonarQube server, there’s a directory “sonarqube\jres” with a bunch of zip/gz files. I’m guessing one of those is downloaded. So I’m kinda guessing I could unzip all those, update the keystores, and re-zip them if I wanted to. However, this doesn’t get what we REALLY want, which is a fresh VM where everything is already downloaded and ready to go. Since this is for CI, we really want everything as fast as possible.
I’ve already installed openjdk-17-jre on the template VM, and ensured PATH and JAVA_HOME both have the correct path to java, and that seems to do nothing.
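
The keystore update described in the post, written out as an added example that is not part of the original post: it imports a private CA into every JRE trust store found under the directories it is given, such as the installed JDK and any JRE already sitting under ~/.sonar/cache. The function names, the CA path and alias in the usage comment, and the reliance on the JDK default store password are assumptions.

```shell
#!/bin/sh
# Added example: trust a private CA in every JRE trust store on a template VM.
STOREPASS="${STOREPASS:-changeit}"   # assumption: stores keep the JDK default password

# find_truststores DIR...: print each lib/security/cacerts file below the DIRs.
find_truststores() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        # -L follows symlinks: Debian's OpenJDK links cacerts to /etc/ssl/certs/java
        find -L "$root" -type f -path '*/lib/security/cacerts' 2>/dev/null
    done | sort -u
}

# trust_ca_in_store STORE CA_FILE ALIAS: import unless the alias already exists.
# Prints "present", "imported" or "failed", then the store path.
trust_ca_in_store() {
    if keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$3" >/dev/null 2>&1; then
        echo "present $1"
    elif keytool -importcert -noprompt -trustcacerts -keystore "$1" \
            -storepass "$STOREPASS" -alias "$3" -file "$2" >/dev/null 2>&1; then
        echo "imported $1"
    else
        echo "failed $1"
        return 1
    fi
}

# trust_ca_everywhere CA_FILE ALIAS DIR...: returns 0 only if every store trusts the CA.
trust_ca_everywhere() {
    ca=$1 ca_alias=$2
    shift 2
    [ -r "$ca" ] || { echo "cannot read CA file: $ca" >&2; return 2; }
    find_truststores "$@" | (
        rc=0
        while IFS= read -r store; do
            trust_ca_in_store "$store" "$ca" "$ca_alias" || rc=1
        done
        exit "$rc"
    )
}

# Usage while building the template (CA path and alias are placeholders):
#   trust_ca_everywhere /path/to/private-ca.pem private-ca "$JAVA_HOME" "$HOME/.sonar/cache"
```

A second run reports `present` for each store, so the step can be repeated safely in a template build.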