Unable to read truststore error on macOS with Sonar Scanner CLI since 7.0.0.4796

Our build servers (macOS 15.2) upgraded the Sonar Scanner CLI to version 7.0.0.4796 via Homebrew. Since this upgrade we get the following error while running the CLI:

Is this a known problem?
Another strange thing is that version 7.x isn't available via your download page:

but it is available via your GitHub repository:

2 Likes

Hi @Patrick_Steiner

Thanks for reporting the issue. I will investigate it.

The 7.0 release was done yesterday, and our documentation may not all be updated yet.

1 Like

I fixed the problem by manually installing Java 17 via Homebrew (`brew install openjdk@17`). In the build script I had to export the `JAVA_HOME` environment variable as `/opt/homebrew/opt/openjdk@17` before calling `sonar-scanner`.
Afaik the problem could be fixed if the Homebrew sonar-scanner formula used `openjdk@17` instead of `openjdk`.

I created a ticket to fix the issue: Jira

2 Likes

Also raised on Upgrade scanner from `6.2.1.4610` to `7.0.0.4796` fail with `password supplied for keystore....` with Windows 10

The same happens with Homebrew for Linux on WSL2.

Java is installed via SDKMAN (temurin21)

```
sonar-scanner -Dsonar.host.url=**** -Dsonar.login=**** -Dsonar.projectKey=***** -Dsonar.branch.name=main
11:40:41.514 INFO  Scanner configuration file: /home/linuxbrew/.linuxbrew/Cellar/sonar-scanner/7.0.0.4796/libexec/conf/sonar-scanner.properties
11:40:41.518 INFO  Project root configuration file: NONE
11:40:41.530 INFO  SonarScanner CLI 7.0.0.4796
11:40:41.532 INFO  Java 21.0.5 Eclipse Adoptium (64-bit)
11:40:41.534 INFO  Linux 5.15.167.4-microsoft-standard-WSL2 amd64
11:40:41.570 INFO  User cache: /home/***/.sonar/cache
11:40:43.741 INFO  EXECUTION FAILURE
11:40:43.742 INFO  Total time: 2.231s
11:40:43.742 ERROR Error during SonarScanner CLI execution
nl.altindag.ssl.exception.GenericKeyStoreException: Unable to read truststore from '/home/****/.sdkman/candidates/java/21.0.5-tem/lib/security/cacerts'
        at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.configureSsl(OkHttpClientFactory.java:141)
        at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.create(OkHttpClientFactory.java:76)
        at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.init(ScannerHttpClient.java:52)
        at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:142)
        at org.sonarsource.scanner.cli.Main.analyze(Main.java:76)
        at org.sonarsource.scanner.cli.Main.main(Main.java:64)
Caused by: java.io.IOException: password supplied for keystore that does not require one
```

I had the same issue. I had to downgrade to Java 17 on my MacBook to get it to work.

Thanks, this works for me too:

```
brew install openjdk@17; echo 'export JAVA_HOME="/opt/homebrew/opt/openjdk@17"' >> ~/.zshrc
```

Can we expect a release soon?

Hi @Julien_HENRY, same issue here with OpenJDK 64-Bit Server VM (build 21.0.5+11-Ubuntu-1ubuntu122.04).
We would prefer not to downgrade from Java 21 to Java 17. How can we make SonarScanner 7.0 work with Java 21?
Thanks

Hi,

I am preparing a bugfix release. Should be completed on Monday.

In the meantime, there is a workaround: set the two environment variables:

```
export SONAR_SCANNER_OPTS="-Dorg.bouncycastle.pkcs12.ignore_useless_passwd=true"
export SONAR_SCANNER_JAVA_OPTS="-Dorg.bouncycastle.pkcs12.ignore_useless_passwd=true"
```
4 Likes

Hi @Julien_HENRY, I just installed v7.0.1.4817, but unfortunately I still have errors on the truststore; here are the logs:

```
09:34:35.701 [xxx-srv] $ /opt/sonar-scanner/bin/sonar-scanner -X -Dsonar.host.url=https://sonarqube.xxx.ch ******** -Dsonar.projectKey=xxx-srv -Dsonar.projectName=xxx/xxx-srv -Dsonar.dependencyCheck.jsonReportPath=./dependency_check/dependency-check-report.json -Dsonar.python.bandit.reportPaths=./banditReport/bandit_report.json -Dsonar.token=**** -Dsonar.sources=. -Dsonar.dependencyCheck.htmlReportPath=./dependency_check/dependency-check-report.html -Dsonar.branch.name=dev -Dsonar.dependencyCheck.xmlReportPath=./dependency_check/dependency-check-report.xml -Dsonar.projectBaseDir=/var/lib/jenkins/workspace/xxx/xxx-srv
09:34:36.031 08:34:36.027 WARN  Property 'sonar.token' with value **** is overridden with value ****
09:34:36.035 08:34:36.034 INFO  Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
09:34:36.036 08:34:36.035 INFO  Project root configuration file: NONE
09:34:36.054 08:34:36.053 INFO  SonarScanner CLI 7.0.1.4817
09:34:36.056 08:34:36.056 INFO  Java 21.0.5 Ubuntu (64-bit)
09:34:36.060 08:34:36.059 INFO  Linux 5.15.0-130-generic amd64
09:34:36.068 08:34:36.067 DEBUG Scanner max available memory: 978 MB
09:34:36.097 08:34:36.096 DEBUG uname -m returned 'x86_64'
09:34:36.097 08:34:36.096 DEBUG Mapping default scanner JVM truststore location '/usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts' to new properties
09:34:36.098 08:34:36.097 DEBUG Create: /home/jenkins/.sonar/cache
09:34:36.098 08:34:36.098 INFO  User cache: /home/jenkins/.sonar/cache
09:34:36.098 08:34:36.098 DEBUG Create: /home/jenkins/.sonar/cache/_tmp
09:34:36.100 08:34:36.099 DEBUG Using truststore: /usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts
09:34:36.191 08:34:36.190 DEBUG Loading OS trusted SSL certificates...
09:34:36.192 08:34:36.191 DEBUG This operation might be slow or even get stuck. You can skip it by passing the scanner property 'sonar.scanner.skipSystemTruststore=true'
09:34:36.386 08:34:36.384 DEBUG Loaded [438] system trusted certificates
09:34:36.518 08:34:36.517 INFO  EXECUTION FAILURE
09:34:36.519 08:34:36.518 INFO  Total time: 0.486s
09:34:36.521 08:34:36.519 ERROR Error during SonarScanner CLI execution
09:34:36.521 nl.altindag.ssl.exception.GenericKeyStoreException: Unable to read truststore from '/usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts'
09:34:36.521 	at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.configureSsl(OkHttpClientFactory.java:144)
09:34:36.521 	at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.create(OkHttpClientFactory.java:79)
09:34:36.521 	at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.init(ScannerHttpClient.java:52)
09:34:36.521 	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:142)
09:34:36.521 	at org.sonarsource.scanner.cli.Main.analyze(Main.java:76)
09:34:36.521 	at org.sonarsource.scanner.cli.Main.main(Main.java:64)
09:34:36.521 Caused by: java.io.IOException: password incorrect or store tampered with
09:34:36.521 	at org.bouncycastle.jcajce.provider.keystore.util.JKSKeyStoreSpi.validateStream(Unknown Source)
09:34:36.521 	at org.bouncycastle.jcajce.provider.keystore.util.JKSKeyStoreSpi.engineLoad(Unknown Source)
09:34:36.521 	at org.bouncycastle.jcajce.provider.keystore.util.AdaptingKeyStoreSpi.engineLoad(Unknown Source)
09:34:36.521 	at java.base/java.security.KeyStore.load(KeyStore.java:1500)
09:34:36.521 	at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.loadKeyStoreWithPassword(OkHttpClientFactory.java:181)
09:34:36.521 	at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.loadTrustStoreWithBouncyCastle(OkHttpClientFactory.java:167)
09:34:36.522 	at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.configureSsl(OkHttpClientFactory.java:138)
09:34:36.522 	... 5 common frames omitted
09:34:36.567 WARN: Unable to locate 'report-task.txt' in the workspace. Did the SonarScanner succeed?
09:34:36.568 ERROR: SonarQube scanner exited with non-zero code: 1
```

Let me know if you need other info to troubleshoot the problem.
Thanks a lot

Hi @pdxeng

Thanks for the feedback.

Have you changed the default password of your JRE cacerts? The Scanner CLI 7.0.1 now supports "changeit" or an empty password (this is the new default since Java 18). But if you have a different password for /usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts, then you have to pass it to the scanner, using for example `-Dsonar.scanner.truststorePassword=xxxx`.

Let me know if that helps.

1 Like

I tried downloading the cacerts locally, and I confirm that the one used on the Jenkins worker has an empty password.

@Patrick_Steiner or @jonesbusy may I ask you to try 7.0.1 as well? I would like to see if this is the same issue, or something else.

@pdxeng any chance you could run the scanner with the parameter `-Dsonar.scanner.internal.dumpToFile=out.properties` and inspect the generated file for any property related to SSL that would indicate you are asking the scanner to read the truststore with a non-empty password?

I updated our CI servers today (via Homebrew); they now have 7.0.1.4817 installed.
I also removed the `JAVA_HOME` environment variable, and sonar-scanner now works again without any problems.

Thanks for the quick fix.

Thanks @Patrick_Steiner !

Thanks. Also confirmed that it works on our CI and Homebrew installation.

Hi @Julien_HENRY, in the output file I can only see this:

```
sonar.scanner.truststorePath=/usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts
```

[sonar-out.properties.txt|attachment](upload://3XG1beCwUShPD9Fcj3DGQq4SovE.txt) (3.5 KB)

A couple of notes:

  • errors in execution with the original cacerts (blank password):

```
12:15:06.490 11:15:06.489 DEBUG Loaded [438] system trusted certificates
12:15:06.619 11:15:06.617 INFO  EXECUTION FAILURE
12:15:06.619 11:15:06.618 INFO  Total time: 0.470s
12:15:06.621 11:15:06.618 ERROR Error during SonarScanner CLI execution
12:15:06.621 nl.altindag.ssl.exception.GenericKeyStoreException: Unable to read truststore from '/usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts'
12:15:06.621 	at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.configureSsl(OkHttpClientFactory.java:144)
12:15:06.621 	at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.create(OkHttpClientFactory.java:79)
12:15:06.621 	at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.init(ScannerHttpClient.java:52)
12:15:06.621 	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:142)
12:15:06.621 	at org.sonarsource.scanner.cli.Main.analyze(Main.java:76)
12:15:06.621 	at org.sonarsource.scanner.cli.Main.main(Main.java:64)
12:15:06.621 Caused by: java.io.IOException: password incorrect or store tampered with
12:15:06.621 	at org.bouncycastle.jcajce.provider.keystore.util.JKSKeyStoreSpi.validateStream(Unknown Source)
12:15:06.621 	at org.bouncycastle.jcajce.provider.keystore.util.JKSKeyStoreSpi.engineLoad(Unknown Source)
12:15:06.621 	at org.bouncycastle.jcajce.provider.keystore.util.AdaptingKeyStoreSpi.engineLoad(Unknown Source)
12:15:06.621 	at java.base/java.security.KeyStore.load(KeyStore.java:1500)
12:15:06.621 	at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.loadKeyStoreWithPassword(OkHttpClientFactory.java:181)
12:15:06.621 	at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.loadTrustStoreWithBouncyCastle(OkHttpClientFactory.java:167)
12:15:06.621 	at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.configureSsl(OkHttpClientFactory.java:138)
12:15:06.621 	... 5 common frames omitted
```

  • applied the "changeme" password to cacerts, new errors:

```
12:13:43.560 11:13:43.558 DEBUG Loaded [438] system trusted certificates
12:13:43.749 11:13:43.747 INFO  EXECUTION FAILURE
12:13:43.752 11:13:43.749 INFO  Total time: 0.592s
12:13:43.752 11:13:43.749 ERROR Error during SonarScanner CLI execution
12:13:43.752 nl.altindag.ssl.exception.GenericKeyStoreException: Unable to read truststore from '/usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts'
12:13:43.752 	at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.configureSsl(OkHttpClientFactory.java:144)
12:13:43.752 	at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.create(OkHttpClientFactory.java:79)
12:13:43.752 	at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.init(ScannerHttpClient.java:52)
12:13:43.752 	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:142)
12:13:43.752 	at org.sonarsource.scanner.cli.Main.analyze(Main.java:76)
12:13:43.752 	at org.sonarsource.scanner.cli.Main.main(Main.java:64)
12:13:43.753 Caused by: java.io.IOException: BC JKS store is read-only and only supports certificate entries
12:13:43.753 	at org.bouncycastle.jcajce.provider.keystore.util.JKSKeyStoreSpi.engineLoad(Unknown Source)
12:13:43.753 	at org.bouncycastle.jcajce.provider.keystore.util.AdaptingKeyStoreSpi.engineLoad(Unknown Source)
12:13:43.753 	at java.base/java.security.KeyStore.load(KeyStore.java:1500)
12:13:43.753 	at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.loadKeyStoreWithPassword(OkHttpClientFactory.java:181)
12:13:43.753 	at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.loadTrustStoreWithBouncyCastle(OkHttpClientFactory.java:167)
12:13:43.753 	at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.configureSsl(OkHttpClientFactory.java:138)
12:13:43.753 	... 5 common frames omitted
```

Hmm, that's strange.

Is this a vanilla OpenJDK installation? Have you manually edited the cacerts file? If you are sure the cacerts is the one from the default OpenJDK and doesn't contain sensitive data, would you be able to share it with me?

If you (or something in your infra) did some modifications to the keystore, I would be happy to know the commands that are run, to try to reproduce the issue on my side.