Our build servers (macOS 15.2) upgraded the sonar scanner cli to version 7.0.0.4796 via homebrew. Since this upgrade we get the following error while running the cli:
I fixed the problem by manually installing Java 17 via homebrew (brew install openjdk@17). In the build script I had to export the JAVA_HOME environment variable to: /opt/homebrew/opt/openjdk@17 before I call sonar-scanner.
Afaik the problem could be fixed if the homebrew sonar-scanner formula uses openjdk@17 instead of openjdk.
sonar-scanner -Dsonar.host.url=**** -Dsonar.login=**** -Dsonar.projectKey=***** -Dsonar.branch.name=main
11:40:41.514 INFO Scanner configuration file: /home/linuxbrew/.linuxbrew/Cellar/sonar-scanner/7.0.0.4796/libexec/conf/sonar-scanner.properties
11:40:41.518 INFO Project root configuration file: NONE
11:40:41.530 INFO SonarScanner CLI 7.0.0.4796
11:40:41.532 INFO Java 21.0.5 Eclipse Adoptium (64-bit)
11:40:41.534 INFO Linux 5.15.167.4-microsoft-standard-WSL2 amd64
11:40:41.570 INFO User cache: /home/***/.sonar/cache
11:40:43.741 INFO EXECUTION FAILURE
11:40:43.742 INFO Total time: 2.231s
11:40:43.742 ERROR Error during SonarScanner CLI execution
nl.altindag.ssl.exception.GenericKeyStoreException: Unable to read truststore from '/home/****/.sdkman/candidates/java/21.0.5-tem/lib/security/cacerts'
at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.configureSsl(OkHttpClientFactory.java:141)
at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.create(OkHttpClientFactory.java:76)
at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.init(ScannerHttpClient.java:52)
at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:142)
at org.sonarsource.scanner.cli.Main.analyze(Main.java:76)
at org.sonarsource.scanner.cli.Main.main(Main.java:64)
Caused by: java.io.IOException: password supplied for keystore that does not require one
Hi @Julien_HENRY, same issue here with OpenJDK 64-Bit Server VM (build 21.0.5+11-Ubuntu-1ubuntu122.04).
We would prefer not to downgrade from Java 21 to Java 17; how can we make SonarScanner 7.0 work with Java 21?
Thanks
Hi @Julien_HENRY, I just installed v7.0.1.4817, but unfortunately I still have errors on the truststore; here are the logs:
09:34:35.701 [xxx-srv] $ /opt/sonar-scanner/bin/sonar-scanner -X -Dsonar.host.url=https://sonarqube.xxx.ch ******** -Dsonar.projectKey=xxx-srv -Dsonar.projectName=xxx/xxx-srv -Dsonar.dependencyCheck.jsonReportPath=./dependency_check/dependency-check-report.json -Dsonar.python.bandit.reportPaths=./banditReport/bandit_report.json -Dsonar.token=**** -Dsonar.sources=. -Dsonar.dependencyCheck.htmlReportPath=./dependency_check/dependency-check-report.html -Dsonar.branch.name=dev -Dsonar.dependencyCheck.xmlReportPath=./dependency_check/dependency-check-report.xml -Dsonar.projectBaseDir=/var/lib/jenkins/workspace/xxx/xxx-srv
09:34:36.031 08:34:36.027 WARN Property 'sonar.token' with value **** is overridden with value ****
09:34:36.035 08:34:36.034 INFO Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
09:34:36.036 08:34:36.035 INFO Project root configuration file: NONE
09:34:36.054 08:34:36.053 INFO SonarScanner CLI 7.0.1.4817
09:34:36.056 08:34:36.056 INFO Java 21.0.5 Ubuntu (64-bit)
09:34:36.060 08:34:36.059 INFO Linux 5.15.0-130-generic amd64
09:34:36.068 08:34:36.067 DEBUG Scanner max available memory: 978 MB
09:34:36.097 08:34:36.096 DEBUG uname -m returned 'x86_64'
09:34:36.097 08:34:36.096 DEBUG Mapping default scanner JVM truststore location '/usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts' to new properties
09:34:36.098 08:34:36.097 DEBUG Create: /home/jenkins/.sonar/cache
09:34:36.098 08:34:36.098 INFO User cache: /home/jenkins/.sonar/cache
09:34:36.098 08:34:36.098 DEBUG Create: /home/jenkins/.sonar/cache/_tmp
09:34:36.100 08:34:36.099 DEBUG Using truststore: /usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts
09:34:36.191 08:34:36.190 DEBUG Loading OS trusted SSL certificates...
09:34:36.192 08:34:36.191 DEBUG This operation might be slow or even get stuck. You can skip it by passing the scanner property 'sonar.scanner.skipSystemTruststore=true'
09:34:36.386 08:34:36.384 DEBUG Loaded [438] system trusted certificates
09:34:36.518 08:34:36.517 INFO EXECUTION FAILURE
09:34:36.519 08:34:36.518 INFO Total time: 0.486s
09:34:36.521 08:34:36.519 ERROR Error during SonarScanner CLI execution
09:34:36.521 nl.altindag.ssl.exception.GenericKeyStoreException: Unable to read truststore from '/usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts'
09:34:36.521 at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.configureSsl(OkHttpClientFactory.java:144)
09:34:36.521 at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.create(OkHttpClientFactory.java:79)
09:34:36.521 at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.init(ScannerHttpClient.java:52)
09:34:36.521 at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:142)
09:34:36.521 at org.sonarsource.scanner.cli.Main.analyze(Main.java:76)
09:34:36.521 at org.sonarsource.scanner.cli.Main.main(Main.java:64)
09:34:36.521 Caused by: java.io.IOException: password incorrect or store tampered with
09:34:36.521 at org.bouncycastle.jcajce.provider.keystore.util.JKSKeyStoreSpi.validateStream(Unknown Source)
09:34:36.521 at org.bouncycastle.jcajce.provider.keystore.util.JKSKeyStoreSpi.engineLoad(Unknown Source)
09:34:36.521 at org.bouncycastle.jcajce.provider.keystore.util.AdaptingKeyStoreSpi.engineLoad(Unknown Source)
09:34:36.521 at java.base/java.security.KeyStore.load(KeyStore.java:1500)
09:34:36.521 at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.loadKeyStoreWithPassword(OkHttpClientFactory.java:181)
09:34:36.521 at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.loadTrustStoreWithBouncyCastle(OkHttpClientFactory.java:167)
09:34:36.522 at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.configureSsl(OkHttpClientFactory.java:138)
09:34:36.522 ... 5 common frames omitted
09:34:36.567 WARN: Unable to locate 'report-task.txt' in the workspace. Did the SonarScanner succeed?
09:34:36.568 ERROR: SonarQube scanner exited with non-zero code: 1
Let me know if you need other info to troubleshoot the problem.
Thanks a lot
Have you changed the default password of your JRE cacerts? The Scanner CLI 7.0.1 now supports “changeit” or an empty password (this is the new default since Java 18). But if you have a different password for /usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts then you have to pass it to the scanner, using for example -Dsonar.scanner.truststorePassword=xxxx
@Patrick_Steiner or @jonesbusy may I ask you to try 7.0.1 as well? I would like to see if this is the same issue, or something else.
@pdxeng any chance you could run the scanner with the parameter -Dsonar.scanner.internal.dumpToFile=out.properties and inspect the generated file for any property related to SSL that would indicate you are asking the scanner to read the truststore with a non-empty password?
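Added example, not part of the original thread and not SonarScanner's own code: for a JKS-format truststore, the trailing SHA-1 integrity digest can be recomputed offline to see whether the file was written with "changeit", an empty password, or something else that would have to be passed via -Dsonar.scanner.truststorePassword. The function names and the empty sample store are constructed for illustration; a PKCS12 store is only identified here, not verified.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
SALT = b"Mighty Aphrodite"  # fixed string mixed into every JKS integrity hash


def _keyed_sha1(password: str, body: bytes) -> bytes:
    # JKS hashes the password as two bytes per char (UTF-16BE), then the
    # fixed salt string, then every store byte that precedes the digest.
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()


def store_format(data: bytes) -> str:
    """Guess the container type from the leading bytes."""
    if len(data) >= 4 and struct.unpack(">I", data[:4])[0] == JKS_MAGIC:
        return "JKS"
    if data[:1] == b"\x30":  # DER SEQUENCE tag, as at the start of PKCS#12
        return "PKCS12"
    return "unknown"


def jks_password_ok(data: bytes, password: str) -> bool:
    """True when the trailing 20-byte digest matches this password."""
    body, digest = data[:-20], data[-20:]
    return hmac.compare_digest(_keyed_sha1(password, body), digest)


def diagnose(data: bytes, candidates=("changeit", "")):
    """Return (format, passwords from `candidates` that validate the store)."""
    fmt = store_format(data)
    if fmt != "JKS":
        return fmt, []
    return fmt, [p for p in candidates if jks_password_ok(data, p)]


def make_empty_jks(password: str) -> bytes:
    """Constructed sample input: a version 2 JKS store with zero entries."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + _keyed_sha1(password, body)


if __name__ == "__main__":
    print(diagnose(make_empty_jks("changeit")))   # default password validates
    print(diagnose(make_empty_jks("site-pass")))  # neither default validates
```

An empty list for a JKS file means neither default password matches the digest, which is the condition reported as "password incorrect or store tampered with"; the same result appears if the file was modified after it was written.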
I updated our CI servers today (via homebrew); they now have 7.0.1.4817 installed.
I also removed the JAVA_HOME environment variable and sonar-scanner now works again without any problems.
errors in execution with original cacert (blank password):
12:15:06.490 11:15:06.489 DEBUG Loaded [438] system trusted certificates
12:15:06.619 11:15:06.617 INFO EXECUTION FAILURE
12:15:06.619 11:15:06.618 INFO Total time: 0.470s
12:15:06.621 11:15:06.618 ERROR Error during SonarScanner CLI execution
12:15:06.621 nl.altindag.ssl.exception.GenericKeyStoreException: Unable to read truststore from '/usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts'
12:15:06.621 at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.configureSsl(OkHttpClientFactory.java:144)
12:15:06.621 at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.create(OkHttpClientFactory.java:79)
12:15:06.621 at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.init(ScannerHttpClient.java:52)
12:15:06.621 at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:142)
12:15:06.621 at org.sonarsource.scanner.cli.Main.analyze(Main.java:76)
12:15:06.621 at org.sonarsource.scanner.cli.Main.main(Main.java:64)
12:15:06.621 Caused by: java.io.IOException: password incorrect or store tampered with
12:15:06.621 at org.bouncycastle.jcajce.provider.keystore.util.JKSKeyStoreSpi.validateStream(Unknown Source)
12:15:06.621 at org.bouncycastle.jcajce.provider.keystore.util.JKSKeyStoreSpi.engineLoad(Unknown Source)
12:15:06.621 at org.bouncycastle.jcajce.provider.keystore.util.AdaptingKeyStoreSpi.engineLoad(Unknown Source)
12:15:06.621 at java.base/java.security.KeyStore.load(KeyStore.java:1500)
12:15:06.621 at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.loadKeyStoreWithPassword(OkHttpClientFactory.java:181)
12:15:06.621 at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.loadTrustStoreWithBouncyCastle(OkHttpClientFactory.java:167)
12:15:06.621 at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.configureSsl(OkHttpClientFactory.java:138)
12:15:06.621 ... 5 common frames omitted
applied “changeme” password to cacert, new errors:
12:13:43.560 11:13:43.558 DEBUG Loaded [438] system trusted certificates
12:13:43.749 11:13:43.747 INFO EXECUTION FAILURE
12:13:43.752 11:13:43.749 INFO Total time: 0.592s
12:13:43.752 11:13:43.749 ERROR Error during SonarScanner CLI execution
12:13:43.752 nl.altindag.ssl.exception.GenericKeyStoreException: Unable to read truststore from '/usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts'
12:13:43.752 at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.configureSsl(OkHttpClientFactory.java:144)
12:13:43.752 at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.create(OkHttpClientFactory.java:79)
12:13:43.752 at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.init(ScannerHttpClient.java:52)
12:13:43.752 at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:142)
12:13:43.752 at org.sonarsource.scanner.cli.Main.analyze(Main.java:76)
12:13:43.752 at org.sonarsource.scanner.cli.Main.main(Main.java:64)
12:13:43.753 Caused by: java.io.IOException: BC JKS store is read-only and only supports certificate entries
12:13:43.753 at org.bouncycastle.jcajce.provider.keystore.util.JKSKeyStoreSpi.engineLoad(Unknown Source)
12:13:43.753 at org.bouncycastle.jcajce.provider.keystore.util.AdaptingKeyStoreSpi.engineLoad(Unknown Source)
12:13:43.753 at java.base/java.security.KeyStore.load(KeyStore.java:1500)
12:13:43.753 at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.loadKeyStoreWithPassword(OkHttpClientFactory.java:181)
12:13:43.753 at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.loadTrustStoreWithBouncyCastle(OkHttpClientFactory.java:167)
12:13:43.753 at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.configureSsl(OkHttpClientFactory.java:138)
12:13:43.753 ... 5 common frames omitted
Is this a vanilla openjdk installation? Have you manually edited the cacerts file? If you are sure the cacerts is the one from the default openjdk and doesn’t contain sensitive data, would you be able to share it with me?
If you (or something in your infra) did some modifications to the keystore, I would be happy to know the commands that are run, to try to reproduce the issue on my side.