Uninitialized keystore error in Sonar Gradle Scanner 6+

  • Environment: Jenkins (running build on Windows Agent)
  • JDK: 21 (Corretto)
  • Gradle 8.14
  • Sonar Gradle Plugin 6.2.0.5505

Hi,
when running the “sonar” task with the Sonar Gradle Plugin (at least for version 6+), I get the following keystore error:

org.gradle.api.tasks.TaskExecutionException: Execution failed for task ':sonar'.
at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.lambda$executeIfValid$1(ExecuteActionsTaskExecuter.java:130)	
at org.gradle.internal.Try$Failure.ifSuccessfulOrElse(Try.java:293)	
at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeIfValid(ExecuteActionsTaskExecuter.java:128)
...
Caused by: org.sonarqube.gradle.AnalysisException: nl.altindag.ssl.exception.GenericKeyStoreException: Unable to read truststore from 'D:\dev\.gradle\truststore'	
at org.sonarqube.gradle.SonarTask.run(SonarTask.java:148)	
at jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)	
at org.gradle.internal.reflect.JavaMethod.invoke(JavaMethod.java:125)
...
Caused by: nl.altindag.ssl.exception.GenericKeyStoreException: Unable to read truststore from 'D:\dev\.gradle\truststore'	
at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.configureSsl(OkHttpClientFactory.java:146)	
at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.create(OkHttpClientFactory.java:80)	
at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.init(ScannerHttpClient.java:52)	
at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:147)	
at org.sonarqube.gradle.SonarTask.run(SonarTask.java:134)
...
Caused by: java.security.KeyStoreException: Uninitialized keystore	
at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.configureSsl(OkHttpClientFactory.java:144)	
at org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory.create(OkHttpClientFactory.java:80)	
at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.init(ScannerHttpClient.java:52)	
at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:147)	
at org.sonarqube.gradle.SonarTask.run(SonarTask.java:134)

(Stacktrace is truncated for better readability)

Contrary to the exception above, when checking the truststore using keytool, I could see that the truststore is initialized. This is supported by the fact that other tools, including the Sonar Gradle Plugin up to and including major version 5 can read this truststore without any problems.

I also checked other minor versions of the Sonar Gradle Plugin 6.x, but they all fail with the same KeyStoreException.

Is there any sonar or system property that I might have missed? I tried the workarounds shared in Keystore errors in Sonar Gradle Scanner 6.x and Unable to read truststore error since macOS Sonar Scanner CLI since 7.0.0.4796 - #13 by pdxeng, but they didn’t resolve my issue at hand.

Hey @glu!

Thanks for the report. Can you tell me what version of SonarQube you’re pointing the scanner at?

Hey @Colin,

the SonarQube version is Community Build v25.1.0.102122.

Thanks. I’m not sure what could be causing the issue then. I’ve flagged this for attention, but I suggest continuing to use v5 for now until it gets sorted out!

1 Like

Hi @glu,

Did you manage to fix the issue?

Thanks a lot.

Hi @javier.garcia,

we’re currently using v5 as a workaround, but we probably have to drop that once Gradle 9 is released, since v5 is using lots of deprecated Gradle API that will be removed with Gradle 9.

So it’s not really a proper fix/solution for us.

Hi @glu ,

There is a new release of the plugin: 6.3.1.5724

Might you test if it works?

Cheers.

Hello Javier,

Using the Sonar Maven plugin and JDK 21, I came up with the same issue with sonar-maven-plugin 5.1.0.4751 and sonar-maven-plugin 5.2.0.4988. However it works with sonar-maven-plugin 5.0.0.4389. My SonarQube server is v24.12.0.100206. Do you have any clue?

Many thanks in advance.

Hey @ivandalbosco

Have you tried the latest version?

Hello Colin,

I am afraid you refer to the Sonar Gradle plugin, not to the Sonar Maven plugin. To my knowledge, 5.2.0.4988 is the latest version of the Sonar Maven plugin at this time.

Doh, sorry Ivan. My eyes were too focused on the “Sonar Gradle Scanner 6+” in the topic title!

Could you provide the full stacktrace? Are you explicitly passing sonar.scanner.truststorePath? Doing something else?

Yes Colin, you are right. With

-Djavax.net.ssl.trustStore=/path/to/file/jks

the error message is “Unable to read truststore from ‘/path/to/file/jks’: Uninitialized keystore” and is pretty vague.

Now with

-Dsonar.scanner.truststorePath=/path/to/file/jks

(as per your suggestion) the error message becomes “Unable to read truststore from ‘/path/to/file/jks’: password incorrect or store tampered with”, which is significantly more indicative.

Adding also

-Dsonar.scanner.truststorePassword=""

the error message becomes “BC JKS store is read-only and only supports certificate entries”.

And finally your colleague Julien Henry brilliantly provided the last bit here: by removing a private key that was lying in my .jks truststore, I ended up making my “mvn sonar:sonar” command work with version 5.2 of the Maven plugin.

Thank you very much for your help!

1 Like
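
The last post traces the failure to a private key entry sitting in the .jks truststore. As an added example (not from the thread and not SonarSource's code), a shell pre-flight check that parses `keytool -list` output and reports every entry that is not a `trustedCertEntry`; the function names, the `TRUSTSTORE_PASS` variable and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a truststore holds only certificate entries.
# Function names and the sample listing are constructed for illustration.

# Read `keytool -list` output on stdin and print the alias of every entry
# whose type is PrivateKeyEntry or SecretKeyEntry.
# Assumes the English listing format "alias, date, entryType," and aliases
# that do not contain ", ". A trailing CR (Windows agents) is stripped first.
non_cert_aliases() {
    awk '{ sub(/\r$/, "") }
    /, (PrivateKeyEntry|SecretKeyEntry),? *$/ {
        sub(/, .*$/, "")   # keep the text before the first ", " (the alias)
        print
    }'
}

# Run keytool against a real store: 0 = certificates only, 1 = key entries
# found, 2 = store unreadable. The password is read from the environment
# variable TRUSTSTORE_PASS (assumed name) so it does not appear in argv.
audit_truststore() {
    store=$1
    listing=$(keytool -list -keystore "$store" -storepass:env TRUSTSTORE_PASS) || {
        echo "cannot read $store (wrong password or store type?)" >&2; return 2; }
    bad=$(printf '%s\n' "$listing" | non_cert_aliases)
    if [ -z "$bad" ]; then return 0; fi
    printf '%s\n' "$bad" | while IFS= read -r alias; do
        # Fix on a copy: keytool -delete -alias "$alias" -keystore "$store"
        echo "non-certificate entry in $store: $alias" >&2
    done
    return 1
}

# Constructed sample of `keytool -list` output (not taken from the thread).
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

corp-root-ca, Jan 10, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22 (constructed)
build-agent, Mar 2, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 33:44:55 (constructed)
corp-issuing-ca, Jan 10, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 66:77:88 (constructed)'

printf '%s\n' "$SAMPLE_LISTING" | non_cert_aliases
```

Calling `audit_truststore` on the store passed via `sonar.scanner.truststorePath` as an early CI step surfaces a stray key entry before the scanner task runs.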