Updating Truststore in latest Scanner Docker Container

Our Environment:

  • Docker Container
  • sonarsource/sonar-scanner-cli
  • Version 11.2
  • Maven Application

And a thorough description of the problem / question:

Our SonarQube Server has a self-signed certificate. With the latest version of the sonar-scanner-cli container, the container is no longer running as root so we can’t add our certificate to the cacert of the JRE using keytool.

What is our best path forward to fix this for our Maven application?

Hey there.

Check out the docs here (Providing a PKCS#12 keystore)

The Changelog for the SonarScanner CLI Docker Image states the following.

Version 10 has introduced a significant change that could potentially affect some users. In this version, the underlying SonarScanner CLI process is executed with a regular user (uid 1000), instead of the root user. You may encounter permission issues on your volumes or bind mounts.

This is why we can no longer just inject our certificate into the system cacerts file.

The way I see it, we had two options.

Option 1

Build a Docker image from the SonarScanner CLI Docker Image adding the required certificate(s) to the image.

Option 2

Use alternative cacerts to system one, with the desired certificates injected.

Conclusion

Option 1 would be a lot of effort to maintain long term. If we could get it working, Option 2 is the simpler long-term path.

We copied the system cacerts to our local directory, then added our certificate to it using keytool. Then, following the instructions here, as shared by Colin, we followed the Maven instructions to tell it an alternate path for the cacerts file.

export SONAR_SCANNER_OPTS="-Djavax.net.ssl.trustStore=cacerts -Djavax.net.ssl.trustStorePassword=changeit" 

After updating the cacerts and running the export to set SONAR_SCANNER_OPTS, we were then able to execute Maven to compile the application and run the scan, pushing the results to our SonarQube instance.
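The Option 2 procedure above, written out as a script. This is an added example, not code from the thread or from SonarSource: it copies the host JDK's cacerts, imports the self-signed server certificate with keytool, verifies the alias is present, checks that the copy is readable by the container's non-root uid 1000, and builds the SONAR_SCANNER_OPTS value. The variable names (SONAR_CERT_FILE, STORE_FILE, CERT_ALIAS, STORE_PASS) and the alias "sonarqube" are assumptions for illustration; /usr/src is the bind-mount target documented for the sonar-scanner-cli image, and the docker run at the end only fires when SONAR_HOST_URL and SONAR_TOKEN are set.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): build a per-project truststore for a
# self-signed SonarQube certificate and hand it to the non-root scanner container.
# Assumptions: a JDK with java/keytool on the host; the scanner image's documented
# workdir/bind-mount is /usr/src; SONAR_CERT_FILE points at the server's PEM cert.
set -eu

STORE_PASS="${STORE_PASS:-changeit}"   # default password of the JDK cacerts file
STORE_FILE="${STORE_FILE:-./cacerts}"  # copy in $PWD that we bind-mount into the container
CERT_ALIAS="${CERT_ALIAS:-sonarqube}"  # hypothetical alias for the imported certificate

# JVM options that point the scanner at our truststore instead of the system one.
truststore_opts() {
  local store="$1" pass="${2:-changeit}"
  printf -- '-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s' "$store" "$pass"
}

# The container runs as uid 1000, so a bind-mounted file owned by the host user
# must carry the "other" read bit, or the JVM cannot open it. Parse ls -l so this
# works on both GNU and BSD userlands (a file owned by uid 1000 would also do).
world_readable() {
  local mode
  mode="$(ls -ld -- "$1" | cut -c1-10)"
  case "$mode" in
    ???????r??) return 0 ;;
    *) return 1 ;;
  esac
}

# Locate the host JDK's cacerts (lib/security for Java 9+, jre/lib/security before).
system_cacerts() {
  local home
  home="$(java -XshowSettings:properties -version 2>&1 | awk -F'= ' '/java.home/ {print $2}')"
  if [ -f "$home/lib/security/cacerts" ]; then
    printf '%s\n' "$home/lib/security/cacerts"
  else
    printf '%s\n' "$home/jre/lib/security/cacerts"
  fi
}

# Copy the system cacerts, import the self-signed certificate, verify it landed,
# and make the result readable by the container's uid 1000.
build_truststore() {
  local cert="$1"
  cp -- "$(system_cacerts)" "$STORE_FILE"
  chmod 644 "$STORE_FILE"
  keytool -importcert -noprompt -trustcacerts \
    -alias "$CERT_ALIAS" -file "$cert" \
    -keystore "$STORE_FILE" -storepass "$STORE_PASS"
  # keytool -list exits non-zero if the alias is missing: fail here, not at scan time.
  keytool -list -keystore "$STORE_FILE" -storepass "$STORE_PASS" -alias "$CERT_ALIAS" >/dev/null
  world_readable "$STORE_FILE"
}

if [ -n "${SONAR_CERT_FILE:-}" ]; then
  build_truststore "$SONAR_CERT_FILE"
  # Inside the container the bind-mounted project root is /usr/src, so the
  # trustStore path is given as seen from the container, not the host path.
  SONAR_SCANNER_OPTS="$(truststore_opts "/usr/src/$(basename "$STORE_FILE")" "$STORE_PASS")"
  export SONAR_SCANNER_OPTS
  echo "SONAR_SCANNER_OPTS=$SONAR_SCANNER_OPTS"
  if [ -n "${SONAR_HOST_URL:-}" ] && [ -n "${SONAR_TOKEN:-}" ]; then
    docker run --rm \
      -e SONAR_HOST_URL="$SONAR_HOST_URL" -e SONAR_TOKEN="$SONAR_TOKEN" \
      -e SONAR_SCANNER_OPTS="$SONAR_SCANNER_OPTS" \
      -v "$PWD:/usr/src" sonarsource/sonar-scanner-cli
  fi
fi
```

Run it from the project root as `SONAR_CERT_FILE=server.pem ./truststore.sh`. The same exported SONAR_SCANNER_OPTS value is what the Maven build picks up when the scan runs outside the CLI image; the two checks worth keeping in a pipeline are the `keytool -list` of the alias (proves the import happened) and the world-readable test (the failure mode introduced by the image no longer running as root).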
