Use of azuredevops v2 tasks fails on self hosted agent

  • ALM used : Azure DevOps
  • CI system used Azure DevOps
  • Scanner command used when applicable (private details masked)
```yaml
- task: SonarCloudPrepare@2
  displayName: Intialisation à l'analyse SonarCloud
  condition: and(succeeded(), ne('${{ parameters.IsSonarAnalysisToBeDone }}',false))
  inputs:
    SonarCloud: 'd282c99c-9a02-4d52-aefd-ba96838cbc01'
    organization: 'nicolas-courtiller19594'
    scannerMode: 'MSBuild'
    projectKey: '${{ parameters.SonarKey }}'
```
  • Languages of the repository
    .Net

  • Error observed (wrap logs/code around with triple quotes ``` for proper formatting)

```
Downloading: https://github.com/SonarSource/sonar-scanner-msbuild/releases/download/6.2.0.85879/sonar-scanner-6.2.0.85879-net-framework.zip
##[error]self signed certificate in certificate chain
##[warning]Can't find loc string for key: LIB_WhichNotFound_Win
##[warning]Error while executing SonarCloud:Prepare task: LIB_WhichNotFound_Win D:\AzDvOps_work\1\s\SonarScanner.MSBuild.exe
##[error]LIB_WhichNotFound_Win D:\AzDvOps_work\1\s\SonarScanner.MSBuild.exe
```

  • Steps to reproduce

A few words about this :
I have no problem when I use SonarCloud tasks V2 on Azure cloud agents (we tried the v2 tasks because of the deprecation of codecoverage.exe on those agents).

But when I try it on our self hosted agents, I have download errors…

We have added to our white list the 2 “new” URLs as asked in your v2 documentation:
SonarScanner for Azure DevOps & SonarCloud Docs (sonarsource.com)

When running @2 tasks, internet access is required by the pipelines calling the .NET or CLI scanners:

And our agent version is :

Current agent version: '3.220.2'

For users running on-premise or using self-hosted agents, the minimum agent version for SonarCloud v2 tasks is 3.218.0.

So I don’t know what to do to solve this problem … some help could be great please!

  • Potential workaround

Use v1 task version

1 Like

Hi,

This looks like a problem with your self-signed certificate:

This shows up with V2 of the tasks because they’re downloading the scanner from the internet (which we’re planning to change).

 
HTH,
Ann

Hello !

Yes, I think so too, but we added to our white list the URLs described in your documentation (github and binaries.sonarsource.com) and still got certificate issues.

So I think you also address other URLs while downloading the scanner, and we would like to know them so we can add them to our white list.

I will try to work with our IT department to see which URLs are addressed with our certificate, but it would be helpful to know them directly.

Thanks for your help,

Best regards

So, we’ve made some tries with our IT team and it appears that the URL that needs to be in the white list is :

objects.githubusercontent.com

because when we download sonar-scanner, this is the URL used:

https://objects.githubusercontent.com/github-production-release-asset-2e65be/34444711/701edd3d-8225-4afc-9aba-1723de42ea53?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240628%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240628T091946Z&X-Amz-Expires=300&X-Amz-Signature=6a66de5bfdf982eda77a31275eec879f48e90f6a8a0a11ed7829e64d6f415cac&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=34444711&response-content-disposition=attachment%3B%20filename%3Dsonar-scanner-6.2.0.85879-net-framework.zip&response-content-type=application%2Foctet-stream

and so, having “only” github.com in our white list is not enough.

Maybe adding this to your documentation could be great for other people who might encounter the same problem.

Best regards

2 Likes
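A way to find such hosts without waiting for a pipeline failure, as an added example that is not part of the original thread or of SonarSource's tooling: follow the download URL's redirects one hop at a time from the agent machine and validate each host's certificate chain against the local trust store. The function names are hypothetical, and the script assumes the agent reaches the internet directly or through a transparent inspecting proxy (an explicit proxy would need `set_tunnel`).

```python
import http.client
import ssl
import sys
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def probe(url, timeout=10):
    """One HTTPS GET without following redirects or reading the body.
    Returns (status, location, error); error is set when the chain fails
    validation (e.g. an inspecting proxy's CA is not trusted) or the host is blocked."""
    parts = urlsplit(url)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        # GET rather than HEAD: pre-signed asset URLs are typically signed for GET only.
        conn.request("GET", path, headers={"User-Agent": "allowlist-trace"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), None
    except ssl.SSLCertVerificationError as exc:
        return None, None, "certificate: " + exc.verify_message
    except OSError as exc:
        return None, None, "connection: %s" % exc
    finally:
        conn.close()

def trace(url, fetch=probe, max_hops=5):
    """Follow redirects hop by hop; return [(host, result)] in request order.
    The trace stops at the first failing hop, so rerun it after fixing that host."""
    hops = []
    for _ in range(max_hops):
        host = urlsplit(url).hostname
        status, location, error = fetch(url)
        if error:
            hops.append((host, "FAIL " + error))
            break
        hops.append((host, "ok (HTTP %s)" % status))
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)
    return hops

def hosts_to_allowlist(hops):
    """Unique hosts in the order they were contacted."""
    return list(dict.fromkeys(host for host, _ in hops))

if __name__ == "__main__":
    for host, result in trace(sys.argv[1]):
        print(f"{host:40} {result}")
```

Run it on the self-hosted agent with the `Downloading:` URL from the failing task log as the only argument; a `FAIL certificate` line names the host whose traffic is being re-signed or blocked.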

I added that “GitHub and objects.githubusercontent.com should also be whitelisted” to both the SonarQube and SonarCloud pages for the Sonar Extension for Azure DevOps.

It should be published in about 30 minutes.
Thank you for calling this to our attention, @AlexJulita !

5 Likes