Xcode Cloud - SSL Handshake error - DNS Poisoning? Server 18.198.129.210 / 18.157.93.34 / 3.75.3.234

Template for a good new topic, formatted with Markdown:

  • ALM used (GitHub)
  • CI system used (Xcode Cloud)
  • Scanner command used when applicable (private details masked)
```
sonar-scanner \
    -Dsonar.projectBaseDir=${SONAR_WORSPACE} \
    -Dsonar.organization=${SONAR_ORG} \
    -Dsonar.pullrequest.provider=${SONAR_PRPROVIDER} \
    -Dsonar.host.url=${SONAR_HOST} \
    -Dsonar.projectVersion=${SONAR_BUILD_NUMBER} \
    -Dsonar.pullrequest.base=${SONAR_PULL_REQUEST_SOURCE_BRANCH} \
    -Dsonar.pullrequest.key=${SONAR_PULL_REQUEST_NUMBER}
```
  • Languages of the repository
    Swift

  • Only if the SonarCloud project is public, the URL - PRIVATE

    • And if you need help with pull request decoration, then the URL to the PR too
  • Error observed (wrap logs/code around with triple quotes ``` for proper formatting)

```
2022-12-13T21:26:38.831047775Z	Caused by: java.lang.IllegalStateException: Fail to request https://sonarcloud.io/batch/project.protobuf?key=xxx&branch=main
.....
2022-12-13T21:26:38.859855354Z	Caused by: javax.net.ssl.SSLPeerUnverifiedException: Hostname sonarcloud.io not verified:
2022-12-13T21:26:38.860342517Z	    certificate: sha256/T3dDhxmHiddtgKf6PZ09fe0T4T36ZcG7mUEZAu5/2OY=
2022-12-13T21:26:38.860581475Z	    DN: CN=bid.do
2022-12-13T21:26:38.860769670Z	    subjectAltNames: [bid.do, *.bid.do, www.bid.do]
```
  • Steps to reproduce
    The SSL certificate may have a different DN, here: bid.do

  • Potential workaround
    No workaround at this stage. Also created a ticket with Apple for investigation on the Xcode Cloud runners…

FYI, I am also running an NSLOOKUP in the script and all seems correct…

```
2022-12-13T21:25:56.660394932Z --------------------------------------------------------------------------------------
2022-12-13T21:25:58.128679670Z
2022-12-13T21:25:58.129103200Z 🔎 nslookup sonarcloud.io...
2022-12-13T21:25:58.145709706Z Server: 10.173.216.5
2022-12-13T21:25:58.145921944Z Address: 10.173.216.5#53
2022-12-13T21:25:58.146396882Z
2022-12-13T21:25:58.146712626Z Non-authoritative answer:
2022-12-13T21:25:58.146863259Z Name: sonarcloud.io
2022-12-13T21:25:58.147294338Z Address: 18.198.129.210
2022-12-13T21:25:58.147562073Z Name: sonarcloud.io
2022-12-13T21:25:58.147865860Z Address: 18.157.93.34
2022-12-13T21:25:58.148021032Z Name: sonarcloud.io
2022-12-13T21:25:58.148379295Z Address: 3.75.3.234
2022-12-13T21:25:58.148514676Z
2022-12-13T21:25:58.148765480Z
...
2022-12-13T21:26:03.733095355Z	🔘 JAVA_OPTS -> -Djdk.tls.client.protocols=TLSv1.2
2022-12-13T21:26:03.733825879Z	💨 Submitting result to Sonarcloud
2022-12-13T21:26:03.734351201Z	🗜 Discovered a PR #119 | Send PR analyse to Sonarcloud
2022-12-13T21:26:06.769138883Z	INFO: Scanner configuration file: /Volumes/workspace/repository/ci_scripts/vendors/sonar/sonar-scanner-4.7.0.2747-macosx/conf/sonar-scanner.properties
2022-12-13T21:26:06.769657147Z	INFO: Project root configuration file: /Volumes/workspace/repository/ci_scripts/Sonar/sonar-project.properties
2022-12-13T21:26:06.770136298Z	INFO: SonarScanner 4.7.0.2747
2022-12-13T21:26:06.770507686Z	INFO: Java 11.0.14.1 Eclipse Adoptium (64-bit)
2022-12-13T21:26:06.770941627Z	INFO: Mac OS X 13.1 x86_64
2022-12-13T21:26:06.771392186Z	INFO: SONAR_SCANNER_OPTS=-server
2022-12-13T21:26:06.771651554Z	INFO: User cache: /Users/local/.sonar/cache
....
2022-12-13T21:26:37.759410090Z	INFO: Load active rules (done) | time=7998ms
2022-12-13T21:26:37.760033791Z	INFO: Organization key: xxx
2022-12-13T21:26:37.760728798Z	INFO: Pull request 119 for merge into develop from feature/NO_JIRA_reports_services
2022-12-13T21:26:37.761123369Z	INFO: Load project repositories
2022-12-13T21:26:38.800621360Z	INFO: ------------------------------------------------------------------------
2022-12-13T21:26:38.801015627Z	INFO: EXECUTION FAILURE
2022-12-13T21:26:38.801644767Z	INFO: ------------------------------------------------------------------------
2022-12-13T21:26:38.801831488Z	INFO: Total time: 32.408s
2022-12-13T21:26:38.802104547Z	INFO: Final Memory: 20M/74M
2022-12-13T21:26:38.802363648Z	INFO: ------------------------------------------------------------------------
2022-12-13T21:26:38.802535511Z	ERROR: Error during SonarScanner execution
2022-12-13T21:26:38.802880633Z	java.lang.IllegalStateException: Unable to load component class org.sonar.scanner.scan.filesystem.ProjectFileIndexer
2022-12-13T21:26:38.803176752Z		at org.sonar.core.platform.ComponentContainer$ExtendedDefaultPicoContainer.getComponent(ComponentContainer.java:52)
....
2022-12-13T21:26:38.831047775Z	Caused by: java.lang.IllegalStateException: Fail to request https://sonarcloud.io/batch/project.protobuf?key=xxx&branch=main
2022-12-13T21:26:38.831391301Z		at org.sonarqube.ws.client.HttpConnector.doCall(HttpConnector.java:202)
2022-12-13T21:26:38.831602741Z		at org.sonarqube.ws.client.HttpConnector.get(HttpConnector.java:118)
...
2022-12-13T21:26:38.859855354Z	Caused by: javax.net.ssl.SSLPeerUnverifiedException: Hostname sonarcloud.io not verified:
2022-12-13T21:26:38.860342517Z	    certificate: sha256/T3dDhxmHiddtgKf6PZ09fe0T4T36ZcG7mUEZAu5/2OY=
2022-12-13T21:26:38.860581475Z	    DN: CN=bid.do
2022-12-13T21:26:38.860769670Z	    subjectAltNames: [bid.do, *.bid.do, www.bid.do]
2022-12-13T21:26:38.861073637Z		at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:389)
2022-12-13T21:26:38.861299678Z		at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
```
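
A per-address check for the failure logged above, as an added example (not part of the original post and not SonarSource or Apple tooling): it connects to each address from the nslookup output with SNI set to sonarcloud.io, verifies the chain, and reports which DNS names the returned certificate covers, so a wrong-name certificate can be tied to a specific address or to the network path of the runner. Function names are hypothetical, and the wildcard match is a simplified RFC 6125 rule.

```python
import socket
import ssl

HOST = "sonarcloud.io"  # name the scanner expected, per the log
# Addresses returned by the nslookup output in the post
RESOLVED_IPS = ["18.198.129.210", "18.157.93.34", "3.75.3.234"]
# Names from the logged SSLPeerUnverifiedException, in getpeercert() dict shape
LOGGED_CERT = {"subjectAltName": (("DNS", "bid.do"), ("DNS", "*.bid.do"),
                                  ("DNS", "www.bid.do"))}

def dns_sans(cert):
    """DNS subjectAltNames from a dict shaped like SSLSocket.getpeercert()."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def san_matches(pattern, host):
    """Exact match, or '*' standing for exactly one left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        label, _, rest = h.partition(".")
        return bool(label) and rest == p[2:]
    return p == h

def cert_covers(cert, host=HOST):
    return any(san_matches(s, host) for s in dns_sans(cert))

def fetch_cert(ip, host=HOST, port=443, timeout=5.0):
    """Connect to one IP with SNI=host. The chain is still verified; only the
    hostname check is deferred so a wrong-name certificate can be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def probe(ips=RESOLVED_IPS, host=HOST):
    """Return {ip: (verdict, detail)} for each resolved address."""
    report = {}
    for ip in ips:
        try:
            cert = fetch_cert(ip, host)
            verdict = "ok" if cert_covers(cert, host) else "WRONG-NAME"
            report[ip] = (verdict, dns_sans(cert))
        except (ssl.SSLError, OSError) as exc:  # untrusted chain, reset, timeout
            report[ip] = ("error", str(exc))
    return report

if __name__ == "__main__":
    for ip, (verdict, detail) in probe().items():
        print(f"{ip:16} {verdict:11} {detail}")
```

Running it both on the CI runner and on a workstation shows whether the mismatch follows the address or the network the request leaves from.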

Hello @charlymr :wave:

Thanks for reaching out! I’ll be investigating your issue. So if you have new information from the moment you created the post to today, please feel free to share while I attempt to replicate the issue and/or investigate more deeply based on the details provided.

At the moment, I have some questions to see if I understand the problem and to isolate use cases:

  1. I understand you are running the scanner using Xcode Cloud. Could you please confirm whether the issue persists when you run the scanner manually in the terminal?
  2. When you say “Only if the SonarCloud project is public, the URL - PRIVATE”, what exactly do you mean? Is it that the issue happens when projects are public?

Additionally, I have found other similar entries in the community that could provide some help.

I’ll continue investigating as mentioned above.

Hello again @charlymr !

Did you have time to check on my questions in my previous reply?