SonarSource/sonarqube-scan-action
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SQSCANGHA-76 Support self-hosted runners not clearing truststore after run (#165)

Browse Source
This commit is contained in:
Antonio Aversa
2024-12-17 09:19:42 +01:00
committed by GitHub
parent 0ab314b63d
commit 26c51824c8
3 changed files with 179 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
scripts/run-sonar-scanner-cli.sh
View File

@@ -21,16 +21,56 @@ if [[ -n "${INPUT_PROJECTBASEDIR}" ]]; then
scanner_args+=("-Dsonar.projectBaseDir=${INPUT_PROJECTBASEDIR}")
fi
# The SSL folder may exist on an uncleaned self-hosted runner
SONAR_SSL_FOLDER=~/.sonar/ssl
# Use keytool for now, as SonarQube 10.6 and below doesn't support openssl generated keystores
# keytool requires a password > 6 characters, so we won't use the default password 'sonar'
KEYTOOL_MAIN_CLASS=sun.security.tools.keytool.Main
SONAR_SSL_TRUSTSTORE_FILE="$SONAR_SSL_FOLDER/truststore.p12"
SONAR_SSL_TRUSTSTORE_PASSWORD=changeit
if [ -f "$SONAR_SSL_TRUSTSTORE_FILE" ]; then
ALIAS_SONAR_IS_PRESENT=true
"$SONAR_SCANNER_JRE/bin/java" "$KEYTOOL_MAIN_CLASS" \
-storetype PKCS12 \
-keystore "$SONAR_SSL_TRUSTSTORE_FILE" \
-storepass "$SONAR_SSL_TRUSTSTORE_PASSWORD" \
-noprompt \
-trustcacerts \
-list -v -alias sonar > /dev/null 2>&1 || {
ALIAS_SONAR_IS_PRESENT=false
echo "Existing Scanner truststore $SONAR_SSL_TRUSTSTORE_FILE does not contain 'sonar' alias"
}
if [[ $ALIAS_SONAR_IS_PRESENT == "true" ]]; then
echo "Removing 'sonar' alias from already existing Scanner truststore: $SONAR_SSL_TRUSTSTORE_FILE"
"$SONAR_SCANNER_JRE/bin/java" "$KEYTOOL_MAIN_CLASS" \
-storetype PKCS12 \
-keystore "$SONAR_SSL_TRUSTSTORE_FILE" \
-storepass "$SONAR_SSL_TRUSTSTORE_PASSWORD" \
-noprompt \
-trustcacerts \
-delete \
-alias sonar
fi
fi
if [[ -n "${SONAR_ROOT_CERT}" ]]; then
echo "Adding SSL certificate to the Scanner truststore"
rm -f $RUNNER_TEMP/tmpcert.pem
echo "${SONAR_ROOT_CERT}" > $RUNNER_TEMP/tmpcert.pem
# Use keytool for now, as SonarQube 10.6 and below doesn't support openssl generated keystores
# keytool require a password > 6 characters, so we wan't use the default password 'sonar'
store_pass=changeit
mkdir -p ~/.sonar/ssl
$SONAR_SCANNER_JRE/bin/java sun.security.tools.keytool.Main -storetype PKCS12 -keystore ~/.sonar/ssl/truststore.p12 -storepass $store_pass -noprompt -trustcacerts -importcert -alias sonar -file $RUNNER_TEMP/tmpcert.pem
scanner_args+=("-Dsonar.scanner.truststorePassword=$store_pass")
mkdir -p "$SONAR_SSL_FOLDER"
"$SONAR_SCANNER_JRE/bin/java" "$KEYTOOL_MAIN_CLASS" \
-storetype PKCS12 \
-keystore "$SONAR_SSL_TRUSTSTORE_FILE" \
-storepass "$SONAR_SSL_TRUSTSTORE_PASSWORD" \
-noprompt \
-trustcacerts \
-importcert \
-alias sonar \
-file "$RUNNER_TEMP/tmpcert.pem"
scanner_args+=("-Dsonar.scanner.truststorePassword=$SONAR_SSL_TRUSTSTORE_PASSWORD")
fi
scanner_args+=("$@")