Code review: remove alias from the truststore.p12, instead of removin…

…g the entire folder
SonarSource · Dec 16, 2024 · 8834ec6 · 8834ec6
1 parent 3a1a391
commit 8834ec6
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 11 deletions.
diff --git a/.github/workflows/qa-main.yml b/.github/workflows/qa-main.yml
@@ -643,9 +643,9 @@ jobs:
       - name: Run action with SONAR_SCANNER_TEMP
         uses: ./
         env:
+          NO_CACHE: true # force install-sonar-scanner-cli.sh execution
           SONAR_SCANNER_TEMP: /tmp/sonar-scanner
           SONAR_HOST_URL: http://not_actually_used
-          NO_CACHE: true # force install-sonar-scanner-cli.sh execution
         with:
           args: -Dsonar.scanner.internal.dumpToFile=./output.properties
           scannerVersion: ${{ env.SCANNER_VERSION }}
@@ -655,7 +655,7 @@ jobs:
           [ ! -f "$SCANNER_LOCAL_FOLDER/some_content.txt" ] || exit 1
   overridesSonarSslFolderWhenPresent: # can happen in uncleaned self-hosted runners
     name: >
-      'SONAR_SSL_FOLDER' is cleaned with warning when present
+      'SONAR_SSL_FOLDER' is NOT cleaned when present
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -668,16 +668,56 @@ jobs:
           touch "$SONAR_SSL_FOLDER/truststore.p12"
           # emit SONAR_SSL_FOLDER to be able to read it in the next steps
           echo "SONAR_SSL_FOLDER=$SONAR_SSL_FOLDER" >> $GITHUB_ENV
-      - name: Assert truststore.p12 file exists
+      - name: Assert truststore.p12 file exists and take note of modification time  
         run: |
           [ -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
+          # emit the modification time of the truststore.p12 file to be able to read it in the next steps
+          TRUSTSTORE_P12_MOD_TIME_BEFORE=$(stat -c %Y "$SONAR_SSL_FOLDER/truststore.p12")
+          echo $TRUSTSTORE_P12_MOD_TIME_BEFORE
+          echo "TRUSTSTORE_P12_MOD_TIME_BEFORE=$TRUSTSTORE_P12_MOD_TIME_BEFORE" >> $GITHUB_ENV
       - name: Run action
         uses: ./
         env:
           # NO_CACHE not needed, as SONAR_SSL_FOLDER is setup when the Sonar Scanner is run, not installed 
           SONAR_HOST_URL: http://not_actually_used
+          SONAR_ROOT_CERT: |
+            -----BEGIN CERTIFICATE-----
+            MIIFlTCCA32gAwIBAgIUXK4LyGUFe4ZVL93StPXCoJzmnLMwDQYJKoZIhvcNAQEL
+            BQAwTzELMAkGA1UEBhMCQ0gxDzANBgNVBAgMBkdlbmV2YTEPMA0GA1UEBwwGR2Vu
+            ZXZhMQ8wDQYDVQQKDAZTZXJ2ZXIxDTALBgNVBAsMBERlcHQwHhcNMjQxMTAxMDgx
+            MzM3WhcNMzQxMDMwMDgxMzM3WjBPMQswCQYDVQQGEwJDSDEPMA0GA1UECAwGR2Vu
+            ZXZhMQ8wDQYDVQQHDAZHZW5ldmExDzANBgNVBAoMBlNlcnZlcjENMAsGA1UECwwE
+            RGVwdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK5m0V6IFFykib77
+            nmlN7weS9q3D6YGEj+8hRNQViL9KduUoLjoKpONIihU5kfIg+5SkGygjHRkBvIp3
+            b0HQqhkwtGln3/FxxaSfGEguLHgzXR8JDQSyJ8UKIGOPCH93n1rUip5Ok1iExVup
+            HtkiVDRoCC9cRjZXbGOKrO6VBT4RvakpkaqCdXYikV244B5ElM7kdFdz8fso78Aq
+            xekb9dM0f21uUaDBKCIhRcxWeafp0CJIoejTq0+PF7qA2qIY5UHqWElWO5NsvQ8+
+            MqKkIdsOa1pYNuH/5eQ59k9KSE92ps1xTKweW000GfPqxx8IQ/e4aAd2SaMTKvN6
+            aac6piWBeJ7AssgWwkg/3rnZB5seQIrWjIUePmxJ4c0g0eL9cnVpYF0K/Dldle/G
+            wg0zi1g709rBI1TYj9xwrivxSwEQupz8OdKqOmgqrKHJJ/CCLl+JdFYjgwl3NWLH
+            wsU639H1bMXIJoQujg9U47e9fXbwiqdkMQzt7rPGkOBBaAkSctAReiXnWy+CbVEM
+            QFHDrnD5YUJRd5t/DUuWuqhR2QhfUvRClPUKoVqB/iOu2IumlgDEDA8jb1dxEW+W
+            iaYokQCS94OpxOJ8aeReSt9bghT0vc9ifCLWvuE1iBjujdK32ekKSY9DCZyBHXsG
+            J9N1nt1qd/k7QqWOkuPjr1JrTIMbAgMBAAGjaTBnMB0GA1UdDgQWBBQw4ESReEk+
+            AIxwjHRqPkESzMv1bTAfBgNVHSMEGDAWgBQw4ESReEk+AIxwjHRqPkESzMv1bTAP
+            BgNVHRMBAf8EBTADAQH/MBQGA1UdEQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0B
+            AQsFAAOCAgEAE8WefoZN23aOSe79ZN7zRBWP8DdPgFAqg5XUhfc9bCIVfJ4XMpEe
+            3lzRhgjwDm4naEs35QWOhPZH2vx8XrEKnZNI6vKO8JzaCsivgngk8bsWnvhwSXy5
+            eFdc99K+FOmOHevDmeiimoQnikffnSULRhQYzE2Qwyo9iky8703/+D3IKEC/8exC
+            rlyGMUV/Nqj+4M+57DiZ6OXeFuunfoFB7vmcDZygqDhKoHhVRyu8qN6PeK2fvUFK
+            EjeRtvA0GkdlOtLIF2g5yBTK2ykkt/oLUoAolfYUTKcoV2/FS0gVR5ovmEpKyBcP
+            H9hzr16a8dtrEqOf/oKHQSLwxn8afmS354HJ75sq9SujOtIWpHfyH5IgqtUpiBN/
+            bzvKs/QZjtGlqvquOTkdh9L4oxTXqG7zEStZyo/v9g5jf1Tq195b2DNFwVUZIcbb
+            u2d4CvAZ1yNr+8ax/kTwBSY8WU+mCtmvowFstdvsJXVXJKnUO6EZOdbg0GxTBVyE
+            zMsnPcnkOwV5TJIKKhonrgrwmPmQ9IOV9BrThVxujjjEbAdA6jM9PMiXzuDukldm
+            QBRwNbczGbdsHkMKHmQnrTqOyQyI4KCXF08kcOm4C1P+Whrvi0DXkqHnyKvBE0td
+            dciInBoeHwUs2eclz7gP7pMBJUlFUkKfQxwxGLIqZSXnlAFBfW6hHLI=
+            -----END CERTIFICATE-----
         with:
           args: -Dsonar.scanner.internal.dumpToFile=./output.properties
-      - name: Assert truststore.p12 doesn't exists anymore
+      - name: Assert truststore.p12 still exists, but it has been updated
         run: |
           [ ! -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
+          TRUSTSTORE_P12_MOD_TIME_AFTER=$(stat -c %Y "$SONAR_SSL_FOLDER/truststore.p12")
+          echo $TRUSTSTORE_P12_MOD_TIME_AFTER
+          [ "$TRUSTSTORE_P12_MOD_TIME_BEFORE" != "$TRUSTSTORE_P12_MOD_TIME_AFTER" ] || exit 1
diff --git a/scripts/run-sonar-scanner-cli.sh b/scripts/run-sonar-scanner-cli.sh
@@ -23,20 +23,38 @@ fi
 
 # The SSL folder may exist on an uncleaned self-hosted runner
 SONAR_SSL_FOLDER=~/.sonar/ssl
-if [ -d "$SONAR_SSL_FOLDER" ]; then
-  echo "::warning title=SonarScanner::Cleaning existing SSL folder: $SONAR_SSL_FOLDER"
-  rm -rf "$SONAR_SSL_FOLDER"
+# Use keytool for now, as SonarQube 10.6 and below doesn't support openssl generated keystores
+# keytool require a password > 6 characters, so we wan't use the default password 'sonar'
+KEYTOOL_MAIN_CLASS=sun.security.tools.keytool.Main
+SONAR_SSL_TRUSTSTORE_FILE="$SONAR_SSL_FOLDER/truststore.p12"
+SONAR_SSL_TRUSTSTORE_PASSWORD=changeit
+
+if [ -f "$SONAR_SSL_TRUSTSTORE_FILE" ]; then
+  echo "::warning title=SonarScanner: Removing 'sonar' alias from already existing Scanner truststore: $SONAR_SSL_TRUSTSTORE_FILE"
+  "$SONAR_SCANNER_JRE/bin/java" "$KEYTOOL_MAIN_CLASS" \
+    -storetype PKCS12 \
+    -keystore "$SONAR_SSL_TRUSTSTORE_FILE" \
+    -storepass "$SONAR_SSL_TRUSTSTORE_PASSWORD" \
+    -noprompt \
+    -trustcacerts \
+    -delete \
+    -alias sonar
 fi
 
 if [[ -n "${SONAR_ROOT_CERT}" ]]; then
   echo "Adding SSL certificate to the Scanner truststore"
   rm -f $RUNNER_TEMP/tmpcert.pem
   echo "${SONAR_ROOT_CERT}" > $RUNNER_TEMP/tmpcert.pem
-  # Use keytool for now, as SonarQube 10.6 and below doesn't support openssl generated keystores
-  # keytool require a password > 6 characters, so we wan't use the default password 'sonar'
-  store_pass=changeit
   mkdir -p "$SONAR_SSL_FOLDER"
-  "$SONAR_SCANNER_JRE/bin/java" sun.security.tools.keytool.Main -storetype PKCS12 -keystore "$SONAR_SSL_FOLDER/truststore.p12" -storepass $store_pass -noprompt -trustcacerts -importcert -alias sonar -file "$RUNNER_TEMP/tmpcert.pem"
+  "$SONAR_SCANNER_JRE/bin/java" "$KEYTOOL_MAIN_CLASS" \
+    -storetype PKCS12 \
+    -keystore "$SONAR_SSL_TRUSTSTORE_FILE" \
+    -storepass "$SONAR_SSL_TRUSTSTORE_PASSWORD" \
+    -noprompt \
+    -trustcacerts \
+    -importcert \
+    -alias sonar \
+    -file "$RUNNER_TEMP/tmpcert.pem"
   scanner_args+=("-Dsonar.scanner.truststorePassword=$store_pass")
 fi