SCANJLIB-261 Add a scanner property to disable SSL config based on JVM properties

henryju · henryju · commit 68fcfd250f57 · 2025-02-13T12:21:00.000+01:00
diff --git a/lib/src/main/java/org/sonarsource/scanner/lib/ScannerProperties.java b/lib/src/main/java/org/sonarsource/scanner/lib/ScannerProperties.java
@@ -87,7 +87,7 @@ private ScannerProperties() {
   public static final String SONAR_SCANNER_TRUSTSTORE_PATH = "sonar.scanner.truststorePath";
   public static final String SONAR_SCANNER_TRUSTSTORE_PASSWORD = "sonar.scanner.truststorePassword";
   public static final String SONAR_SCANNER_SKIP_SYSTEM_TRUSTSTORE = "sonar.scanner.skipSystemTruststore";
-
+  public static final String SONAR_SCANNER_SKIP_JVM_SSL_CONFIG = "sonar.scanner.skipJvmSslConfig";
   /**
    * Skip analysis.
    */
diff --git a/lib/src/main/java/org/sonarsource/scanner/lib/internal/http/HttpConfig.java b/lib/src/main/java/org/sonarsource/scanner/lib/internal/http/HttpConfig.java
@@ -53,6 +53,7 @@
 import static org.sonarsource.scanner.lib.ScannerProperties.SONAR_SCANNER_PROXY_PORT;
 import static org.sonarsource.scanner.lib.ScannerProperties.SONAR_SCANNER_PROXY_USER;
 import static org.sonarsource.scanner.lib.ScannerProperties.SONAR_SCANNER_RESPONSE_TIMEOUT;
+import static org.sonarsource.scanner.lib.ScannerProperties.SONAR_SCANNER_SKIP_JVM_SSL_CONFIG;
 import static org.sonarsource.scanner.lib.ScannerProperties.SONAR_SCANNER_SKIP_SYSTEM_TRUSTSTORE;
 import static org.sonarsource.scanner.lib.ScannerProperties.SONAR_SCANNER_SOCKET_TIMEOUT;
 import static org.sonarsource.scanner.lib.ScannerProperties.SONAR_SCANNER_TRUSTSTORE_PASSWORD;
@@ -179,43 +180,48 @@ private static int parseIntProperty(String propValue, String propKey) {
   }
 
   private SslConfig loadSslConfig(Map<String, String> bootstrapProperties, Path sonarUserHome) {
-    var keyStore = loadKeyStoreConfig(bootstrapProperties, sonarUserHome);
-    var trustStore = loadTrustStoreConfig(bootstrapProperties, sonarUserHome);
+    var skipJvmSslConfig = Boolean.parseBoolean(defaultIfBlank(bootstrapProperties.get(SONAR_SCANNER_SKIP_JVM_SSL_CONFIG), "false"));
+    var keyStore = loadKeyStoreConfig(bootstrapProperties, sonarUserHome, skipJvmSslConfig);
+    var trustStore = loadTrustStoreConfig(bootstrapProperties, sonarUserHome, skipJvmSslConfig);
     return new SslConfig(keyStore, trustStore);
   }
 
   @Nullable
-  private CertificateStore loadTrustStoreConfig(Map<String, String> bootstrapProperties, Path sonarUserHome) {
+  private CertificateStore loadTrustStoreConfig(Map<String, String> bootstrapProperties, Path sonarUserHome, boolean skipJvmSslConfig) {
     var trustStorePath = parseFileProperty(bootstrapProperties, SONAR_SCANNER_TRUSTSTORE_PATH, "truststore", sonarUserHome.resolve("ssl/truststore.p12"));
     if (trustStorePath != null) {
       LOG.debug("Using scanner truststore: {}", trustStorePath);
       return new CertificateStore(trustStorePath, bootstrapProperties.get(SONAR_SCANNER_TRUSTSTORE_PASSWORD), false);
     }
-    var jvmTrustStoreProp = system.getProperty(JAVAX_NET_SSL_TRUST_STORE);
-    if (StringUtils.isNotBlank(jvmTrustStoreProp)) {
-      LOG.debug("Using JVM truststore: {}", jvmTrustStoreProp);
-      return new CertificateStore(Paths.get(jvmTrustStoreProp), system.getProperty(JAVAX_NET_SSL_TRUST_STORE_PASSWORD), true);
-    } else {
-      var defaultJvmTrustStoreLocation = Paths.get(Objects.requireNonNull(system.getProperty("java.home")), "lib", "security", "cacerts");
-      if (Files.isRegularFile(defaultJvmTrustStoreLocation)) {
-        LOG.debug("Using JVM default truststore: {}", defaultJvmTrustStoreLocation);
-        return new CertificateStore(defaultJvmTrustStoreLocation, Optional.ofNullable(system.getProperty(JAVAX_NET_SSL_TRUST_STORE_PASSWORD)).orElse("changeit"), true);
+    if (!skipJvmSslConfig) {
+      var jvmTrustStoreProp = system.getProperty(JAVAX_NET_SSL_TRUST_STORE);
+      if (StringUtils.isNotBlank(jvmTrustStoreProp)) {
+        LOG.debug("Using JVM truststore: {}", jvmTrustStoreProp);
+        return new CertificateStore(Paths.get(jvmTrustStoreProp), system.getProperty(JAVAX_NET_SSL_TRUST_STORE_PASSWORD), true);
+      } else {
+        var defaultJvmTrustStoreLocation = Paths.get(Objects.requireNonNull(system.getProperty("java.home")), "lib", "security", "cacerts");
+        if (Files.isRegularFile(defaultJvmTrustStoreLocation)) {
+          LOG.debug("Using JVM default truststore: {}", defaultJvmTrustStoreLocation);
+          return new CertificateStore(defaultJvmTrustStoreLocation, Optional.ofNullable(system.getProperty(JAVAX_NET_SSL_TRUST_STORE_PASSWORD)).orElse("changeit"), true);
+        }
       }
     }
     return null;
   }
 
   @Nullable
-  private CertificateStore loadKeyStoreConfig(Map<String, String> bootstrapProperties, Path sonarUserHome) {
+  private CertificateStore loadKeyStoreConfig(Map<String, String> bootstrapProperties, Path sonarUserHome, boolean skipJvmSslConfig) {
     var keyStorePath = parseFileProperty(bootstrapProperties, SONAR_SCANNER_KEYSTORE_PATH, "keystore", sonarUserHome.resolve("ssl/keystore.p12"));
     if (keyStorePath != null) {
       LOG.debug("Using scanner keystore: {}", keyStorePath);
       return new CertificateStore(keyStorePath, bootstrapProperties.get(SONAR_SCANNER_KEYSTORE_PASSWORD), false);
     }
-    var jvmKeystoreProp = system.getProperty(JAVAX_NET_SSL_KEY_STORE);
-    if (StringUtils.isNotBlank(jvmKeystoreProp)) {
-      LOG.debug("Using JVM keystore: {}", jvmKeystoreProp);
-      return new CertificateStore(Paths.get(jvmKeystoreProp), system.getProperty(JAVAX_NET_SSL_KEY_STORE_PASSWORD), true);
+    if (!skipJvmSslConfig) {
+      var jvmKeystoreProp = system.getProperty(JAVAX_NET_SSL_KEY_STORE);
+      if (StringUtils.isNotBlank(jvmKeystoreProp)) {
+        LOG.debug("Using JVM keystore: {}", jvmKeystoreProp);
+        return new CertificateStore(Paths.get(jvmKeystoreProp), system.getProperty(JAVAX_NET_SSL_KEY_STORE_PASSWORD), true);
+      }
     }
     return null;
   }
diff --git a/lib/src/test/java/org/sonarsource/scanner/lib/internal/http/HttpConfigTest.java b/lib/src/test/java/org/sonarsource/scanner/lib/internal/http/HttpConfigTest.java
@@ -114,6 +114,17 @@ void should_set_ssl_config_from_default_jvm_location() {
     assertThat(logTester.logs(Level.DEBUG)).contains("Using JVM default truststore: " + cacerts);
   }
 
+  @Test
+  void should_skip_ssl_config_from_jvm_if_property_set() {
+    logTester.setLevel(Level.DEBUG);
+    bootstrapProperties.put("sonar.scanner.skipJvmSslConfig", "true");
+
+    var underTest = new HttpConfig(bootstrapProperties, sonarUserHome, system);
+
+    assertThat(underTest.getSslConfig().getTrustStore()).isNull();
+    assertThat(underTest.getSslConfig().getKeyStore()).isNull();
+  }
+
   @Test
   void should_set_ssl_config_from_jvm_system_properties(@TempDir Path tempDir) throws IOException {
     var jvmTruststore = tempDir.resolve("jvmTrust.p12");
