SCANJLIB-258 Log the value of SONAR_SCANNER_JAVA_OPTS

Author: henryju

lib/src/main/java/org/sonarsource/scanner/lib/internal/facade/forked/ScannerEngineLauncher.java

@@ -26,8 +26,10 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Optional;
+import java.util.Set;
 import java.util.stream.Collectors;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -36,6 +38,10 @@
 import org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory;
 
 public class ScannerEngineLauncher {
+  private static final Set<String> SENSITIVE_JVM_ARGUMENTS = Set.of(
+    "sonar.login",
+    "password",
+    "token");
 
   private static final Logger LOG = LoggerFactory.getLogger(ScannerEngineLauncher.class);
 
@@ -104,14 +110,30 @@ private List<String> buildArgs(Map<String, String> properties) {
     List<String> args = new ArrayList<>();
     String javaOpts = properties.get(ScannerProperties.SCANNER_JAVA_OPTS);
     if (javaOpts != null) {
-      args.addAll(split(javaOpts));
+      var split = split(javaOpts);
+      LOG.atInfo().addArgument(() -> redactSensitiveArguments(split)).log("SONAR_SCANNER_JAVA_OPTS={}");
+      args.addAll(split);
     }
     args.add("-D" + OkHttpClientFactory.BC_IGNORE_USELESS_PASSWD + "=true");
     args.add("-jar");
     args.add(scannerEngineJar.getPathInCache().toAbsolutePath().toString());
     return args;
   }
 
+  private static String redactSensitiveArguments(List<String> scannerOpts) {
+    return scannerOpts.stream()
+      .map(ScannerEngineLauncher::redactArgumentIfSensistive)
+      .collect(Collectors.joining(" "));
+  }
+
+  private static String redactArgumentIfSensistive(String argument) {
+    String[] elems = argument.split("=");
+    if (elems.length > 0 && SENSITIVE_JVM_ARGUMENTS.stream().anyMatch(p -> elems[0].toLowerCase(Locale.ENGLISH).contains(p))) {
+      return elems[0] + "=*";
+    }
+    return argument;
+  }
+
   private static List<String> split(String value) {
     return Arrays.stream(value.split("\\s+"))
       .map(String::trim)
@@ -124,11 +146,11 @@ private static String buildJsonProperties(Map<String, String> properties) {
     properties.entrySet().stream()
       .filter(prop -> prop.getKey() != null)
       .sorted(Map.Entry.comparingByKey()).forEach(prop -> {
-      JsonObject property = new JsonObject();
-      property.addProperty("key", prop.getKey());
-      property.addProperty("value", Optional.ofNullable(prop.getValue()).orElse(""));
-      propertiesArray.add(property);
-    });
+        JsonObject property = new JsonObject();
+        property.addProperty("key", prop.getKey());
+        property.addProperty("value", Optional.ofNullable(prop.getValue()).orElse(""));
+        propertiesArray.add(property);
+      });
     JsonObject jsonObject = new JsonObject();
     jsonObject.add(JSON_FIELD_SCANNER_PROPERTIES, propertiesArray);
     return new Gson().toJson(jsonObject);

lib/src/test/java/org/sonarsource/scanner/lib/internal/facade/forked/ScannerEngineLauncherTest.java

@@ -62,6 +62,22 @@ void execute() {
       eq(List.of("-Xmx4g", "-Xms1g", "-Dorg.bouncycastle.pkcs12.ignore_useless_passwd=true", "-jar", scannerEngine.toAbsolutePath().toString())),
       eq("{\"scannerProperties\":[{\"key\":\"sonar.host.url\",\"value\":\"http://localhost:9000\"},{\"key\":\"sonar.scanner.javaOpts\",\"value\":\"-Xmx4g -Xms1g\"}]}"),
       any());
+
+    assertThat(logTester.logs(Level.INFO)).containsOnly("SONAR_SCANNER_JAVA_OPTS=-Xmx4g -Xms1g");
+  }
+
+  @Test
+  void execute_log_info_when_java_opts_provided_obfuscating_sensitive_values() {
+    var scannerEngine = temp.resolve("scanner-engine.jar");
+
+    ScannerEngineLauncher launcher = new ScannerEngineLauncher(javaRunner, new CachedFile(scannerEngine, true));
+
+    Map<String, String> properties = Map.of(
+      ScannerProperties.SCANNER_JAVA_OPTS, "-Xmx4g -Xms1g -Dsonar.login=secret1 -Dsonar.password=secret2 -Dsonar.token=secret3 -Djava.net.ssl.trustStorePassword=secret4",
+      ScannerProperties.HOST_URL, "http://localhost:9000");
+    launcher.execute(properties);
+
+    assertThat(logTester.logs(Level.INFO)).containsOnly("SONAR_SCANNER_JAVA_OPTS=-Xmx4g -Xms1g -Dsonar.login=* -Dsonar.password=* -Dsonar.token=* -Djava.net.ssl.trustStorePassword=*");
   }
 
   @Test