Irrelevant encrypted properties should not be passed to the scanner engine

Description

When gathering properties, from environment variables or Maven-related files, the scanner for Maven should be more selective about the parameters it passes on to the scanner-engine. When it sends an encrypted property that the scanner-engine cannot decrypt, the analysis fails with the following message.


The issue can be reproduced by analyzing a Maven project with any recent version of the scanner for Maven and passing the property as an environment variable

or by adding the property in your pom file
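As an added illustration (not code from the issue or from the scanner for Maven project), the following Python models the two selection rules the issue and its comments describe: forwarding any key that merely contains "sonar", versus forwarding only properties whose bare name starts with `sonar.`. The `<module key>.<property>` layout used for the multi-module case, the `select_*` function names and the sample property values are assumptions made for the example; the `{aes}` and `{aes-gcm}` value prefixes are the SonarQube encrypted-setting format, and the ciphertext bodies are placeholders.

```python
import re
from typing import Optional

# Constructed sample: the kind of property set a Maven build exposes to the
# scanner (pom <properties>, -D values, environment variables). The ciphertext
# bodies are placeholders, not real encrypted values.
SAMPLE_PROPERTIES = {
    "sonar.projectKey": "demo",
    "sonar.host.url": "https://sonar.example.invalid",
    "sonar.login": "{aes-gcm}PLACEHOLDER_CIPHERTEXT_1",   # relevant and encrypted
    "db.password": "{aes}PLACEHOLDER_CIPHERTEXT_2",       # irrelevant and encrypted
    "radar.token": "{aes-gcm}PLACEHOLDER_CIPHERTEXT_3",   # irrelevant and encrypted
    "maven.compiler.source": "17",                        # irrelevant, plain text
}

ENCRYPTED_VALUE = re.compile(r"^\{aes(?:-gcm)?\}")
SCANNER_PREFIX = "sonar."


def is_encrypted(value: str) -> bool:
    """True for values in SonarQube's encrypted-setting format."""
    return ENCRYPTED_VALUE.match(value) is not None


def qualify(module_key: str, props: dict) -> dict:
    """Model of the multi-module case from the comments: per-module properties
    are stored under '<module key>.<property>' (assumed layout)."""
    return {f"{module_key}.{key}": value for key, value in props.items()}


def property_name(key: str, module_key: Optional[str]) -> str:
    """Strip the module-key prefix, if present, to get the bare property name."""
    if module_key and key.startswith(module_key + "."):
        return key[len(module_key) + 1:]
    return key


def select_by_substring(props: dict) -> dict:
    """Over-broad selection described in the comments: any key whose full text
    contains 'sonar' is forwarded, so a module key containing 'sonar' drags
    every property of that module along, encrypted secrets included."""
    return {k: v for k, v in props.items() if "sonar" in k}


def select_by_prefix(props: dict, module_key: Optional[str] = None) -> dict:
    """Anchored selection: only properties whose bare name starts with
    'sonar.' are forwarded to the engine."""
    return {k: v for k, v in props.items()
            if property_name(k, module_key).startswith(SCANNER_PREFIX)}


def irrelevant_encrypted(selected: dict, module_key: Optional[str] = None) -> list:
    """Encrypted values in the forwarded set that the scanner has no use for;
    the engine would try, and fail, to decrypt each of these."""
    return sorted(k for k, v in selected.items()
                  if is_encrypted(v)
                  and not property_name(k, module_key).startswith(SCANNER_PREFIX))


if __name__ == "__main__":
    module = "org.example:sonar-demo-module"
    props = qualify(module, SAMPLE_PROPERTIES)
    print("substring rule forwards:", irrelevant_encrypted(select_by_substring(props), module))
    print("prefix rule forwards:   ", irrelevant_encrypted(select_by_prefix(props, module), module))
```

On a single-module property set both rules pick the same three keys, which matches the comment that command-line and environment properties already behaved. Once the module key is prepended and happens to contain "sonar", the substring rule forwards the whole module, including `db.password` and `radar.token`, while the anchored prefix rule still forwards only the `sonar.*` settings.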

Activity

Tomasz Tylenda, March 21, 2025 at 1:07 PM

Edit: we are fine.

The problem was that the test project contained “sonar” in the name, so the encrypted property was considered relevant. I validated the fix again with “sonar” replaced with “radar” and it worked fine.

Tomasz Tylenda, March 21, 2025 at 12:47 PM (edited)

The problem occurs in a multimodule project. Stack trace:

It looks like in this case we prepend something to the property name and it is then passed, because it contains “sonar”.

Tomasz Tylenda, March 21, 2025 at 11:10 AM

Works for command-line properties and env vars, but not for a property declared in pom.xml.

Tomasz Tylenda, March 13, 2025 at 2:42 PM

The variable which causes problems is captured by Maven Scanner at

Done
Created October 17, 2024 at 3:57 PM
Updated March 21, 2025 at 2:08 PM
Resolved March 21, 2025 at 1:07 PM