Bitbucket sonarcloud-scan Error: java.lang.IllegalStateException: Argument of call instruction should be a variable or a constant

Running into the error in our Bitbucket pipeline with the settings


pipe: sonarsource/sonarcloud-scan:1.2.2
variables:
  SONAR_SCANNER_OPTS: -Xmx512m
  DEBUG: "true"

The error is

16:39:26.004 DEBUG: Invoking method with ucfg : isinstance
16:39:26.004 DEBUG: Invoking method with ucfg : isinstance
16:39:26.005 DEBUG: Invoking method with ucfg : isinstance
16:39:26.018 DEBUG: eslint-bridge server will shutdown
16:39:31.380 DEBUG: stylelint-bridge server will shutdown
16:39:36.393 INFO: ------------------------------------------------------------------------
16:39:36.393 INFO: EXECUTION FAILURE
16:39:36.393 INFO: ------------------------------------------------------------------------
16:39:36.393 INFO: Total time: 3:00.847s
16:39:36.717 INFO: Final Memory: 256M/512M
16:39:36.717 INFO: ------------------------------------------------------------------------
16:39:36.717 ERROR: Error during SonarScanner execution
java.lang.IllegalStateException: Argument of call instruction should be a variable or a constant
	at com.sonar.security.analysis.taint.B.E.A(na:3089)
	at com.sonar.security.analysis.taint.B.E.B(na:2980)
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
	at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1654)
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
	at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578)
	at com.sonar.security.analysis.taint.B.E.A(na:2980)
	at com.sonar.security.analysis.taint.B.E.A(na:300)
	at com.sonar.security.analysis.taint.B.E.A(na:556)
	at com.sonar.security.analysis.taint.B.E.A(na:2714)
	at com.sonar.security.analysis.L.A(na:700)
	at com.sonar.security.analysis.H.A(na:2083)
	at com.sonar.security.analysis.H.A(na:944)
	at com.sonar.security.rules.F.A(na:3434)
	at com.sonar.security.rules.F.A(na:1232)
	at com.sonar.security.E.A(na:3263)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1540)
	at com.sonar.security.E.executeChecks(na:1508)
	at com.sonar.security.E.execute(na:2399)
	at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(AbstractSensorWrapper.java:45)
	at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:75)
	at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:51)
	at org.sonar.scanner.scan.ModuleScanContainer.doAfterStart(ModuleScanContainer.java:68)
	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:123)
	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:109)
	at org.sonar.scanner.scan.ProjectScanContainer.scan(ProjectScanContainer.java:442)
	at org.sonar.scanner.scan.ProjectScanContainer.scanRecursively(ProjectScanContainer.java:438)
	at org.sonar.scanner.scan.ProjectScanContainer.doAfterStart(ProjectScanContainer.java:396)
	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:123)
	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:109)
	at org.sonar.scanner.bootstrap.GlobalContainer.doAfterStart(GlobalContainer.java:128)
	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:123)
	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:109)
	at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:58)
	at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:52)
	at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
	at com.sun.proxy.$Proxy0.execute(Unknown Source)
	at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)
	at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)
	at org.sonarsource.scanner.cli.Main.execute(Main.java:112)
	at org.sonarsource.scanner.cli.Main.execute(Main.java:75)
	at org.sonarsource.scanner.cli.Main.main(Main.java:61)

The error is reproducible and we tried (in desperation) to just remove the method where it fails, but the same error pops up at a different place.

Thanks for your help :)


Hi @TobiWipf,

welcome to the community and thanks for sharing this!

Just a quick question to better diagnose the problem: What is the language of the project you are analyzing? Is it Python?

Yes we’re using Python.

Hi,

here are some good news. :slight_smile:

The bug that you discovered happens in an old part of the code that has been recently replaced by entirely new code to perform an improved security analysis. Currently, Python is the only language for which this old code is still used. However, with the next release, we will also move Python analysis to the new codebase. The old code that triggers the aforementioned bug will then be removed completely and this bug will disappear.

This new and improved version will be released in a bit over three weeks.

Until the next release which fixes this problem, you can disable the rules that trigger it as a temporary workaround. From the log that you have posted, I cannot say exactly which was the rule that triggered this bug, but if you scroll back in the log you should see it. It is the last line that looks like:

01:38:07.220 DEBUG: Running rule pythonsecurity:<rulename>

…where <rulename> is the rule in question (For example, S3649).

It could be any one of (or several, or all of): S5334, S5135, S3649, S5146, S2083, S2091, S2078, S5145, S5167, S5144, S2076, S5131, S2631.

I hope that helps!

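The workaround above depends on finding, in a long DEBUG log, the last "Running rule pythonsecurity:<rulename>" line before the scanner exception. The following script is an added example (not code from the thread or from SonarSource) that does that lookup: it scans a scanner log, remembers the most recent rule that started, and reports it when the "Error during SonarScanner execution" line appears, also flagging whether the rule is one of the thirteen listed in the reply. The embedded log excerpt is constructed from the lines quoted in this thread; the function and constant names are the example's own.

```python
import re
import sys

# Constructed excerpt modelled on the log lines quoted in this thread
# (not a real scanner run); a real log would have thousands of lines.
SAMPLE_LOG = """\
11:05:59.145 INFO: rule: S5145 done
11:05:59.145 INFO: rule: S5167, entrypoints: 2
11:05:59.145 DEBUG: Running rule pythonsecurity:S5167
11:05:59.145 INFO: Running Steengaards analysis
11:05:59.162 DEBUG: loaded 0 decoders for rule S5167
16:39:26.004 DEBUG: Invoking method with ucfg : isinstance
16:39:26.018 DEBUG: eslint-bridge server will shutdown
16:39:36.393 INFO: EXECUTION FAILURE
16:39:36.717 ERROR: Error during SonarScanner execution
java.lang.IllegalStateException: Argument of call instruction should be a variable or a constant
"""

# Rules named in the reply as the ones that can trigger this bug.
AFFECTED_RULES = {
    "S5334", "S5135", "S3649", "S5146", "S2083", "S2091", "S2078",
    "S5145", "S5167", "S5144", "S2076", "S5131", "S2631",
}

# One line per rule start: "DEBUG: Running rule pythonsecurity:S5167"
RULE_START_RE = re.compile(r"DEBUG: Running rule pythonsecurity:(S\d+)\b")
# The scanner's failure marker, as it appears in the posted log.
FAILURE_RE = re.compile(r"ERROR: Error during SonarScanner execution")


def find_failing_rule(log_text):
    """Return the rule that was running when the scanner failed.

    Returns None if the log contains no failure marker, or if the
    failure happened before any pythonsecurity rule started.
    """
    last_rule = None
    for line in log_text.splitlines():
        match = RULE_START_RE.search(line)
        if match:
            last_rule = match.group(1)
            continue
        if FAILURE_RE.search(line):
            return last_rule
    return None


def describe(rule):
    """Human-readable verdict for the rule found (or not found)."""
    if rule is None:
        return "no pythonsecurity rule was running at the failure point"
    if rule in AFFECTED_RULES:
        return f"{rule} was running at the failure; it is in the affected list"
    return f"{rule} was running at the failure; not in the affected list"


if __name__ == "__main__":
    # Usage: python find_rule.py [scanner.log]; without a file the
    # constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    print(describe(find_failing_rule(text)))
```

Run it against the full pipeline log (with `DEBUG: "true"` set, as in the original configuration) rather than a copy-pasted tail, since the "Running rule" line can be far above the stack trace. The verdict only identifies the rule to disable; disabling is then done in the project's SonarCloud rule configuration, and as the reply notes the scan may go on to fail on another rule from the same list.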
Hi Malte,

Thank you for your response. It's good to hear that the new release will fix that.
Just to add, we are using sonarcloud-scan 1.2.2 in the Bitbucket pipeline. Will the next release be included in the Bitbucket pipeline as well?

  • pipe: sonarsource/sonarcloud-scan:1.2.2

I looked through the debug log. It seems like the error happened after the rule S5167.
After a bunch of 'Invoking method with ucfg…' and 'Matching sanitizer' lines, the scan failed with the exception Tobias mentions above.

11:05:59.145 INFO: rule: S5145 done
11:05:59.145 INFO: rule: S5167, entrypoints: 2
11:05:59.145 DEBUG: Running rule pythonsecurity:S5167
11:05:59.145 INFO: Running Steengaards analysis
11:05:59.159 DEBUG: Resource file pythonsecurity/sanitizers/S5167.json was not read
11:05:59.159 DEBUG: loaded 33 sanitizers for rule S5167
11:05:59.160 DEBUG: Resource file pythonsecurity/passthroughs/S5167.json was not read
11:05:59.160 DEBUG: loaded 39 passthroughs for rule S5167
11:05:59.162 DEBUG: Resource file pythonsecurity/collectionHandlers/S5167.json was not read
11:05:59.162 DEBUG: loaded 12 collectionHandlers for rule S5167
11:05:59.162 DEBUG: Resource file pythonsecurity/encoders/common.json was not read
11:05:59.162 DEBUG: Resource file pythonsecurity/encoders/S5167.json was not read
11:05:59.162 DEBUG: loaded 0 encoders for rule S5167
11:05:59.162 DEBUG: Resource file pythonsecurity/decoders/common.json was not read
11:05:59.162 DEBUG: Resource file pythonsecurity/decoders/S5167.json was not read
11:05:59.162 DEBUG: loaded 0 decoders for rule S5167

Hi @Ruogu_Liu ,

Yes indeed, it looks like rule S5167 is the culprit in this case. If you disable it, it should either fix the problem or (if you're really unlucky) fail with the same error on another one of the rules I mentioned above.

With sonarcloud-scan, the analysis is running on SonarCloud. The new release will be automatically deployed on SonarCloud as soon as it's out. So if the error is not that big of a problem for you, you can also just sit back and wait. :wink:

I wish you a good and sunny weekend!