Cannot access environment variables from a plugin in SonarQube 8

2019.10.22 08:43:46 ERROR ce[][o.s.ce.app.CeServer] Compute Engine startup failed
java.lang.IllegalStateException: Fail to load plugin ShellCheck Analyzer [shellcheck]
	at org.sonar.server.plugins.ServerExtensionInstaller.installExtensions(ServerExtensionInstaller.java:88)
	at org.sonar.ce.container.ComputeEngineContainerImpl.startLevel4(ComputeEngineContainerImpl.java:230)
	at org.sonar.ce.container.ComputeEngineContainerImpl.start(ComputeEngineContainerImpl.java:196)
	at org.sonar.ce.ComputeEngineImpl.startup(ComputeEngineImpl.java:45)
	at org.sonar.ce.app.CeServer$CeMainThread.attemptStartup(CeServer.java:163)
	at org.sonar.ce.app.CeServer$CeMainThread.run(CeServer.java:141)
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getenv.*")
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:897)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
	at java.base/java.lang.System.getenv(System.java:1042)
	at com.github.sbaudoin.sonar.plugins.shellcheck.ShellCheckPlugin.define(ShellCheckPlugin.java:31)
	at org.sonar.server.plugins.ServerExtensionInstaller.installExtensions(ServerExtensionInstaller.java:78)
	... 5 common frames omitted
  • steps to reproduce: install a plugin that access an environment variable (System.getenv("XXX")) and start SQ 8.0
  • potential workaround: none found so far

The cause is the new security manager that do not grant access to the environment variables. The fix could be to add “getenv.*” to the allowed permissions. If this is not a suitable solution, can you give some guidance to a workaround, please?

Hi,
Thanks for letting us know. We are evaluating the security restrictions and will come back to you shortly.

We’ll fix the problem in the next release of SonarQube 8.1: https://jira.sonarsource.com/browse/SONAR-12617. We don’t plan to do a bug fix release for v8.0 at this time.

As for possible workaround, you can read the value as a property.
Instead of reading an environment variable here, you can read a property from the configuration. For example:
if(context.getBootConfiguration().getBoolean("sonar.shell.addlanguage").orElse(false)).

You would then add the property in {SQ_install_dir/conf/sonar.properties}:
sonar.shell.addlanguage=true.