CE failure with Ansible probably with new scanner

Dear team,

I’ve been experiencing an issue with the Compute Engine since yesterday and the upgrade of the sonarscanner image that we use (FROM sonarsource/sonar-scanner-cli:latest).

I was first on SQ 25.4.2, and I tried upgrading to SQ 25.5.0, but I still have the issue.

It’s a sonar installed from zip.

I have a repository in which there are both python and ansible files. I use the following config sonar.properties:

sonar.projectKey=${env.SONAR_PROJECT_KEY}
sonar.qualitygate.wait=true
sonar.python.version=3.12
# sonar.externalIssuesReportPaths=ansible-lint-sq.json
sonar.sarifReportPaths=ansible-lint-sarif.json
sonar.exclusions=*tests-coverage.xml, junit-report*.xml, **/*.min.js, **/*.min.css
sonar.sources=.
sonar.sources.exclusions=*_tests/**
sonar.test.inclusions=*_tests/**
#sonar.python.coverage.reportPaths=*coverage.xml
sonar.coverage.exclusions=**/*.js

I can submit the SARIF file in private if needed.

Error in my gitlab-ci is:

ERROR: CE Task finished abnormally with status: FAILED, you can check details here: https://sonar.redacted.tld/api/ce/task?id=75db0911-5aa9-468d-b122-d3e83562c033

Scanner Context

Plugins:
Bundled analyzers:
  - JaCoCo 1.3.0.1538 (jacoco)
  - IaC Code Quality and Security 1.50.0.16452 (iacenterprise)
  - IaC Code Quality and Security 1.50.0.16452 (iac)
  - Text Code Quality and Security 2.29.0.8107 (textdeveloper)
  - Clean as You Code 2.4.0.2018 (cayc)
Global server settings:
  - provisioning.gitlab.enabled=false
  - sonar.abap.file.suffixes=.abap,.ab4,.flow,.asprog
  - sonar.auth.gitlab.allowUsersToSignUp=true
  - sonar.auth.gitlab.allowedGroups=redacted-users,sonar-administrators
  - sonar.auth.gitlab.enabled=true
  - sonar.auth.gitlab.groupsSync=true
  - sonar.auth.gitlab.url=https://git.redacted.tld
  - sonar.azureresourcemanager.file.suffixes=.bicep
  - sonar.c.file.suffixes=.c,.h
  - sonar.core.id=86E1FA4D-AZCIB_myZXX_0mQ618OP
  - sonar.core.serverBaseURL=https://sonar.redacted.tld
  - sonar.core.startTime=2025-10-10T14:23:16+0000
  - sonar.cpp.file.suffixes=.cc,.cpp,.cxx,.c++,.hh,.hpp,.hxx,.h++,.ipp,.ixx,.mxx,.cppm,.ccm,.cxxm,.c++m
  - sonar.cs.file.suffixes=.cs,.razor
  - sonar.css.file.suffixes=.css,.less,.scss,.sass
  - sonar.dart.file.suffixes=.dart
  - sonar.docker.file.patterns=Dockerfile,*.dockerfile
  - sonar.flex.file.suffixes=as
  - sonar.forceAuthentication=true
  - sonar.go.file.suffixes=.go
  - sonar.html.file.suffixes=.html,.xhtml,.cshtml,.vbhtml,.aspx,.ascx,.rhtml,.erb,.shtm,.shtml,.cmp,.twig,.html.j2
  - sonar.ipynb.file.suffixes=ipynb
  - sonar.java.file.suffixes=.java,.jav
  - sonar.java.jvmframeworkconfig.file.patterns=**/src/main/resources/**/*app*.properties,**/src/main/resources/**/*app*.yaml,**/src/main/resources/**/*app*.yml
  - sonar.javascript.file.suffixes=.js,.jsx,.cjs,.mjs,.vue,.astro,.vite
  - sonar.json.file.suffixes=.json
  - sonar.jsp.file.suffixes=.jsp,.jspf,.jspx
  - sonar.kotlin.file.suffixes=.kt,.kts
  - sonar.lf.enableGravatar=true
  - sonar.multi-quality-mode.enabled=true
  - sonar.objc.file.suffixes=.m
  - sonar.php.file.suffixes=php,php3,php4,php5,phtml,inc
  - sonar.plsql.file.suffixes=sql,pks,pkb
  - sonar.plugins.risk.consent=ACCEPTED
  - sonar.python.file.suffixes=py
  - sonar.qualityProfiles.allowDisableInheritedRules=true
  - sonar.ruby.file.suffixes=.rb
  - sonar.rust.file.suffixes=.rs
  - sonar.scala.file.suffixes=.scala
  - sonar.swift.file.suffixes=.swift
  - sonar.terraform.file.suffixes=.tf
  - sonar.tsql.file.suffixes=.tsql
  - sonar.typescript.file.suffixes=.ts,.tsx,.cts,.mts
  - sonar.vbnet.file.suffixes=.vb
  - sonar.xml.file.suffixes=.xml,.xsd,.xsl,.config
  - sonar.yaml.file.suffixes=.yaml,.yml
Project server settings:
  - sonar.abap.file.suffixes=.abap,.ab4,.flow,.asprog
  - sonar.azureresourcemanager.file.suffixes=.bicep
  - sonar.c.file.suffixes=.c,.h
  - sonar.cpp.file.suffixes=.cc,.cpp,.cxx,.c++,.hh,.hpp,.hxx,.h++,.ipp,.ixx,.mxx,.cppm,.ccm,.cxxm,.c++m
  - sonar.cs.file.suffixes=.cs,.razor
  - sonar.css.file.suffixes=.css,.less,.scss,.sass
  - sonar.dart.file.suffixes=.dart
  - sonar.docker.file.patterns=Dockerfile,*.dockerfile
  - sonar.flex.file.suffixes=as
  - sonar.go.file.suffixes=.go
  - sonar.html.file.suffixes=.html,.xhtml,.cshtml,.vbhtml,.aspx,.ascx,.rhtml,.erb,.shtm,.shtml,.cmp,.twig,.html.j2
  - sonar.ipynb.file.suffixes=ipynb
  - sonar.java.file.suffixes=.java,.jav
  - sonar.java.jvmframeworkconfig.file.patterns=**/src/main/resources/**/*app*.properties,**/src/main/resources/**/*app*.yaml,**/src/main/resources/**/*app*.yml
  - sonar.javascript.file.suffixes=.js,.jsx,.cjs,.mjs,.vue,.astro,.vite
  - sonar.json.file.suffixes=.json
  - sonar.jsp.file.suffixes=.jsp,.jspf,.jspx
  - sonar.kotlin.file.suffixes=.kt,.kts
  - sonar.objc.file.suffixes=.m
  - sonar.php.file.suffixes=php,php3,php4,php5,phtml,inc
  - sonar.plsql.file.suffixes=sql,pks,pkb
  - sonar.python.file.suffixes=py
  - sonar.ruby.file.suffixes=.rb
  - sonar.rust.file.suffixes=.rs
  - sonar.scala.file.suffixes=.scala
  - sonar.swift.file.suffixes=.swift
  - sonar.terraform.file.suffixes=.tf
  - sonar.tsql.file.suffixes=.tsql
  - sonar.typescript.file.suffixes=.ts,.tsx,.cts,.mts
  - sonar.vbnet.file.suffixes=.vb
  - sonar.xml.file.suffixes=.xml,.xsd,.xsl,.config
  - sonar.yaml.file.suffixes=.yaml,.yml
Project scanner properties:
  - sonar.coverage.exclusions=**/*.js
  - sonar.exclusions=*tests-coverage.xml, junit-report*.xml, **/*.min.js, **/*.min.css
  - sonar.host.url=https://sonar.redacted.tld
  - sonar.projectBaseDir=/builds/redacted
  - sonar.projectKey=redacted_dea5946d-8341-44ae-8234-36e680938f47
  - sonar.python.version=3.12
  - sonar.qualitygate.wait=true
  - sonar.sarifReportPaths=ansible-lint-sarif.json
  - sonar.scanner.app=ScannerCLI
  - sonar.scanner.appVersion=5.0.1.3006
  - sonar.scanner.home=/opt/sonar-scanner
  - sonar.sourceEncoding=UTF-8
  - sonar.sources=.
  - sonar.sources.exclusions=*_tests/**
  - sonar.test.inclusions=*_tests/**
  - sonar.working.directory=/builds/redacted/.scannerwork

Error Details

org.sonar.ce.task.projectanalysis.component.VisitException: Visit of Component {key=redacted_dea5946d-8341-44ae-8234-36e680938f47:automation/commvault/collect_schedule_policy.yml,type=FILE} failed
	at org.sonar.ce.task.projectanalysis.component.VisitException.rethrowOrWrap(VisitException.java:44)
	at org.sonar.ce.task.projectanalysis.component.VisitorsCrawler.visit(VisitorsCrawler.java:71)
	at org.sonar.ce.task.projectanalysis.component.VisitorsCrawler.visitChildren(VisitorsCrawler.java:107)
	at org.sonar.ce.task.projectanalysis.component.VisitorsCrawler.visitImpl(VisitorsCrawler.java:94)
	at org.sonar.ce.task.projectanalysis.component.VisitorsCrawler.visit(VisitorsCrawler.java:69)
	at org.sonar.ce.task.projectanalysis.component.VisitorsCrawler.visitChildren(VisitorsCrawler.java:107)
	at org.sonar.ce.task.projectanalysis.component.VisitorsCrawler.visitImpl(VisitorsCrawler.java:94)
	at org.sonar.ce.task.projectanalysis.component.VisitorsCrawler.visit(VisitorsCrawler.java:69)
	at org.sonar.ce.task.projectanalysis.component.VisitorsCrawler.visitChildren(VisitorsCrawler.java:107)
	at org.sonar.ce.task.projectanalysis.component.VisitorsCrawler.visitImpl(VisitorsCrawler.java:94)
	at org.sonar.ce.task.projectanalysis.component.VisitorsCrawler.visit(VisitorsCrawler.java:69)
	at org.sonar.ce.task.projectanalysis.step.ExecuteVisitorsStep.execute(ExecuteVisitorsStep.java:51)
	at org.sonar.ce.task.step.ComputationStepExecutor.executeStep(ComputationStepExecutor.java:90)
	at org.sonar.ce.task.step.ComputationStepExecutor.executeSteps(ComputationStepExecutor.java:81)
	at org.sonar.ce.task.step.ComputationStepExecutor.execute(ComputationStepExecutor.java:68)
	at org.sonar.ce.task.projectanalysis.taskprocessor.ReportTaskProcessor.process(ReportTaskProcessor.java:75)
	at org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.executeTask(CeWorkerImpl.java:212)
	at org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.run(CeWorkerImpl.java:194)
	at org.sonar.ce.taskprocessor.CeWorkerImpl.findAndProcessTask(CeWorkerImpl.java:160)
	at org.sonar.ce.taskprocessor.CeWorkerImpl$TrackRunningState.get(CeWorkerImpl.java:135)
	at org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:87)
	at org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:53)
	at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:128)
	at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:74)
	at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:80)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: java.lang.IllegalStateException: Fail to process issues of component 'redacted_dea5946d-8341-44ae-8234-36e680938f47:automation/commvault/collect_schedule_policy.yml'
	at org.sonar.ce.task.projectanalysis.issue.IntegrateIssuesVisitor.visitAny(IntegrateIssuesVisitor.java:107)
	at org.sonar.ce.task.projectanalysis.component.TypeAwareVisitorWrapper.visitAny(TypeAwareVisitorWrapper.java:77)
	at org.sonar.ce.task.projectanalysis.component.VisitorsCrawler.visitNode(VisitorsCrawler.java:114)
	at org.sonar.ce.task.projectanalysis.component.VisitorsCrawler.visitImpl(VisitorsCrawler.java:97)
	at org.sonar.ce.task.projectanalysis.component.VisitorsCrawler.visit(VisitorsCrawler.java:69)
	... 29 more
Caused by: java.lang.IllegalStateException: Unknown status: TO_REVIEW [issue=39f37d2b-b5a0-4cc1-901e-689f96b2028e]
	at com.google.common.base.Preconditions.checkState(Preconditions.java:834)
	at org.sonar.server.issue.workflow.codequalityissue.CodeQualityIssueWorkflow.stateOf(CodeQualityIssueWorkflow.java:101)
	at org.sonar.server.issue.workflow.codequalityissue.CodeQualityIssueWorkflow.doAutomaticTransition(CodeQualityIssueWorkflow.java:90)
	at org.sonar.server.issue.workflow.IssueWorkflow.doAutomaticTransition(IssueWorkflow.java:71)
	at org.sonar.ce.task.projectanalysis.issue.IssueLifecycle.doAutomaticTransition(IssueLifecycle.java:229)
	at org.sonar.ce.task.projectanalysis.issue.IntegrateIssuesVisitor.processIssue(IntegrateIssuesVisitor.java:210)
	at org.sonar.ce.task.projectanalysis.issue.IntegrateIssuesVisitor.lambda$processIssues$1(IntegrateIssuesVisitor.java:165)
	at java.base/java.lang.Iterable.forEach(Iterable.java:75)
	at org.sonar.ce.task.projectanalysis.issue.IntegrateIssuesVisitor.processIssues(IntegrateIssuesVisitor.java:165)
	at org.sonar.ce.task.projectanalysis.issue.IntegrateIssuesVisitor.visitAny(IntegrateIssuesVisitor.java:101)
	... 33 more

Can you please advise?

Thank you a lot,

Florian Thöni

EDIT: as explained in the next messages, the image has not been changed; the issue is somewhere else.

Hey there!

Thanks for the report.

If you revert the scanner version, does the issue go away?

Oh, I see what you mean: on Docker Hub, the image has not changed in the last 3 months. So yes, it cannot be this…

My image got rebuilt, but the upstream did not change, unlike what I initially thought. Unfortunately, I cannot test my previous image based on yours; it doesn’t exist anymore.

But I tested with a vanilla sonar-scanner-cli:latest and got the same issue.

(our build simply adds shellcheck inside the image)

Hey there.

I’ll reach out for this file.

Hi @Floh

It seems the issue 39f37d2b-b5a0-4cc1-901e-689f96b2028e is a code quality issue (i.e. not a Security Hotspot), but has the status TO_REVIEW that is normally only applied to security hotspots.

Can you check what the rule key of this issue is?

A few ideas:

  • the rule was previously of type SECURITY_HOTSPOT, and has been later re-labelled to BUG/CODE_SMELL/VULNERABILITY, causing an inconsistency in the workflow state. This would have affected many users, so I am not really convinced by this possibility (except if this is a rule from a third-party plugin)
  • the issue was manually changed from SECURITY_HOTSPOT to BUG/CODE_SMELL/VULNERABILITY in the UI or using the Web API. This is normally not possible anymore, but it used to be a thing.

The workaround for you would be to “clean” this inconsistency before restarting a new analysis. Since it is normally not possible to change issue types from/to security hotspots, as far as I know the only solution is to go into the DB. Check what the actual rule type is, and if the issue type is not the same, fix it. If the type is correct, then change the status to OPEN.

For reference:

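Added example, not part of the reply above and not SonarQube's own code: a read-only check for the inconsistency that reply describes, run against an in-memory SQLite stand-in with constructed rows. The `rules` columns (`uuid`, `plugin_rule_key`, `rule_type`) and the integer type codes (1 = CODE_SMELL, 2 = BUG, 3 = VULNERABILITY, 4 = SECURITY_HOTSPOT) are assumptions about the SonarQube schema; the `issues` columns are the ones used in this thread's queries.

```python
import sqlite3

# Assumed integer codes stored in issues.issue_type and rules.rule_type.
RULE_TYPES = {1: "CODE_SMELL", 2: "BUG", 3: "VULNERABILITY", 4: "SECURITY_HOTSPOT"}

# Read-only query in plain SQL. Assumed columns: rules.uuid,
# rules.plugin_rule_key, rules.rule_type.
INCONSISTENT = """
SELECT i.kee, r.plugin_rule_key, i.status, i.issue_type, r.rule_type
FROM issues i JOIN rules r ON r.uuid = i.rule_uuid
WHERE i.issue_type <> r.rule_type
   OR (i.issue_type <> 4 AND i.status = 'TO_REVIEW')
ORDER BY i.kee
"""

def diagnose(conn):
    """Return one finding per inconsistent issue, with the step the reply suggests."""
    findings = []
    for kee, rule_key, status, issue_type, rule_type in conn.execute(INCONSISTENT):
        if issue_type != rule_type:
            # Issue type differs from the rule type: the type is what needs fixing.
            step = f"set issue_type to {rule_type} ({RULE_TYPES.get(rule_type, '?')})"
        else:
            # Type is correct, so only the hotspot-only status is wrong.
            step = "type matches the rule: set status to OPEN"
        findings.append((kee, rule_key, RULE_TYPES.get(issue_type, "?"), status, step))
    return findings

def build_sample_db():
    """In-memory stand-in for the SonarQube DB; every row is constructed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE rules (uuid TEXT PRIMARY KEY, plugin_rule_key TEXT, rule_type INTEGER);
        CREATE TABLE issues (kee TEXT PRIMARY KEY, rule_uuid TEXT, status TEXT, issue_type INTEGER);
        INSERT INTO rules VALUES ('rule-smell', 'EX001', 1), ('rule-hotspot', 'EX002', 4);
        INSERT INTO issues VALUES
            ('issue-a', 'rule-smell',   'OPEN',      1),  -- consistent
            ('issue-b', 'rule-hotspot', 'TO_REVIEW', 4),  -- consistent hotspot
            ('issue-c', 'rule-smell',   'TO_REVIEW', 1),  -- quality issue with hotspot status
            ('issue-d', 'rule-hotspot', 'TO_REVIEW', 1);  -- type moved away from hotspot
    """)
    return conn

if __name__ == "__main__":
    for finding in diagnose(build_sample_db()):
        print(finding)
```

The query only reads; an empty result means the stored issues are consistent and the bad status is being produced during the analysis itself.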

Thank you a lot for your answer Julien.

I use no plugins except shellcheck that should not been added here.

Through API, bad luck.

floh@floh-desktop [~]  % curl 'https://sonar.redacted.tld/api/sources/issue_snippets?issueKey=39f37d2b-b5a0-4cc1-901e-689f96b2028e' --compressed -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:145.0) Gecko/20100101 Firefox/145.0' -H 'Accept: application/json' -H 'Accept-Language: fr,en;q=0.8,fr-FR;q=0.5,en-US;q=0.3' -H 'Accept-Encoding: gzip, deflate, br, zstd' -H 'X-XSRF-TOKEN: redacted' -H 'Connection: keep-alive' -H 'Cookie: OAUTHSTATE=redacted; XSRF-TOKEN=redacted; JWT-SESSION=redacted' -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: same-origin' -H 'Priority: u=4' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' 

{"errors":[{"msg":"Issue with key \u002739f37d2b-b5a0-4cc1-901e-689f96b2028e\u0027 does not exist"}]}%

Opening the DB, I can’t find it either, but maybe I’m not using the right query:


sonarqube=> select issues.kee, issues.rule_uuid, issues.severity, issues.status, issues.issue_type, issues.project_uuid, project_branches.kee, projects.kee from issues left outer join project_branches on issues.project_uuid = project_branches.uuid
left outer join projects on project_branches.project_uuid = projects.uuid where issues.kee like '39f%';
 kee | rule_uuid | severity | status | issue_type | project_uuid | kee | kee 
-----+-----------+----------+--------+------------+--------------+-----+-----
(0 rows)

Here are all issues in my project:

sonarqube=> select issues.kee, issues.rule_uuid, issues.severity, issues.status, issues.issue_type, issues.project_uuid, project_branches.kee from issues left outer join project_branches on issues.project_uuid = project_branches.uuid
left outer join projects on project_branches.project_uuid = projects.uuid where projects.kee = 'redacted_dea5946d-8341-44ae-8234-36e680938f47';
                 kee                  |              rule_uuid               | severity | status | issue_type |             project_uuid             | kee 
--------------------------------------+--------------------------------------+----------+--------+------------+--------------------------------------+-----
 b36fb713-bb7d-40b7-8284-653357b0148b | 78486b44-5b0a-4d6d-bc7c-7803cd47da40 | MAJOR    | OPEN   |          1 | 94e2fa2b-839d-4897-9e78-1c597f7b8042 | 7
 96b26ded-7c95-496b-adbb-8cfc3a3d8576 | 78486b44-5b0a-4d6d-bc7c-7803cd47da40 | MAJOR    | OPEN   |          1 | 94e2fa2b-839d-4897-9e78-1c597f7b8042 | 7
 e3fec60c-125e-4e39-a529-5ab17c634cb6 | 78486b44-5b0a-4d6d-bc7c-7803cd47da40 | MAJOR    | OPEN   |          1 | 94e2fa2b-839d-4897-9e78-1c597f7b8042 | 7
 07b0ca19-3510-4677-8181-6f6466de77f3 | 78486b44-5b0a-4d6d-bc7c-7803cd47da40 | MAJOR    | OPEN   |          1 | 94e2fa2b-839d-4897-9e78-1c597f7b8042 | 7
 360dde73-c5c9-46b0-8e85-ea34c6bd107c | 78486b44-5b0a-4d6d-bc7c-7803cd47da40 | MAJOR    | OPEN   |          1 | 94e2fa2b-839d-4897-9e78-1c597f7b8042 | 7
 ef5dfdc0-d7f3-4dea-b019-458e2de40b9e | 78486b44-5b0a-4d6d-bc7c-7803cd47da40 | MAJOR    | OPEN   |          1 | 94e2fa2b-839d-4897-9e78-1c597f7b8042 | 7
 92de46cb-297a-4b65-bab6-d8e6fd670357 | 78486b44-5b0a-4d6d-bc7c-7803cd47da40 | MAJOR    | OPEN   |          1 | 94e2fa2b-839d-4897-9e78-1c597f7b8042 | 7
 a6ec52d4-28a5-48ea-a7cb-c4b387c6e385 | 78486b44-5b0a-4d6d-bc7c-7803cd47da40 | MAJOR    | OPEN   |          1 | 94e2fa2b-839d-4897-9e78-1c597f7b8042 | 7
 f6157dcd-1536-455e-b365-bb93960fee9b | 78486b44-5b0a-4d6d-bc7c-7803cd47da40 | MAJOR    | OPEN   |          1 | 94e2fa2b-839d-4897-9e78-1c597f7b8042 | 7
 f10a53f9-8438-454d-be6f-44a28a992916 | 946c8494-bccc-4408-9f6d-04f1e8e697f0 | CRITICAL | CLOSED |          3 | 9e53942c-458c-404b-8537-30f4eb5fdb18 | 5
 f296364e-16bc-434a-af09-9e26bb097a21 | 60f15854-3e5d-4cd7-b8fa-8f462769f736 | CRITICAL | CLOSED |          3 | 9e53942c-458c-404b-8537-30f4eb5fdb18 | 5
 febc936d-d4b2-4a55-a72e-dadc23e63faa | 60f15854-3e5d-4cd7-b8fa-8f462769f736 | CRITICAL | CLOSED |          3 | 9e53942c-458c-404b-8537-30f4eb5fdb18 | 5
 58837419-d17f-4c83-9b39-491780410917 | 60f15854-3e5d-4cd7-b8fa-8f462769f736 | CRITICAL | OPEN   |          3 | 9e53942c-458c-404b-8537-30f4eb5fdb18 | 5
 85588b9c-f2f5-4f34-8e20-dd8b39e32627 | 60f15854-3e5d-4cd7-b8fa-8f462769f736 | CRITICAL | OPEN   |          3 | 9e53942c-458c-404b-8537-30f4eb5fdb18 | 5
 7db207ea-d1fe-43bf-af71-01029f94c9f6 | 946c8494-bccc-4408-9f6d-04f1e8e697f0 | CRITICAL | CLOSED |          3 | 9e53942c-458c-404b-8537-30f4eb5fdb18 | 5

Where can I find the mapping for issue_types? Do you see something that I should go deeper with?

Forget the previous version of this message, I’m not awake enough.
I tried to check with the latest issue id in the latest CE failure error details, and this one is not found either.

If the issue uuid is different each time, that likely means it is a “new” issue, not an issue in DB. I don’t see why in this case there is this discrepancy between the issue type and status.

Do you see the same issue if you analyze as a new SonarQube project (just change the project key)? If yes, could you share a reproducer?


Can you please initiate a PM so I can send you a reproducer with a single Ansible yml file?

If this one is present and the ansible-lint SARIF file is imported, the CE task fails.

  • if only the SARIF file is given but the Ansible file doesn’t exist => no problem
  • if the Ansible file is there but the SARIF file import is deactivated => no problem

Thank you 🙂

Thanks for the reproducer, I was able to replicate with the latest version as well, so I created a ticket:

This should hopefully be picked up during the next hardening.

Thank you a lot.