Change in UUID Pattern mid 2024 breaks Scans with 2026.3.0.123014 due to UUID Check

Must-share information (formatted with Markdown):

  • SonarQube Server Enterprise, Version 2026.3.0.123014
  • how is SonarQube deployed: zip
  • SCA Scans of old projects
  • what have you tried so far to achieve this


We use SonarQube Server with Advanced Security for SCA Scans. Since the upgrade to 2026.3, many of our scans break with errors, both triggered scans and automatic re-scans of the dependencies. That happens for many but not all of our projects, for many but not all of our branches.

Exception-Stack (UUID masked but you can see the format):

2026.05.28 14:17:25 ERROR ce[0aac8fc2-564a-4753-aa3c-bb6739beabfc][o.s.c.t.CeWorkerImpl] Failed to execute task 0aac8fc2-564a-4753-aa3c-bb6739beabfc
org.apache.ibatis.exceptions.PersistenceException:
### Error querying database.  Cause: org.apache.ibatis.reflection.ReflectionException: Error instantiating class com.sonar.sca.db.dtos.ScaIssueReleaseDto with invalid types (String,String,String,String,ScaSeverity,ScaSeverity,ScaSeverity,boolean,ScaIssueStatus,ScaIssueStatus,String,long,long) or values (d74a6fc4-1596-4c09-bc4b-bfff52391fb7,a9e3c241-b623-4658-bccb-c5bd02bca4db,b3ece268-b2b7-4341-a4c5-051a8c31003c,AY0hbZ2vChgdzm5hkD2z,LOW,LOW,null,false,OPEN,null,null,1779196532476,1779196532476). Cause: java.lang.reflect.InvocationTargetException
### The error may exist in com.sonar.sca.db.mappers.ScaIssuesReleasesDetailsMapper
### The error may involve com.sonar.sca.db.mappers.ScaIssuesReleasesDetailsMapper.selectByIssueUuidsAndBranchUuids
### The error occurred while handling results
### SQL: select            sir.uuid as issue_release_uuid,     sir.uuid as sir_uuid,     sir.sca_issue_uuid as sir_sca_issue_uuid,     sir.sca_release_uuid as sir_sca_release_uuid,     sir.component_uuid as sir_component_uuid,     sir.severity as sir_severity,     sir.severity_sort_key as sir_severity_sort_key,     sir.original_severity as sir_original_severity,     sir.manual_severity as sir_manual_severity,     sir.show_increased_severity_warning as sir_show_increased_severity_warning,     sir.status as sir_status,     sir.previous_manual_status as sir_previous_manual_status,     sir.assignee_uuid as sir_assignee_uuid,     sir.created_at as sir_created_at,     sir.updated_at as sir_updated_at,     si.uuid as si_uuid,     si.sca_issue_type as si_sca_issue_type,     si.package_url as si_package_url,     si.vulnerability_id as si_vulnerability_id,     si.spdx_license_id as si_spdx_license_id,     si.created_at as si_created_at,     si.updated_at as si_updated_at,     sr.uuid as sr_uuid,     sr.component_uuid as sr_component_uuid,     sr.package_url as sr_package_url,     sr.package_manager as sr_package_manager,     sr.package_name as sr_package_name,     sr.version as sr_version,     sr.license_expression as sr_license_expression,     sr.declared_license_expression as sr_declared_license_expression,     sr.known as sr_known,     sr.known_package as sr_known_package,     sr.is_new as sr_is_new,     sr.created_at as sr_created_at,     sr.updated_at as sr_updated_at,     svi.uuid as svi_uuid,     svi.base_severity as svi_base_severity,     svi.cwe_ids as svi_cwe_ids,     svi.cvss_score as svi_cvss_score,     svi.epss_score as svi_epss_score,     svi.epss_percentile as svi_epss_percentile,     svi.known_exploited as svi_known_exploited,     svi.withdrawn as svi_withdrawn,     svi.published_on as svi_published_on,     svi.created_at as svi_created_at,     svi.updated_at as svi_updated_at               from sca_issues_releases sir     inner join sca_issues si on 
sir.sca_issue_uuid = si.uuid     inner join sca_releases sr on sir.sca_release_uuid = sr.uuid     left join sca_vulnerability_issues svi on sir.sca_issue_uuid = svi.uuid                       where si.uuid in        (           ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        
,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        ,          ?        )                          and sr.component_uuid in        (           ?        )
### Cause: org.apache.ibatis.reflection.ReflectionException: Error instantiating class com.sonar.sca.db.dtos.ScaIssueReleaseDto with invalid types (String,String,String,String,ScaSeverity,ScaSeverity,ScaSeverity,boolean,ScaIssueStatus,ScaIssueStatus,String,long,long) or values (d74a6fc4-1596-4c09-bc4b-bfff52391fb7,a9e3c241-b623-4658-bccb-c5bd02bca4db,b3ece268-b2b7-4341-a4c5-051a8c31003c,AY0hbZ2vChgdzm5hkD2z,LOW,LOW,null,false,OPEN,null,null,1779196532476,1779196532476). Cause: java.lang.reflect.InvocationTargetException
        at org.apache.ibatis.exceptions.ExceptionFactory.wrapException(ExceptionFactory.java:30)
        at org.apache.ibatis.session.defaults.DefaultSqlSession.selectList(DefaultSqlSession.java:156)
        at org.apache.ibatis.session.defaults.DefaultSqlSession.selectList(DefaultSqlSession.java:147)
        at org.apache.ibatis.session.defaults.DefaultSqlSession.selectList(DefaultSqlSession.java:142)
        at org.apache.ibatis.binding.MapperMethod.executeForMany(MapperMethod.java:147)
        at org.apache.ibatis.binding.MapperMethod.execute(MapperMethod.java:80)
        at org.apache.ibatis.binding.MapperProxy$PlainMethodInvoker.invoke(MapperProxy.java:141)
        at org.apache.ibatis.binding.MapperProxy.invoke(MapperProxy.java:86)
        at jdk.proxy2/jdk.proxy2.$Proxy110.selectByIssueUuidsAndBranchUuids(Unknown Source)
        at com.sonar.sca.db.daos.ScaIssuesReleasesDetailsDao.輭(Unknown Source)
        at com.sonar.sca.db.QueryPartitioner.輭(Unknown Source)
        at com.sonar.sca.db.QueryPartitioner.executeLargeInputs(Unknown Source)
        at com.sonar.sca.db.daos.ScaIssuesReleasesDetailsDao.輭(Unknown Source)
        at com.sonar.sca.db.QueryPartitioner.輭(Unknown Source)
        at com.sonar.sca.db.QueryPartitioner.executeLargeInputs(Unknown Source)
        at com.sonar.sca.db.daos.ScaIssuesReleasesDetailsDao.selectByIssueUuidsAndBranchUuids(Unknown Source)
        at com.sonar.sca.ce.y.輭(Unknown Source)
        at com.sonar.sca.ce.s.輭(Unknown Source)
        at com.sonar.sca.ce.s.輭(Unknown Source)
        at com.sonar.sca.ce.s.W.輭(Unknown Source)
        at com.sonar.sca.ce.s.W.輭(Unknown Source)
        at com.sonar.sca.ce.s._.輭(Unknown Source)
        at com.sonar.sca.ce.s.I.輭(Unknown Source)
        at com.sonar.sca.ce.O.輭(Unknown Source)
        at com.sonar.sca.ce.W.execute(Unknown Source)
        at org.sonar.ce.task.step.ComputationStepExecutor.executeStep(ComputationStepExecutor.java:90)
        at org.sonar.ce.task.step.ComputationStepExecutor.executeSteps(ComputationStepExecutor.java:81)
        at org.sonar.ce.task.step.ComputationStepExecutor.execute(ComputationStepExecutor.java:68)
        at org.sonar.ce.task.projectanalysis.taskprocessor.ReportTaskProcessor.process(ReportTaskProcessor.java:75)
        at org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.executeTask(CeWorkerImpl.java:212)
        at org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.run(CeWorkerImpl.java:194)
        at org.sonar.ce.taskprocessor.CeWorkerImpl.findAndProcessTask(CeWorkerImpl.java:160)
        at org.sonar.ce.taskprocessor.CeWorkerImpl$TrackRunningState.get(CeWorkerImpl.java:135)
        at org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:87)
        at org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:53)
        at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:128)
        at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:74)
        at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:80)
        at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:572)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
        at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
        at java.base/java.lang.Thread.run(Thread.java:1583)
Caused by: org.apache.ibatis.reflection.ReflectionException: Error instantiating class com.sonar.sca.db.dtos.ScaIssueReleaseDto with invalid types (String,String,String,String,ScaSeverity,ScaSeverity,ScaSeverity,boolean,ScaIssueStatus,ScaIssueStatus,String,long,long) or values (d74a6fc4-1596-4c09-bc4b-bfff52391fb7,a9e3c241-b623-4658-bccb-c5bd02bca4db,b3ece268-b2b7-4341-a4c5-051a8c31003c,AY0hbZ2vChgdzm5hkD2z,LOW,LOW,null,false,OPEN,null,null,1779196532476,1779196532476). Cause: java.lang.reflect.InvocationTargetException
        at org.apache.ibatis.reflection.factory.DefaultObjectFactory.instantiateClass(DefaultObjectFactory.java:86)
        at org.apache.ibatis.reflection.factory.DefaultObjectFactory.create(DefaultObjectFactory.java:53)
        at org.apache.ibatis.executor.resultset.DefaultResultSetHandler.createParameterizedResultObject(DefaultResultSetHandler.java:722)
        at org.apache.ibatis.executor.resultset.DefaultResultSetHandler.createResultObject(DefaultResultSetHandler.java:684)
        at org.apache.ibatis.executor.resultset.DefaultResultSetHandler.createResultObject(DefaultResultSetHandler.java:659)
        at org.apache.ibatis.executor.resultset.DefaultResultSetHandler.getRowValue(DefaultResultSetHandler.java:411)
        at org.apache.ibatis.executor.resultset.DefaultResultSetHandler.createParameterizedResultObject(DefaultResultSetHandler.java:710)
        at org.apache.ibatis.executor.resultset.DefaultResultSetHandler.createResultObject(DefaultResultSetHandler.java:684)
        at org.apache.ibatis.executor.resultset.DefaultResultSetHandler.createResultObject(DefaultResultSetHandler.java:659)
        at org.apache.ibatis.executor.resultset.DefaultResultSetHandler.getRowValue(DefaultResultSetHandler.java:440)
        at org.apache.ibatis.executor.resultset.DefaultResultSetHandler.handleRowValuesForNestedResultMap(DefaultResultSetHandler.java:1034)
        at org.apache.ibatis.executor.resultset.DefaultResultSetHandler.handleRowValues(DefaultResultSetHandler.java:335)
        at org.apache.ibatis.executor.resultset.DefaultResultSetHandler.handleResultSet(DefaultResultSetHandler.java:310)
        at org.apache.ibatis.executor.resultset.DefaultResultSetHandler.handleResultSets(DefaultResultSetHandler.java:202)
        at org.apache.ibatis.executor.statement.PreparedStatementHandler.query(PreparedStatementHandler.java:66)
        at org.apache.ibatis.executor.statement.RoutingStatementHandler.query(RoutingStatementHandler.java:80)
        at org.apache.ibatis.executor.ReuseExecutor.doQuery(ReuseExecutor.java:62)
        at org.apache.ibatis.executor.BaseExecutor.queryFromDatabase(BaseExecutor.java:336)
        at org.apache.ibatis.executor.BaseExecutor.query(BaseExecutor.java:158)
        at org.apache.ibatis.executor.CachingExecutor.query(CachingExecutor.java:110)
        at org.apache.ibatis.executor.CachingExecutor.query(CachingExecutor.java:90)
        at org.apache.ibatis.session.defaults.DefaultSqlSession.selectList(DefaultSqlSession.java:154)
        ... 42 common frames omitted
Caused by: java.lang.reflect.InvocationTargetException
        at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:74)
        at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502)
        at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486)
        at org.apache.ibatis.reflection.factory.DefaultObjectFactory.instantiateClass(DefaultObjectFactory.java:73)
        ... 63 common frames omitted
Caused by: java.lang.IllegalArgumentException: Invalid UUID: 'AY*****_****-*******'
        at com.sonar.sca.uuid.UuidUtils.checkValidUuid(UuidUtils.java:31)
        at com.sonar.sca.db.dtos.ScaIssueReleaseDto.<init>(Unknown Source)
        at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62)
        ... 66 common frames omitted
2026.05.28 14:17:25 INFO  ce[0aac8fc2-564a-4753-aa3c-bb6739beabfc][o.s.c.t.CeWorkerImpl] Executed task | project=***** | type=REPORT | branch=develop | branchType=BRANCH | id=****** | submitter=***** | status=FAILED | time=4931ms

After some digging we found the error in the pattern check of the Component-UUID in the class “com.sonar.sca.uuid.UuidUtils.checkValidUuid”, which expects the following pattern:

"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"

Checking the content of the “components” table in the database, this pattern changed to the standard UUID pattern somewhere between April and May 2024. Before that it was something like “AY*****_****-*******”.

We never had any problems until the introduction of 2026.3 (and we tend to be very up to date with our SonarQube installation), so I would assume that the pattern check was introduced in this latest version.

One solution would be deleting all affected projects and recreating them, but that is not really possible as all mitigations and documentation of past issues would be gone without any (known) way of migration.

Is there a way to

  • migrate the UIDs in the Database to the new format (and maybe add that script to the upgrade scripts in the database)
  • change the UUID check to a less strict version that is backwards compatible?

Sadly, that is a big issue, as many of our projects are older and therefore affected, since we have used SonarQube for many years. It would be awesome if you could provide some kind of solution in the very near future; maybe we are not the only ones that are affected.

Thank you in advance for your time.

Kind regards

Marc Stockhammer
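For triage of the failure described in the post above, this added example (not part of the original post and not SonarQube code) applies the strict pattern quoted there to the constructor arguments in the `ReflectionException` line and to an exported list of IDs. The legacy shape of 20 URL-safe characters is an assumption inferred only from the samples visible in the post, and the function names are hypothetical.

```python
import re
from collections import Counter

# Strict pattern quoted in the post (what checkValidUuid is reported to expect).
STRICT_UUID = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)
# ASSUMPTION: legacy IDs are 20 URL-safe characters, inferred from the post's
# samples only; this is not taken from SonarQube's code.
LEGACY_ID = re.compile(r"^[A-Za-z0-9_-]{20}$")

# Argument types and values as MyBatis prints them in the ReflectionException.
TYPES = re.compile(r"invalid types \(([^)]*)\)")
VALUES = re.compile(r"or values \(([^)]*)\)")

# Shortened from the exception line in the post's stack trace.
SAMPLE_LINE = (
    "Error instantiating class com.sonar.sca.db.dtos.ScaIssueReleaseDto with "
    "invalid types (String,String,String,String,ScaSeverity,ScaSeverity,"
    "ScaSeverity,boolean,ScaIssueStatus,ScaIssueStatus,String,long,long) or "
    "values (d74a6fc4-1596-4c09-bc4b-bfff52391fb7,"
    "a9e3c241-b623-4658-bccb-c5bd02bca4db,b3ece268-b2b7-4341-a4c5-051a8c31003c,"
    "AY0hbZ2vChgdzm5hkD2z,LOW,LOW,null,false,OPEN,null,null,"
    "1779196532476,1779196532476). Cause: java.lang.reflect.InvocationTargetException"
)

def classify(value):
    """Label one ID as 'standard', 'legacy' or 'other'."""
    if STRICT_UUID.fullmatch(value):
        return "standard"
    if LEGACY_ID.fullmatch(value):
        return "legacy"
    return "other"

def legacy_args(log_line):
    """Return (position, value) for each String argument that has the legacy shape."""
    types, values = TYPES.search(log_line), VALUES.search(log_line)
    if not types or not values:
        return []
    pairs = zip(types.group(1).split(","), values.group(1).split(","))
    return [(pos, val) for pos, (typ, val) in enumerate(pairs)
            if typ == "String" and val != "null" and classify(val) == "legacy"]

def count_by_format(ids):
    """Tally an exported list of component UUIDs by format."""
    return dict(Counter(classify(i) for i in ids))

if __name__ == "__main__":
    print(legacy_args(SAMPLE_LINE))
```

Run over the sample line, it points at the fourth constructor argument, which is the only `String` value that fails the strict check.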

Hi Marc,

I would have expected this ID format change to have been handled by a DB migration at update - probably back in 2024 tho when the format changed. Can you share (do you remember) your version history? Do you typically upgrade to each release, or stick to LTAs for a while? For the whole cycle? Something else?

 
Thx,
Ann

Hi Ann, we always try to be up to date with your normal releases, not just LTS ones.

I have no detailed list of when we installed which version, but normally it was done within 1-2 weeks of notice.

Best regards

Marc

Hi Marc,

So that means you would have taken each upgrade as it came out. :thinking:

I’m not sure what’s going on here, but I’ve flagged this for the folks who should have a better idea.

 
Ann

Will be fixed in a 2026.3.1.

… which was just announced :tada:

 
:smiley:
Ann

Thank you very much, just installed the new release and the scans are working again.