Error in SonarLint for IntelliJ - IndexOutOfBoundsException

Environment:

  • Java: JetBrains s.r.o. 17.0.3
  • OS: Windows 10 amd64
  • IDE: IntelliJ IDEA 2022.2.1
  • SonarLint: 7.0.0.52289

java.lang.IndexOutOfBoundsException: Index 0 out of bounds for length 0
	at java.base/jdk.internal.util.Preconditions.outOfBounds(Preconditions.java:64)
	at java.base/jdk.internal.util.Preconditions.outOfBoundsCheckIndex(Preconditions.java:70)
	at java.base/jdk.internal.util.Preconditions.checkIndex(Preconditions.java:266)
	at java.base/java.util.Objects.checkIndex(Objects.java:359)
	at java.base/java.util.ArrayList.get(ArrayList.java:427)
	at o.sl.ij.editor.EditorDecorator.highlight(EditorDecorator.kt:85)
	at o.sl.ij.ui.vulnerabilities.TaintVulnerabilitiesPanel.updateRulePanelContent(TaintVulnerabilitiesPanel.kt:257)
	at o.sl.ij.ui.vulnerabilities.TaintVulnerabilitiesPanel.TREE_SELECTION_LISTENER$lambda-2(TaintVulnerabilitiesPanel.kt:263)
	at java.desktop/javax.swing.JTree.fireValueChanged(JTree.java:3020)
	at java.desktop/javax.swing.JTree$TreeSelectionRedirector.valueChanged(JTree.java:3521)
	at java.desktop/javax.swing.tree.DefaultTreeSelectionModel.fireValueChanged(DefaultTreeSelectionModel.java:650)
	at c.ij.ui.treeStructure.Tree$MySelectionModel.fireValueChanged(Tree.java:647)
	at java.desktop/javax.swing.tree.DefaultTreeSelectionModel.notifyPathChange(DefaultTreeSelectionModel.java:1120)
	at java.desktop/javax.swing.tree.DefaultTreeSelectionModel.setSelectionPaths(DefaultTreeSelectionModel.java:306)
	at java.desktop/javax.swing.tree.DefaultTreeSelectionModel.setSelectionPath(DefaultTreeSelectionModel.java:200)
	at java.desktop/javax.swing.JTree.setSelectionPath(JTree.java:1709)

Hello Giacomo,

Thanks for raising this! Are you connected to SonarQube or SonarCloud? Could you share with us the code that triggered this problem?

It’s connected to SonarQube.

I can’t share the code and I think it wouldn’t be very useful (2000+ lines).

What I realized now is that the “Taint vulnerabilities” panel shows issues at impossible locations (0,0):

When I click on an issue, the exception is thrown.

What version of SonarQube are you using?

SonarQube 9.4 (build 54424)

I am really puzzled. The vulnerabilities shown in your screenshot seem to come from a third-party plugin (SpotBugs? FindBugs?). Could you have a look at what is returned by <url-to-your-SQ-server>/api/plugins/installed and see if it is installed?

Vulnerabilities from this plugin are not supposed to be considered as taint vulnerabilities, they should not even appear in this view.

Could you try to enable verbose traces, make sure you update the binding (Settings > SonarLint > Project Settings > Update local storage) and share the logs with us, please?

I have Findbugs 4.2.0 which uses SpotBugs 4.7.1.

The rule related to the error is findsecbugs:CRLF_INJECTION_LOGS.

I enabled the logs and it seems nothing is written when the exception occurs. I’d prefer not to share them because it’s quite difficult to anonymize them (more than 10.000 rows to read).

I understand, and you could also send me a private message to make it more secure. Could you try to run the following query on your SQ and see if some rules from find-sec-bugs are returned, please?

<url-to-your-SQ-server>/api/rules/search?repositories=roslyn.sonaranalyzer.security.cs,javasecurity,jssecurity,phpsecurity,pythonsecurity,tssecurity&f=repo&s=key

By the way, are you using community edition of SonarQube or higher?

The result of the query is:

{"total":0,"p":1,"ps":100,"rules":[]}

I’m using SonarQube Community Edition.

We cache the server issues locally and it appears this cache might be corrupted. Could you share with me what is in your IDE System folder, in sonarlint/storage/XXXX/projects/YYYY/issues/backup.tar.gz? This could help me understand what happened.

As a workaround you could delete this file and go to Settings > Tools > SonarLint > Project Settings > Update local storage.

The only files I have are

I’ve erased all the content of “storage”, let it be re-created analyzing the class and using “Update local storage”, but nothing changed.