Excessive build output using ant sonar scanner

Using the Ant scanner ‘sonarqube-ant-task-2.6.0.1426.jar’ (with SonarQube 7.9.1).
When performing a build on Jenkins, the sonar scan shows excessive build output …

[sonar:sonar] Location:   15: istore[54](2) 4 in basic block 8
[sonar:sonar] After: +============================
[sonar:sonar] | /!\ Warning : The taint debugging is not fully activated.
[sonar:sonar] | [[ Stack ]]
[sonar:sonar] | Empty
[sonar:sonar] |============================
[sonar:sonar] | [[ Local variables ]]
[sonar:sonar] | null = U0[1] source={parameter[1]}
[sonar:sonar] | null = U1[0] source={parameter[0]}
[sonar:sonar] | null = U2 source={method[com/company/SomeClass.<init>()V]}
[sonar:sonar] | null = U3 source={method[com/company/OtherClass.getFoo() [Lcom/company/Bar;]}
[sonar:sonar] | null = U4
[sonar:sonar] | null = S5
[sonar:sonar] | null = U6
[sonar:sonar] | null = U7

There’s about 980,000 lines of similar-looking output, making our build log 130 MB. A lot seems repeated, sometimes with different classes and methods, with many Before and After sections, and sometimes with different Locations like:

[sonar:sonar] Location:   26: aload_0[42](1) in basic block 8
[sonar:sonar] Location:   27: invokespecial[183](3) 228 in basic block 10
[sonar:sonar] Location:   36: ldc[18](2) 131 in basic block 12

The scan completes and I see reasonable results in SonarQube, so I’m not sure if anything is wrong with the scan or wrong with our code. It just seems to bloat the build logs and makes it hard to find actual errors/warnings in the sonar scan output.

So,

  1. What does it mean?
  2. Is the “Warning : The taint debugging is not fully activated” for me, or for sonar scanner devs?
  3. How do I avoid this excess build output?

Our ant build.xml is essentially a copy of the sample

Hi,

Welcome to the community!

You haven’t by any chance turned on debug logging, have you?

And just to confirm, we’re talking about Java, right? And finally, are you using Community Edition or a commercial edition (I ask because that could impact what is logging so chattily)?

 
Ann

Hi Ann, thanks.

No, we have not explicitly turned any debugging on, and we are not calling ant with the -v argument.
Even adding properties to force it off for sonar does not help:

<property name="sonar.verbose" value="false" />
<property name="sonar.log.level" value="INFO" />

Yes it’s a Java project.
I have tried this with both community and developer editions, same results for both.
I can’t seem to find the “taint debugging” message in the ‘sonarqube’, ‘sonar-java’ or ‘sonar-scanner-ant’ repos on github. Any idea where else to look?

Hello @robertd,

This output doesn’t seem to be coming from SonarSource plugins. Do you have any 3rd-party plugins installed on your SQ instance?

Hi Tibor,

Yes, thanks, that appears to be a good lead. We have FindBugs plugin 3.11.1 installed.

Resorted to a github search which shows the warning is thrown by com/h3xstream/findsecbugs/taintanalysis/TaintFrame.java, and that com.h3xstream.findsecbugs is a dependency of https://github.com/spotbugs/sonar-findbugs (the FindBugs plugin).

Thanks for your help. I’ll do some more investigating and contact the appropriate maintainer.
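While the plugin maintainer sorts out the root cause, question 3 (how to keep the 130 MB of taint-frame dumps from burying real scanner warnings) can be handled on the Jenkins side by filtering the Ant output. The script below is an added example, not code from this thread or from the sonar-findbugs / find-sec-bugs projects. It recognises a taint-frame dump purely from the line shapes quoted in the first post (`Location:`, `Before:`/`After:` headers and the `|`-boxed stack/local-variable rows), drops those lines, and also counts how often each distinct `Location:` repeats so you can see the duplication that is inflating the log. The sample log embedded in it is constructed from the lines posted above plus two made-up non-noise lines; the regular expressions are an assumption based on that sample, not on the plugin's source.

```python
"""Strip find-sec-bugs taint-debug frame dumps from an Ant/Sonar build log.

Usage (e.g. in a Jenkins shell step, assumption: ant target is 'sonar'):
    ant sonar | python filter_taint_debug.py
"""
import re
import sys
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# A taint-frame dump, as quoted in the original post, consists of:
#   "[sonar:sonar] Location:   15: istore[54](2) 4 in basic block 8"
#   "[sonar:sonar] After: +====..."   (or "Before: +====...")
#   "[sonar:sonar] | ..."             (boxed stack / local-variable rows)
#   "[sonar:sonar] |====..."          (box separator)
# Pattern is an ASSUMPTION derived from those sample lines only.
FRAME_LINE = re.compile(r"^\[sonar:sonar\] (?:Location:\s+\d+:|Before:|After:|\|)")
LOCATION_LINE = re.compile(r"^\[sonar:sonar\] Location:\s+(.*\S)\s*$")

# Constructed sample log: the quoted lines plus two invented non-noise lines.
SAMPLE_LOG = """[sonar:sonar] Starting analysis (constructed line)
[sonar:sonar] Location:   15: istore[54](2) 4 in basic block 8
[sonar:sonar] After: +============================
[sonar:sonar] | /!\\ Warning : The taint debugging is not fully activated.
[sonar:sonar] | [[ Stack ]]
[sonar:sonar] | Empty
[sonar:sonar] |============================
[sonar:sonar] | [[ Local variables ]]
[sonar:sonar] | null = U0[1] source={parameter[1]}
[sonar:sonar] | null = U4
[sonar:sonar] Location:   26: aload_0[42](1) in basic block 8
[sonar:sonar] Location:   15: istore[54](2) 4 in basic block 8
[sonar:sonar] WARN: something worth keeping (constructed line)
"""


def is_taint_debug_line(line: str) -> bool:
    """True if the line belongs to a taint-frame dump (and can be dropped)."""
    return FRAME_LINE.match(line) is not None


def filter_taint_debug(lines: Iterable[str]) -> Tuple[List[str], int]:
    """Return (lines worth keeping, number of taint-debug lines dropped).

    Only lines matching the dump shape are removed; every other scanner
    message, including real errors and warnings, is passed through untouched.
    """
    kept: List[str] = []
    dropped = 0
    for line in lines:
        if is_taint_debug_line(line.rstrip("\n")):
            dropped += 1
        else:
            kept.append(line)
    return kept, dropped


def summarize_locations(lines: Iterable[str]) -> Dict[str, int]:
    """Count how many times each distinct 'Location:' entry appears.

    Useful for showing the maintainer which bytecode locations are being
    dumped repeatedly rather than attaching the whole 130 MB log.
    """
    counts: Counter = Counter()
    for line in lines:
        match = LOCATION_LINE.match(line.rstrip("\n"))
        if match:
            counts[match.group(1)] += 1
    return dict(counts)


def main() -> None:
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines(True)
    raw = list(source)
    kept, dropped = filter_taint_debug(raw)
    sys.stdout.writelines(kept)
    # Summary goes to stderr so it does not mix with the filtered log itself.
    sys.stderr.write(f"filtered {dropped} taint-debug line(s)\n")
    for location, count in sorted(summarize_locations(raw).items(),
                                  key=lambda item: -item[1]):
        sys.stderr.write(f"  {count:6d} x Location: {location}\n")


if __name__ == "__main__":
    main()
```

Run without stdin it filters the embedded sample (11 dump lines removed, 2 kept, with `15: istore[54](2) 4 in basic block 8` reported twice); piped after `ant`, it leaves the rest of the Sonar output intact. Because the match is anchored on the `[sonar:sonar]` prefix and the exact dump shapes, a genuine scanner warning that happens to mention a class or method name is not affected; if the plugin's output format changes, the two patterns are the only thing to adjust.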