How to scan existing code?

When establishing a new project, I realize that “The Sonar Way” only scans the new code. But that means that hotspots/issues in existing code are just ignored as a new baseline is established. So it seems like we just don’t know about those…

Is there any way to basically get everything scanned, but still establish the baseline so that only new changes are measured for the quality gate?

We are running Developer Edition Version 8.6.1 (build 40680)

Howdy Scott,

Great question, thanks for reaching out.

What you are describing is actually a major feature of SonarQube, but it may not be obvious before you really dive into the tool and start using it on established projects.

On your first scan, the entire project will be scanned for issues. This becomes your baseline for the next scans. As you scan, the older unresolved issues, code smells, etc. will continue to be collected and available in a “new code / overall code” view available from each project page. You can see that shown in the image below

This is really key to our Clean As You Code philosophy. We want developers to focus on only adding clean new code free of bugs and vulnerabilities without being bogged down in the mess of older technical debt.

However, the baseline view is obviously important and that’s provided in the Overall Code view. Kept neatly separated, this should help when planning how or if to tackle those existing issues.

Hope this helps. Please let me know if you have any more questions.
Aaron

Yea, that’s how I thought it would work, but I am not seeing that in at least one case. Let me explain…
So we have a number of teams sharing the same developer instance. We decided to change the project keys so it is easier for us to map projects with other artifacts we generate for each repo. In hindsight we could have done that differently such that the project key didn’t change.

So, we have a project that had one issue that was reviewed as safe. We then scanned the same code to the new project key, and it didn’t find that issue even on the “Overall Code” tab. I did check and the offending code is still there. See this specifically, the top one is the current project, bottom one is the old project. They are scanning the same code:

Any ideas? This is a pretty significant problem for us if we are not getting evaluation of any existing code.


Does it somehow know that the old project (same code base, but different project key) exists and is somehow linked to that?

Hi @Scott_Chapman ,

What was this issue? Do you have a screenshot of the issue raised?
Because I see here that the Hotspots are reviewed in the first case, which means that you “fixed” an issue there… Maybe before scanning the project which appears first on your screenshot?

Carine

Thanks for the response. Let me try to explain again…
So we had a project that was being scanned, and there was an issue found that we reviewed as safe. This is what that looks like:

Now we ended up having to change the way we generate the project key, so that resulted in the same code getting scanned into a new project. However, that project never identified the same issue found previously:

The code that triggered the issue originally is still there. So why are we not seeing that issue identified in the “Overall” tab? It looks like we are only getting new code analyzed.

For context, we are running current Dev edition, and are using “Previous Version” in the new code settings (though we are not currently setting the version yet).

Hello @Scott_Chapman ,

Can you verify that both projects (“InfoHub:infohub-common-rest” and “infohub-common-rest”) contain the same code with same file/folder exclusions/inclusions? Based on the screenshot you showed, the former project contains 1.2K Lines of Java and the latter project contains 972 Lines of Java and XML. Obviously, the 2 projects contain different sets of files being scanned. Coverage and Duplications scanned are not matching either.

Please verify the following:

  1. Make sure each project is scanning the same Quality Profile (Click on the “Project Information” link on the far right). Example:

  2. Both Sonar scans of each project have the same number of files/folders scanned:

    • check the command line call to scan the project for any analysis parameters set there
    • in the sonar-project.properties file
    • in the UI (project dashboard > Project Settings > General Settings > Analysis Scope)
  3. “So we have a number of teams sharing the same developer instance.”

    • Be sure no one else is scanning over the project to override someone else.
  4. Please show the scanner context of the last scan activity from project dashboard > Project Settings > Background Tasks > click on :gear: icon on far right of the last scan. Compare both (one from “InfoHub:infohub-common-rest” and “infohub-common-rest”).

    Example:

Joe
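Joe’s checklist above compares the two projects by hand in the UI. As an added example that is not part of the thread and not SonarSource’s code, the following shell script does the same comparison for Security Hotspots through the Web API, so a re-keyed project can be checked against the old key: it fetches GET api/hotspots/search for each project key (the SonarQube 8.x endpoint; first page of up to 500 hotspots), normalises every hotspot to rule key, file and line with the project-key prefix removed, and prints what only one side reports. The host URL is a placeholder, SONAR_TOKEN is assumed to come from the environment (a user token with Browse permission on both projects), curl and jq are assumed to be installed, and the sample lists used by the demo mode are constructed, not real scan output.

```shell
#!/bin/sh
# Added example, not code from the thread or from SonarSource.
# Lists the Security Hotspots two project keys report on Overall Code through
# GET api/hotspots/search (SonarQube 8.x Web API) and prints the difference.
# Needs curl and jq; SONAR_TOKEN (a user token with Browse permission on both
# projects) is read from the environment, never written into the script.
set -eu
export LC_ALL=C   # byte-order sort, so comm sees consistently sorted input

SONAR_HOST_URL="${SONAR_HOST_URL:-https://sonarqube.example.com}"   # placeholder host

# Normalise a hotspots/search JSON response on stdin to sorted
# "ruleKey<TAB>file<TAB>line" lines. The "<projectKey>:" prefix is stripped
# from the component key so that old and new keys compare on file path only.
hotspot_lines() {   # $1 = project key
  jq -r --arg key "$1" \
    '.hotspots[] | [.ruleKey, (.component | ltrimstr($key + ":")), (.line | tostring)] | @tsv' \
  | sort
}

# First page (ps=500 is the API maximum) of hotspots for one project key;
# add paging on .paging.total for projects with more hotspots than that.
fetch_hotspots() {  # $1 = project key
  curl -fsS -u "${SONAR_TOKEN}:" \
    "${SONAR_HOST_URL}/api/hotspots/search?projectKey=$1&ps=500" \
  | hotspot_lines "$1"
}

# Given two sorted list files, print hotspots only the first reports ("- ")
# and only the second reports ("+ "). Empty output means the lists match.
diff_hotspot_lists() {  # $1 = old list file, $2 = new list file
  comm -23 "$1" "$2" | sed 's/^/- /'
  comm -13 "$1" "$2" | sed 's/^/+ /'
}

# Constructed sample lists (not real scan output) for an offline dry run:
# the old key reports the CSRF hotspot (java:S4502), the new key does not,
# but reports a CORS hotspot (java:S5122) instead.
sample_old() {
  printf 'java:S2092\tsrc/main/java/com/example/CookieUtil.java\t12\n'
  printf 'java:S4502\tsrc/main/java/com/example/WebSecurityConfig.java\t40\n'
}
sample_new() {
  printf 'java:S2092\tsrc/main/java/com/example/CookieUtil.java\t12\n'
  printf 'java:S5122\tsrc/main/java/com/example/CorsConfig.java\t20\n'
}

# Usage: SONAR_TOKEN=... sh hotspot-diff.sh <old-project-key> <new-project-key>
#        sh hotspot-diff.sh demo        (runs on the constructed sample lists)
case "${1:-}" in
  "") ;;   # no arguments: only define the functions
  *)
    old=$(mktemp); new=$(mktemp)
    trap 'rm -f "$old" "$new"' EXIT
    if [ "$1" = demo ]; then
      sample_old | sort > "$old"; sample_new | sort > "$new"
    else
      fetch_hotspots "$1" > "$old"
      fetch_hotspots "${2:?new project key required}" > "$new"
    fi
    diff_hotspot_lists "$old" "$new"
    ;;
esac
```

Run it once against the old key and the new key right after a scan of each; any “-” line is a hotspot the re-keyed project no longer reports, which is exactly the symptom described in this thread, and the rule key tells you which analyzer to look at.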

Thanks. I have confirmed they both have analyzed the same file. The new project has more files being scanned. Here is the old project (which identified the issue that we’ve reviewed as safe):


And the new project:

They are both using the “Sonar Way” profiles

I can see project settings for the old project, but there is no similar pulldown for the old one?

FWIW the issue it found was “Make sure disabling Spring Security’s CSRF protection is safe here” Priority is HIGH

Hi @Scott_Chapman ,

It looks like you don’t have Administer permissions for the “InfoHub:infohub-common-rest” project. You should talk to the project owner/administrator of that project and confirm that permissions for your user are set correctly.

If you are an Admin, you can restore Admin access by going to Administration > Projects > Management > search for your project > go to the far right and click on the :gear: icon and click on “Restore Access”. Then go back and check if you can see “Project Settings” drop-down menu.

Please show the scanner context from both of those projects once you are able to get to the Background Tasks page.

Joe

Thanks, I did have to restore the old project. Once I did I could get to the background task history, but none of them have context any more. The context for the new one’s last scan is:

SonarQube plugins:
  - Cobertura 2.0 (cobertura)
  - CSS Code Quality and Security 1.3.1.1642 (cssfamily)
  - PL/SQL Code Quality and Security 3.5.0.3437 (plsql)
  - Scala Code Quality and Security 1.8.1.1804 (sonarscala)
  - C# Code Quality and Security 8.15.0.24505 (csharp)
  - Vulnerability Analysis 8.6.0.6438 (security)
  - Java Code Quality and Security 6.9.0.23563 (java)
  - HTML Code Quality and Security 3.3.0.2534 (web)
  - Flex Code Quality and Security 2.6.0.2294 (flex)
  - SonarXML 2.0.1.2020 (xml)
  - SonarTS 2.1.0.4359 (typescript)
  - VB.NET Code Quality and Security 8.15.0.24505 (vbnet)
  - Swift Code Quality and Security 4.3.0.4687 (swift)
  - YAML Analyzer 1.5.2 (yaml)
  - Dependency-Check 2.0.6 (dependencycheck)
  - CFamily Code Quality and Security 6.15.1.26715 (cpp)
  - Python Code Quality and Security 3.1.0.7619 (python)
  - Go Code Quality and Security 1.8.1.1804 (go)
  - JaCoCo 1.1.0.898 (jacoco)
  - Kotlin Code Quality and Security 1.8.1.1804 (kotlin)
  - ShellCheck Analyzer 2.4.0 (shellcheck)
  - T-SQL Code Quality and Security 1.5.0.3958 (tsql)
  - JavaScript/TypeScript Code Quality and Security 7.0.1.14561 (javascript)
  - Ruby Code Quality and Security 1.8.1.1804 (ruby)
  - Vulnerability Rules for C# 8.6.0.6438 (securitycsharpfrontend)
  - Vulnerability Rules for Java 8.6.0.6438 (securityjavafrontend)
  - License for SonarLint 8.6.1.40680 (license)
  - Findbugs 4.0.2 (findbugs)
  - Vulnerability Rules for JS 8.6.0.6438 (securityjsfrontend)
  - Groovy 1.6 (groovy)
  - Vulnerability Rules for Python 8.6.0.6438 (securitypythonfrontend)
  - PHP Code Quality and Security 3.13.0.6849 (php)
  - ABAP Code Quality and Security 3.9.0.2739 (abap)
  - Vulnerability Rules for PHP 8.6.0.6438 (securityphpfrontend)
Global server settings:
  - sonar.auth.github.allowUsersToSignUp=true
  - sonar.auth.github.apiUrl=https://github.ibm.com/api/v3
  - sonar.auth.github.clientId.secured=******
  - sonar.auth.github.clientSecret.secured=******
  - sonar.auth.github.enabled=true
  - sonar.auth.github.groupsSync=true
  - sonar.auth.github.webUrl=https://github.ibm.com/
  - sonar.core.id=0059F715-AXLinZEg4C5XeTfkK1C_
  - sonar.core.serverBaseURL=https://sonarqube.core.eu.supply-chain.ibm.com
  - sonar.core.startTime=2021-02-11T13:42:04+0000
  - sonar.dbcleaner.branchesToKeepWhenInactive=master,develop,trunk,master-p2
  - sonar.forceAuthentication=true
Project server settings:
Project scanner properties:
  - sonar.coverage.jacoco.xmlReportPaths=**/jacoco.xml
  - sonar.dependencyCheck.htmlReportPath=./dependency-check-report.html
  - sonar.dependencyCheck.jsonReportPath=./dependency-check-report.json
  - sonar.dependencyCheck.xmlReportPath=./dependency-check-report.xml
  - sonar.host.url=https://sonarqube.core.eu.supply-chain.ibm.com
  - sonar.java.binaries=**target/classes
  - sonar.login=******
  - sonar.projectBaseDir=/home/jenkins/agent/workspace/foHub_infohub-common-rest_master
  - sonar.projectKey=InfoHub:infohub-common-rest
  - sonar.projectName=InfoHub:infohub-common-rest
  - sonar.scanner.app=ScannerCLI
  - sonar.scanner.appVersion=4.6.0.2311
  - sonar.sourceEncoding=UTF-8
  - sonar.sources=,./src/main/java
  - sonar.tests=,./src/test/java
  - sonar.working.directory=/home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork

Awesome, glad that worked for you, @Scott_Chapman . Looking at the “InfoHub:infohub-common-rest” project, there are some weird things happening here:

You need to correct this. There should be no need to set either of these parameters if you use the Sonar Scanner for Maven or Gradle scanners for your Java project. It looks like you are using the SonarScannerCLI with Jenkins. Those parameters should not be set manually, if possible. How are you invoking the scanner for these projects?

If you have a Java project, is it Maven or Gradle? If either Maven or Gradle, you should be using the Sonar Scanner for Maven or Sonar Scanner for Gradle. Please review our documentation on how to use it. Here are several sample apps you can scan to test it: sonar-scanning-examples

For the other project “infohub-common-rest”, you need to rescan it and then compare the scanner context with the other project and make sure they are matching.

Joe

What exactly is the issue with ,./src/main/java? The sonar.sources property is a comma-separated path. It does look like the code is getting scanned (it found code smells in the file that contains the issue). It just didn’t find the issue!

Looking at the invocation of the CLI, we don’t seem to be doing anything more than specifying sources/tests paths, host URL, project name & key, source encoding of UTF-8, java binaries, and then paths to coverage and OWASP dependency check reports

Oh! looking at the output of the command run in Jenkins, we are getting an error:

INFO: Loading findbugs plugin: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork/findbugs/findsecbugs-plugin.jar
INFO: Findbugs output report: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork/findbugs-result.xml
The following errors occurred during analysis:
 Exception analyzing com.ibm.wsc.infohub.CorsBeanConfig$1 using detector com.h3xstream.findsecbugs.spring.CorsRegistryCORSDetector
   java.lang.NullPointerException
     At com.h3xstream.findsecbugs.spring.CorsRegistryCORSDetector.getStringArray(CorsRegistryCORSDetector.java:63)
     At com.h3xstream.findsecbugs.spring.CorsRegistryCORSDetector.sawOpcode(CorsRegistryCORSDetector.java:48)
     At edu.umd.cs.findbugs.visitclass.DismantleBytecode.visit(DismantleBytecode.java:878)
     At edu.umd.cs.findbugs.visitclass.BetterVisitor.visitCode(BetterVisitor.java:218)
     At edu.umd.cs.findbugs.visitclass.PreorderVisitor.visitCode(PreorderVisitor.java:243)
     At edu.umd.cs.findbugs.bcel.OpcodeStackDetector.visitCode(OpcodeStackDetector.java:65)
     At org.apache.bcel.classfile.Code.accept(Code.java:131)
     At edu.umd.cs.findbugs.visitclass.PreorderVisitor.doVisitMethod(PreorderVisitor.java:315)
     At edu.umd.cs.findbugs.visitclass.PreorderVisitor.visitJavaClass(PreorderVisitor.java:397)
     At org.apache.bcel.classfile.JavaClass.accept(JavaClass.java:213)
     At edu.umd.cs.findbugs.BytecodeScanningDetector.visitClassContext(BytecodeScanningDetector.java:38)
     At edu.umd.cs.findbugs.DetectorToDetector2Adapter.visitClass(DetectorToDetector2Adapter.java:76)
     At edu.umd.cs.findbugs.FindBugs2.lambda$analyzeApplication$1(FindBugs2.java:1108)
     At java.base/java.util.concurrent.FutureTask.run(Unknown Source)
     At edu.umd.cs.findbugs.CurrentThreadExecutorService.execute(CurrentThreadExecutorService.java:86)
     At java.base/java.util.concurrent.AbstractExecutorService.invokeAll(Unknown Source)
     At edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1118)
     At edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:309)
     At org.sonar.plugins.findbugs.FindbugsExecutor$FindbugsTask.call(FindbugsExecutor.java:235)
     At java.base/java.util.concurrent.FutureTask.run(Unknown Source)
     At java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
     At java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
     At java.base/java.lang.Thread.run(Unknown Source)
The following classes needed for analysis were missing:
 org.springframework.web.servlet.config.annotation.WebMvcConfigurer
 org.springframework.boot.web.servlet.error.ErrorController
 org.springframework.web.servlet.mvc.method.annotation.ResponseEntityExceptionHandler
 com.fasterxml.jackson.core.type.TypeReference

…and a lot of libs after that

Try disabling/uninstalling the findbugs plugin and try again. Then compare the results with your other project and see if they are the same.

If you can’t find the difference, please attach the debug logs.

Not a major issue, but you shouldn’t have to specify this parameter yourself. The SonarScanner for Maven/Gradle will automatically handle setting that parameter. You are correct that comma-separated isn’t the issue, but setting it manually like that implies that other parameters could be set incorrectly too.

Make sure that both projects are using the same analysis parameters; then they should both be the same.
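Joe’s advice above is to let the SonarScanner for Maven set the Java analysis parameters instead of passing sonar.sources and sonar.java.binaries to the CLI by hand. As an added example that is not part of the thread and not the project’s own pipeline, here is a Jenkins shell step written that way, with a CLI fallback for teams that cannot switch. The Maven scanner reads sonar.sources, sonar.tests, sonar.java.binaries, sonar.java.libraries and sonar.projectVersion from the POM; the CLI fallback sets them itself, including sonar.java.libraries, which is the dependency bytecode the Java analyzer asks for in the “Bytecode of dependencies was not provided” warning in the Jenkins output further down, after copying the dependencies with the Maven dependency plugin. It also sets sonar.projectVersion, because the “Previous Version” new code definition mentioned earlier only moves the baseline when that value changes. The host URL and PROJECT_VERSION are placeholders, the project key is the one from the thread, and SONAR_TOKEN is assumed to come from the Jenkins credential store.

```shell
#!/bin/sh
# Added example, not the project's own pipeline. Jenkins "sh" step for a Maven
# project: the SonarScanner for Maven derives sonar.sources, sonar.tests,
# sonar.java.binaries, sonar.java.libraries and sonar.projectVersion from the
# POM, so only the server, project key and token are passed to it.
set -eu

SONAR_HOST_URL="${SONAR_HOST_URL:-https://sonarqube.example.com}"        # placeholder
SONAR_PROJECT_KEY="${SONAR_PROJECT_KEY:-InfoHub:infohub-common-rest}"    # key from the thread
PROJECT_VERSION="${PROJECT_VERSION:-1.0.0}"                              # placeholder

# Arguments for the Maven scanner: nothing that describes the code layout.
maven_scanner_args() {
  printf '%s\n' \
    "-Dsonar.host.url=${SONAR_HOST_URL}" \
    "-Dsonar.projectKey=${SONAR_PROJECT_KEY}" \
    "-Dsonar.projectName=${SONAR_PROJECT_KEY}"
}

# sonar-project.properties for a team that must stay on the CLI. The layout is
# spelled out, the dependency jars copied by the Maven dependency plugin are
# handed to the Java analyzer through sonar.java.libraries, and the version is
# set explicitly because the "Previous Version" new code definition only moves
# the baseline when it changes.
cli_properties() {
  cat <<EOF
sonar.host.url=${SONAR_HOST_URL}
sonar.projectKey=${SONAR_PROJECT_KEY}
sonar.projectName=${SONAR_PROJECT_KEY}
sonar.projectVersion=${PROJECT_VERSION}
sonar.sourceEncoding=UTF-8
sonar.sources=src/main/java
sonar.tests=src/test/java
sonar.java.binaries=target/classes
sonar.java.test.binaries=target/test-classes
sonar.java.libraries=target/dependency/*.jar
sonar.java.test.libraries=target/dependency/*.jar
sonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml
EOF
}

# Reject a comma-separated path list that has an empty entry, such as the
# leading comma in ",./src/main/java" from the scanner context above.
check_path_list() {
  case ",$1," in
    *,,*) return 1 ;;
  esac
}

run_maven_scan() {
  # SONAR_TOKEN is expected from the Jenkins credential store, not from the
  # job definition; it is the only secret the step touches.
  mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
    $(maven_scanner_args) "-Dsonar.login=${SONAR_TOKEN}"
}

run_cli_scan() {
  check_path_list src/main/java
  mvn -B verify dependency:copy-dependencies -DoutputDirectory=target/dependency
  cli_properties > sonar-project.properties
  sonar-scanner "-Dsonar.login=${SONAR_TOKEN}"
}

# Usage: sh sonar-scan.sh maven   or   sh sonar-scan.sh cli
case "${1:-}" in
  maven) run_maven_scan ;;
  cli)   run_cli_scan ;;
esac
```

After switching, compare the scanner context of the next Background Task with the one posted above: the Maven run should show sonar.java.libraries populated and the “Bytecode of dependencies was not provided” warning gone from the Jenkins output.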

I can do all that, but it feels like it is unrelated to the issue. I think the findbugs failure might be legit in that we are missing a necessary library for it to be able to do that work (one of the missing libraries is what the hotspot extended). But I don’t think it was findbugs that was identifying the hotspot. It will be a little while before I can try to resurrect the scan of the old build, and unfortunately I can’t get any historical info from it.

One thing I can tell is that we did change some things about how we scan; for example the old projects were using the maven plugin, and the new projects are all using the CLI. And I see the same pattern with all the projects that had hotspots prior to making that change (none of the new projects found them yet the code appears to be getting scanned).

I can capture more details about how we ran the CLI and the output if that helps.

+ export 'SONAR_SCANNER_OPTS=-Xmx1024m -Dsonar.sources=,./src/main/java -Dsonar.host.url=https://sonarqube.core.eu.supply-chain.ibm.com -Dsonar.projectName=InfoHub:infohub-common-rest -Dsonar.projectKey=InfoHub:infohub-common-rest -Dsonar.sourceEncoding=UTF-8 -Dsonar.tests=,./src/test/java -Dsonar.coverage.jacoco.xmlReportPaths=**/jacoco.xml -Dsonar.java.binaries=**target/classes -Dsonar.dependencyCheck.htmlReportPath=./dependency-check-report.html -Dsonar.dependencyCheck.jsonReportPath=./dependency-check-report.json -Dsonar.dependencyCheck.xmlReportPath=./dependency-check-report.xml'
+ SONAR_SCANNER_OPTS='-Xmx1024m -Dsonar.sources=,./src/main/java -Dsonar.host.url=https://sonarqube.core.eu.supply-chain.ibm.com -Dsonar.projectName=InfoHub:infohub-common-rest -Dsonar.projectKey=InfoHub:infohub-common-rest -Dsonar.sourceEncoding=UTF-8 -Dsonar.tests=,./src/test/java -Dsonar.coverage.jacoco.xmlReportPaths=**/jacoco.xml -Dsonar.java.binaries=**target/classes -Dsonar.dependencyCheck.htmlReportPath=./dependency-check-report.html -Dsonar.dependencyCheck.jsonReportPath=./dependency-check-report.json -Dsonar.dependencyCheck.xmlReportPath=./dependency-check-report.xml'
+ /usr/local/sonar-scanner/bin/sonar-scanner
INFO: Scanner configuration file: /opt/sonar-scanner-4.6.0.2311-linux/conf/sonar-scanner.properties
INFO: Project root configuration file: NONE
INFO: SonarScanner 4.6.0.2311
INFO: Java 11.0.3 AdoptOpenJDK (64-bit)
INFO: Linux 4.15.0-122-generic amd64
INFO: SONAR_SCANNER_OPTS=-Xmx1024m -Dsonar.sources=,./src/main/java -Dsonar.host.url=https://sonarqube.core.eu.supply-chain.ibm.com -Dsonar.projectName=InfoHub:infohub-common-rest -Dsonar.projectKey=InfoHub:infohub-common-rest -Dsonar.sourceEncoding=UTF-8 -Dsonar.tests=,./src/test/java -Dsonar.coverage.jacoco.xmlReportPaths=**/jacoco.xml -Dsonar.java.binaries=**target/classes -Dsonar.dependencyCheck.htmlReportPath=./dependency-check-report.html -Dsonar.dependencyCheck.jsonReportPath=./dependency-check-report.json -Dsonar.dependencyCheck.xmlReportPath=./dependency-check-report.xml
INFO: User cache: /home/jenkins/.sonar/cache
INFO: Scanner configuration file: /opt/sonar-scanner-4.6.0.2311-linux/conf/sonar-scanner.properties
INFO: Project root configuration file: NONE
INFO: Analyzing on SonarQube server 8.6.1
INFO: Default locale: "en_US", source code encoding: "UTF-8"
INFO: Load global settings
INFO: Load global settings (done) | time=543ms
INFO: Server id: <ID>
INFO: User cache: /home/jenkins/.sonar/cache
INFO: Load/download plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=327ms
INFO: Load/download plugins (done) | time=27402ms
INFO: Loaded core extensions: developer-scanner
INFO: JavaScript/TypeScript frontend is enabled
INFO: Process project properties
INFO: Process project properties (done) | time=15ms
INFO: Execute project builders
INFO: Execute project builders (done) | time=2ms
INFO: Project key: InfoHub:infohub-common-rest
INFO: Base dir: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master
INFO: Working dir: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork
INFO: Load project settings for component key: 'InfoHub:infohub-common-rest'
INFO: Load project settings for component key: 'InfoHub:infohub-common-rest' (done) | time=340ms
INFO: Load project branches
INFO: Load project branches (done) | time=295ms
INFO: Load project pull requests
INFO: Load project pull requests (done) | time=268ms
INFO: Load branch configuration
INFO: Detected branch/PR in 'Jenkins'
INFO: Auto-configuring branch 'master'
INFO: Load branch configuration (done) | time=3ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=354ms
INFO: Auto-configuring with CI 'Jenkins'
INFO: Load active rules
INFO: Load active rules (done) | time=9943ms
INFO: Branch name: master
INFO: Indexing files...
INFO: Project configuration:
INFO: 49 files indexed
INFO: 0 files ignored because of scm ignore settings
INFO: Quality profile for java: Sonar way
INFO: ------------- Run sensors on module InfoHub:infohub-common-rest
INFO: JavaScript/TypeScript frontend is enabled
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=326ms
INFO: Sensor JavaSquidSensor [java]
INFO: Configured Java source version (sonar.java.source): none
INFO: JavaClasspath initialization
WARN: Bytecode of dependencies was not provided for analysis of source files, you might end up with less precise results. Bytecode can be provided using sonar.java.libraries property.
INFO: JavaClasspath initialization (done) | time=45ms
INFO: JavaTestClasspath initialization
WARN: Bytecode of dependencies was not provided for analysis of test files, you might end up with less precise results. Bytecode can be provided using sonar.java.test.libraries property.
INFO: JavaTestClasspath initialization (done) | time=0ms
INFO: Java Main Files AST scan
INFO: 34 source files to be analyzed
INFO: Load project repositories
INFO: Load project repositories (done) | time=379ms
INFO: 34/34 source files have been analyzed
INFO: Java Main Files AST scan (done) | time=6579ms
INFO: Java Test Files AST scan
INFO: 15 source files to be analyzed
INFO: Java Test Files AST scan (done) | time=532ms
INFO: Java Generated Files AST scan
INFO: 0 source files to be analyzed
INFO: Java Generated Files AST scan (done) | time=1ms
INFO: Sensor JavaSquidSensor [java] (done) | time=7498ms
INFO: Sensor CoberturaSensor [cobertura]
WARN: Cobertura report not found at /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/target/site/cobertura/coverage.xml
INFO: Sensor CoberturaSensor [cobertura] (done) | time=0ms
INFO: Sensor CSS Rules [cssfamily]
INFO: 15/15 source files have been analyzed
INFO: 0/0 source files have been analyzed
INFO: No CSS, PHP, HTML or VueJS files are found in the project. CSS analysis is skipped.
INFO: Sensor CSS Rules [cssfamily] (done) | time=1ms
INFO: Sensor C# Properties [csharp]
INFO: Sensor C# Properties [csharp] (done) | time=2ms
INFO: Sensor SurefireSensor [java]
INFO: parsing [/home/jenkins/agent/workspace/foHub_infohub-common-rest_master/target/surefire-reports]
INFO: Sensor SurefireSensor [java] (done) | time=123ms
INFO: Sensor JavaXmlSensor [java]
INFO: Sensor JavaXmlSensor [java] (done) | time=2ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=4ms
INFO: Sensor VB.NET Properties [vbnet]
INFO: Sensor VB.NET Properties [vbnet] (done) | time=5ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: Importing 1 report(s). Turn your logs in debug mode in order to see the exhaustive list.
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=68ms
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend]
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend] (done) | time=1ms
INFO: Sensor FindBugs Sensor [findbugs]
INFO: Loading findbugs plugin: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork/findbugs/findsecbugs-plugin.jar
INFO: Findbugs output report: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork/findbugs-result.xml
The following errors occurred during analysis:
 Exception analyzing com.ibm.wsc.infohub.CorsBeanConfig$1 using detector com.h3xstream.findsecbugs.spring.CorsRegistryCORSDetector
   java.lang.NullPointerException
     At com.h3xstream.findsecbugs.spring.CorsRegistryCORSDetector.getStringArray(CorsRegistryCORSDetector.java:63)
     At com.h3xstream.findsecbugs.spring.CorsRegistryCORSDetector.sawOpcode(CorsRegistryCORSDetector.java:48)
     At edu.umd.cs.findbugs.visitclass.DismantleBytecode.visit(DismantleBytecode.java:878)
     At edu.umd.cs.findbugs.visitclass.BetterVisitor.visitCode(BetterVisitor.java:218)
     At edu.umd.cs.findbugs.visitclass.PreorderVisitor.visitCode(PreorderVisitor.java:243)
     At edu.umd.cs.findbugs.bcel.OpcodeStackDetector.visitCode(OpcodeStackDetector.java:65)
     At org.apache.bcel.classfile.Code.accept(Code.java:131)
     At edu.umd.cs.findbugs.visitclass.PreorderVisitor.doVisitMethod(PreorderVisitor.java:315)
     At edu.umd.cs.findbugs.visitclass.PreorderVisitor.visitJavaClass(PreorderVisitor.java:397)
     At org.apache.bcel.classfile.JavaClass.accept(JavaClass.java:213)
     At edu.umd.cs.findbugs.BytecodeScanningDetector.visitClassContext(BytecodeScanningDetector.java:38)
     At edu.umd.cs.findbugs.DetectorToDetector2Adapter.visitClass(DetectorToDetector2Adapter.java:76)
     At edu.umd.cs.findbugs.FindBugs2.lambda$analyzeApplication$1(FindBugs2.java:1108)
     At java.base/java.util.concurrent.FutureTask.run(Unknown Source)
     At edu.umd.cs.findbugs.CurrentThreadExecutorService.execute(CurrentThreadExecutorService.java:86)
     At java.base/java.util.concurrent.AbstractExecutorService.invokeAll(Unknown Source)
     At edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1118)
     At edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:309)
     At org.sonar.plugins.findbugs.FindbugsExecutor$FindbugsTask.call(FindbugsExecutor.java:235)
     At java.base/java.util.concurrent.FutureTask.run(Unknown Source)
     At java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
     At java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
     At java.base/java.lang.Thread.run(Unknown Source)
The following classes needed for analysis were missing:
 org.springframework.web.servlet.config.annotation.WebMvcConfigurer
 org.springframework.boot.web.servlet.error.ErrorController
 org.springframework.web.servlet.mvc.method.annotation.ResponseEntityExceptionHandler
 com.fasterxml.jackson.core.type.TypeReference
 org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
 org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
 org.springframework.security.core.AuthenticationException
 com.ibm.wsc.infohub.common.elasticsearch.dao.ESCRUDDao
 org.elasticsearch.search.fetch.subphase.FetchSourceContext
 javax.ws.rs.core.Response$Status
 com.ibm.wsc.infohub.i18n.Message
 com.ibm.wsc.infohub.model.TenantType
 org.springframework.security.core.GrantedAuthority
 com.ibm.wsc.infohub.darklaunch.InfoHubDarklaunch
 org.springframework.security.access.AccessDeniedException
 org.springframework.security.core.context.SecurityContextHolder
 org.springframework.security.core.context.SecurityContext
 org.springframework.security.core.Authentication
 org.jose4j.jwk.HttpsJwks
 org.jose4j.keys.resolvers.VerificationKeyResolver
 org.jose4j.jwa.AlgorithmConstraints$ConstraintType
 org.slf4j.Logger
 com.ibm.wsc.infohub.config.ConfigFacade
 com.fasterxml.jackson.databind.ObjectMapper
 org.apache.commons.validator.routines.UrlValidator
 org.jose4j.http.Get
 org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver
 org.jose4j.jwk.JsonWebKeySet
 org.jose4j.keys.resolvers.JwksVerificationKeyResolver
 org.jose4j.jwt.JwtClaims
 org.springframework.security.core.authority.SimpleGrantedAuthority
 org.springframework.security.core.userdetails.User
 org.jose4j.jwt.consumer.JwtConsumer
 org.jose4j.jwt.consumer.InvalidJwtException
 org.jose4j.jwt.consumer.JwtConsumerBuilder
 org.slf4j.LoggerFactory
 io.swagger.v3.oas.models.OpenAPI
 io.swagger.v3.core.util.Yaml
 com.github.mustachejava.DefaultMustacheFactory
 com.github.mustachejava.MustacheFactory
 com.github.mustachejava.Mustache
 org.springframework.http.HttpStatus
 org.springframework.web.bind.MethodArgumentNotValidException
 org.springframework.http.HttpHeaders
 org.springframework.web.context.request.WebRequest
 org.springframework.validation.FieldError
 org.springframework.validation.BindingResult
 com.ibm.wsc.infohub.json.JSONObject
 org.springframework.http.ResponseEntity
 com.ibm.wsc.infohub.security.provider.SCIUtil
 com.ibm.wsc.infohub.security.provider.SCIPBEWrapper
 com.ibm.wsc.infohub.security.CryptoException
 org.springframework.security.web.util.matcher.RequestMatcher
 com.google.common.base.Supplier
 javax.servlet.http.HttpServletRequest
 javax.servlet.http.HttpServletResponse
 javax.servlet.FilterChain
 org.springframework.security.web.util.matcher.AntPathRequestMatcher
 org.springframework.security.web.util.matcher.OrRequestMatcher
 org.springframework.security.web.util.matcher.NegatedRequestMatcher
 com.google.common.base.Suppliers
 org.springframework.security.core.userdetails.UserDetails
 org.springframework.security.authentication.UsernamePasswordAuthenticationToken
 org.springframework.security.web.authentication.WebAuthenticationDetailsSource
 org.json.JSONObject
 org.springframework.web.servlet.config.annotation.CorsRegistry
 org.springframework.web.servlet.config.annotation.CorsRegistration
 com.ibm.wsc.infohub.util.PropertyUtil
 org.apache.commons.lang3.ArrayUtils
 org.apache.commons.lang3.StringUtils
 org.springframework.web.bind.MissingServletRequestParameterException
 javax.servlet.Filter
 org.springframework.security.web.access.AccessDeniedHandler
 org.springframework.security.web.AuthenticationEntryPoint
 org.springframework.security.config.http.SessionCreationPolicy
 org.springframework.security.config.annotation.web.builders.HttpSecurity
 org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
 org.springframework.security.config.annotation.web.builders.WebSecurity
 org.springframework.security.config.annotation.SecurityBuilder
 org.springframework.security.config.annotation.web.configurers.CsrfConfigurer
 org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer
 org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer
 org.springframework.security.config.annotation.web.builders.WebSecurity$IgnoredRequestConfigurer
 springfox.documentation.spi.DocumentationType
 springfox.documentation.service.ApiInfo
 springfox.documentation.spring.web.plugins.Docket
 springfox.documentation.builders.RequestHandlerSelectors
 springfox.documentation.spring.web.plugins.ApiSelectorBuilder
 springfox.documentation.builders.PathSelectors
 springfox.documentation.swagger.web.UiConfigurationBuilder
 org.apache.commons.collections4.map.LRUMap
 apply
 org.jose4j.lang.JoseException
 org.jose4j.http.SimpleGet
 org.jose4j.jws.AlgorithmIdentifiers
 org.jose4j.jwa.AlgorithmConstraints
 org.springframework.security.config.annotation.web.HttpSecurityBuilder
 handle
 commence
 org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
 javax.servlet.ServletException
 com.ibm.wsc.infohub.constant.ElasticSearchConstant
 com.ibm.wsc.infohub.i18n.CryptoMessages
 com.ibm.wsc.infohub.security.provider.SCIProviderException
 io.swagger.v3.oas.models.Components
 io.swagger.v3.oas.models.ExternalDocumentation
 io.swagger.v3.oas.models.info.Info
 io.swagger.v3.oas.models.Paths
 customise
 org.springdoc.core.customizers.OpenApiCustomiser
 test
 javax.ws.rs.core.Response
 get

INFO: Sensor FindBugs Sensor [findbugs] (done) | time=7959ms
INFO: Sensor JavaSecuritySensor [security]
INFO: Reading type hierarchy from: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork/ucfg2/java
INFO: Read 75 type definitions
INFO: Reading UCFGs from: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork/ucfg2/java
INFO: 21:49:33.366288 Building Runtime Type propagation graph
INFO: 21:49:33.376572 Running Tarjan on 100 nodes
INFO: 21:49:33.385305 Tarjan found 94 components
INFO: 21:49:33.404889 Variable type analysis: done
INFO: 21:49:33.408954 Building Runtime Type propagation graph
INFO: 21:49:33.413637 Running Tarjan on 100 nodes
INFO: 21:49:33.414368 Tarjan found 94 components
INFO: 21:49:33.415113 Variable type analysis: done
INFO: Analyzing 47 ucfgs to detect vulnerabilities.
INFO: All rules entrypoints : 0 Retained UCFGs : 0
INFO: rule: S5131, entrypoints: 0
INFO: rule: S5131 done
INFO: rule: S3649, entrypoints: 0
INFO: rule: S3649 done
INFO: rule: S2076, entrypoints: 0
INFO: rule: S2076 done
INFO: rule: S2091, entrypoints: 0
INFO: rule: S2091 done
INFO: rule: S2078, entrypoints: 0
INFO: rule: S2078 done
INFO: rule: S2631, entrypoints: 0
INFO: rule: S2631 done
INFO: rule: S5135, entrypoints: 0
INFO: rule: S5135 done
INFO: rule: S2083, entrypoints: 0
INFO: rule: S2083 done
INFO: rule: S5167, entrypoints: 0
INFO: rule: S5167 done
INFO: rule: S5144, entrypoints: 0
INFO: rule: S5144 done
INFO: rule: S5145, entrypoints: 0
INFO: rule: S5145 done
INFO: rule: S5146, entrypoints: 0
INFO: rule: S5146 done
INFO: rule: S5334, entrypoints: 0
INFO: rule: S5334 done
INFO: Sensor JavaSecuritySensor [security] (done) | time=703ms
INFO: Sensor CSharpSecuritySensor [security]
INFO: Reading type hierarchy from: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/ucfg_cs2
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/ucfg_cs2
INFO: No UCFGs have been included for analysis.
INFO: Sensor CSharpSecuritySensor [security] (done) | time=1ms
INFO: Sensor PhpSecuritySensor [security]
INFO: Reading type hierarchy from: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork/ucfg2/php
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork/ucfg2/php
INFO: No UCFGs have been included for analysis.
INFO: Sensor PhpSecuritySensor [security] (done) | time=0ms
INFO: Sensor PythonSecuritySensor [security]
INFO: Reading type hierarchy from: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork/ucfg2/python
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork/ucfg2/python
INFO: No UCFGs have been included for analysis.
INFO: Sensor PythonSecuritySensor [security] (done) | time=0ms
INFO: Sensor JsSecuritySensor [security]
INFO: Reading type hierarchy from: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork/ucfg2/js
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork/ucfg2/js
INFO: No UCFGs have been included for analysis.
INFO: Sensor JsSecuritySensor [security] (done) | time=0ms
INFO: ------------- Run sensors on project
INFO: Sensor Dependency-Check [dependencycheck]
INFO: Process Dependency-Check report
INFO: Using JSON-Reportparser
INFO: Dependency-Check JSON report does not exists. Please check property sonar.dependencyCheck.jsonReportPath:/home/jenkins/agent/workspace/foHub_infohub-common-rest_master/dependency-check-report.json
INFO: JSON-Analysis skipped/aborted due to missing report file
INFO: Using XML-Reportparser
INFO: Dependency-Check XML report does not exists. Please check property sonar.dependencyCheck.xmlReportPath:/home/jenkins/agent/workspace/foHub_infohub-common-rest_master/dependency-check-report.xml
INFO: XML-Analysis skipped/aborted due to missing report file
INFO: Dependency-Check HTML report does not exists. Please check property sonar.dependencyCheck.htmlReportPath:/home/jenkins/agent/workspace/foHub_infohub-common-rest_master/dependency-check-report.html
INFO: HTML-Dependency-Check report does not exist.
INFO: Process Dependency-Check report (done) | time=3ms
INFO: Sensor Dependency-Check [dependencycheck] (done) | time=3ms
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=12ms
INFO: Sensor Java CPD Block Indexer
INFO: Sensor Java CPD Block Indexer (done) | time=84ms
INFO: CPD Executor 14 files had no CPD blocks
INFO: CPD Executor Calculating CPD for 20 files
INFO: CPD Executor CPD calculation finished (done) | time=21ms
INFO: Load New Code definition
INFO: Load New Code definition (done) | time=508ms
INFO: Analysis report generated in 666ms, dir size=452 KB
INFO: Analysis report compressed in 152ms, zip size=164 KB
INFO: Analysis report uploaded in 697ms
INFO: ANALYSIS SUCCESSFUL, you can browse https://sonarqube.core.eu.supply-chain.ibm.com/dashboard?id=InfoHub%3Ainfohub-common-rest&branch=master
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at https://sonarqube.core.eu.supply-chain.ibm.com/api/ce/task?id=AXeYOH8P3naOVUJoFJh1
INFO: Analysis total time: 36.193 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 1:08.438s
INFO: Final Memory: 36M/124M
INFO: ------------------------------------------------------------------------

I wonder if the issue is that we didn’t provide the path for the dependency bytecode? Perhaps the Maven plugin is doing something automatically for us that we are not accounting for in our CLI? (we’re going to fix this so Maven projects use the plugin like our Gradle projects do currently. This appears to be a gap in what we are doing)
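The log above ends in EXECUTION SUCCESS even though the Java taint sensor retained 0 UCFGs with 0 entrypoints and Dependency-Check skipped for lack of a report, which is exactly the kind of silent no-op that lets an existing finding disappear. The following check is an added example, not code from this thread or from SonarSource: it parses scanner log lines of the shape shown above and returns warnings a CI job can act on. The sample log is a constructed excerpt; `sonar.java.libraries` is the standard scanner property for dependency bytecode.

```python
"""Flag SonarQube scanner runs whose security sensors silently did nothing."""
import re

# Constructed excerpt modelled on the scanner log in this thread.
SAMPLE_LOG = """\
INFO: Sensor JavaSecuritySensor [security]
INFO: Read 75 type definitions
INFO: Analyzing 47 ucfgs to detect vulnerabilities.
INFO: All rules entrypoints : 0 Retained UCFGs : 0
INFO: Sensor JavaSecuritySensor [security] (done) | time=703ms
INFO: Sensor Dependency-Check [dependencycheck]
INFO: Dependency-Check JSON report does not exists. Please check property sonar.dependencyCheck.jsonReportPath:/tmp/report.json
INFO: JSON-Analysis skipped/aborted due to missing report file
INFO: Dependency-Check XML report does not exists. Please check property sonar.dependencyCheck.xmlReportPath:/tmp/report.xml
INFO: EXECUTION SUCCESS
"""

UCFG_COUNT_RE = re.compile(r"Analyzing (\d+) ucfgs to detect vulnerabilities")
ENTRYPOINTS_RE = re.compile(r"All rules entrypoints : (\d+) Retained UCFGs : (\d+)")
# Matches the per-format lines ("JSON"/"XML"/"HTML"), not the generic HTML summary line.
MISSING_REPORT_RE = re.compile(r"Dependency-Check (\w+) report does not exist")


def audit_scanner_log(text):
    """Return warning strings; an empty list means the security sensors had real input."""
    warnings = []
    ucfgs = entrypoints = None
    for line in text.splitlines():
        m = UCFG_COUNT_RE.search(line)
        if m:
            ucfgs = int(m.group(1))
        m = ENTRYPOINTS_RE.search(line)
        if m:
            entrypoints = int(m.group(1))
        m = MISSING_REPORT_RE.search(line)
        if m:
            warnings.append(f"Dependency-Check {m.group(1)} report missing: no SCA findings")
    # UCFGs were built from sources, yet taint analysis found nothing to start from:
    # typical when dependency bytecode (sonar.java.libraries) was not supplied.
    if ucfgs and entrypoints == 0:
        warnings.append(f"taint analysis built {ucfgs} UCFGs but found 0 entrypoints; "
                        "check sonar.java.libraries / sonar.java.binaries")
    if warnings and "EXECUTION SUCCESS" in text:
        warnings.append("scanner reported success despite the gaps above")
    return warnings


if __name__ == "__main__":
    for w in audit_scanner_log(SAMPLE_LOG):
        print("WARN:", w)
```

Run it over the captured scanner output in the pipeline and fail or annotate the build when the list is non-empty, so a baseline built from an incomplete scan does not pass unnoticed.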