+ export 'SONAR_SCANNER_OPTS=-Xmx1024m -Dsonar.sources=,./src/main/java -Dsonar.host.url=https://sonarqube.core.eu.supply-chain.ibm.com -Dsonar.projectName=InfoHub:infohub-common-rest -Dsonar.projectKey=InfoHub:infohub-common-rest -Dsonar.sourceEncoding=UTF-8 -Dsonar.tests=,./src/test/java -Dsonar.coverage.jacoco.xmlReportPaths=**/jacoco.xml -Dsonar.java.binaries=**target/classes -Dsonar.dependencyCheck.htmlReportPath=./dependency-check-report.html -Dsonar.dependencyCheck.jsonReportPath=./dependency-check-report.json -Dsonar.dependencyCheck.xmlReportPath=./dependency-check-report.xml'
+ SONAR_SCANNER_OPTS='-Xmx1024m -Dsonar.sources=,./src/main/java -Dsonar.host.url=https://sonarqube.core.eu.supply-chain.ibm.com -Dsonar.projectName=InfoHub:infohub-common-rest -Dsonar.projectKey=InfoHub:infohub-common-rest -Dsonar.sourceEncoding=UTF-8 -Dsonar.tests=,./src/test/java -Dsonar.coverage.jacoco.xmlReportPaths=**/jacoco.xml -Dsonar.java.binaries=**target/classes -Dsonar.dependencyCheck.htmlReportPath=./dependency-check-report.html -Dsonar.dependencyCheck.jsonReportPath=./dependency-check-report.json -Dsonar.dependencyCheck.xmlReportPath=./dependency-check-report.xml'
+ /usr/local/sonar-scanner/bin/sonar-scanner
INFO: Scanner configuration file: /opt/sonar-scanner-4.6.0.2311-linux/conf/sonar-scanner.properties
INFO: Project root configuration file: NONE
INFO: SonarScanner 4.6.0.2311
INFO: Java 11.0.3 AdoptOpenJDK (64-bit)
INFO: Linux 4.15.0-122-generic amd64
INFO: SONAR_SCANNER_OPTS=-Xmx1024m -Dsonar.sources=,./src/main/java -Dsonar.host.url=https://sonarqube.core.eu.supply-chain.ibm.com -Dsonar.projectName=InfoHub:infohub-common-rest -Dsonar.projectKey=InfoHub:infohub-common-rest -Dsonar.sourceEncoding=UTF-8 -Dsonar.tests=,./src/test/java -Dsonar.coverage.jacoco.xmlReportPaths=**/jacoco.xml -Dsonar.java.binaries=**target/classes -Dsonar.dependencyCheck.htmlReportPath=./dependency-check-report.html -Dsonar.dependencyCheck.jsonReportPath=./dependency-check-report.json -Dsonar.dependencyCheck.xmlReportPath=./dependency-check-report.xml
INFO: User cache: /home/jenkins/.sonar/cache
INFO: Scanner configuration file: /opt/sonar-scanner-4.6.0.2311-linux/conf/sonar-scanner.properties
INFO: Project root configuration file: NONE
INFO: Analyzing on SonarQube server 8.6.1
INFO: Default locale: "en_US", source code encoding: "UTF-8"
INFO: Load global settings
INFO: Load global settings (done) | time=543ms
INFO: Server id: <ID>
INFO: User cache: /home/jenkins/.sonar/cache
INFO: Load/download plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=327ms
INFO: Load/download plugins (done) | time=27402ms
INFO: Loaded core extensions: developer-scanner
INFO: JavaScript/TypeScript frontend is enabled
INFO: Process project properties
INFO: Process project properties (done) | time=15ms
INFO: Execute project builders
INFO: Execute project builders (done) | time=2ms
INFO: Project key: InfoHub:infohub-common-rest
INFO: Base dir: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master
INFO: Working dir: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork
INFO: Load project settings for component key: 'InfoHub:infohub-common-rest'
INFO: Load project settings for component key: 'InfoHub:infohub-common-rest' (done) | time=340ms
INFO: Load project branches
INFO: Load project branches (done) | time=295ms
INFO: Load project pull requests
INFO: Load project pull requests (done) | time=268ms
INFO: Load branch configuration
INFO: Detected branch/PR in 'Jenkins'
INFO: Auto-configuring branch 'master'
INFO: Load branch configuration (done) | time=3ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=354ms
INFO: Auto-configuring with CI 'Jenkins'
INFO: Load active rules
INFO: Load active rules (done) | time=9943ms
INFO: Branch name: master
INFO: Indexing files...
INFO: Project configuration:
INFO: 49 files indexed
INFO: 0 files ignored because of scm ignore settings
INFO: Quality profile for java: Sonar way
INFO: ------------- Run sensors on module InfoHub:infohub-common-rest
INFO: JavaScript/TypeScript frontend is enabled
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=326ms
INFO: Sensor JavaSquidSensor [java]
INFO: Configured Java source version (sonar.java.source): none
INFO: JavaClasspath initialization
WARN: Bytecode of dependencies was not provided for analysis of source files, you might end up with less precise results. Bytecode can be provided using sonar.java.libraries property.
INFO: JavaClasspath initialization (done) | time=45ms
INFO: JavaTestClasspath initialization
WARN: Bytecode of dependencies was not provided for analysis of test files, you might end up with less precise results. Bytecode can be provided using sonar.java.test.libraries property.
INFO: JavaTestClasspath initialization (done) | time=0ms
INFO: Java Main Files AST scan
INFO: 34 source files to be analyzed
INFO: Load project repositories
INFO: Load project repositories (done) | time=379ms
INFO: 34/34 source files have been analyzed
INFO: Java Main Files AST scan (done) | time=6579ms
INFO: Java Test Files AST scan
INFO: 15 source files to be analyzed
INFO: Java Test Files AST scan (done) | time=532ms
INFO: Java Generated Files AST scan
INFO: 0 source files to be analyzed
INFO: Java Generated Files AST scan (done) | time=1ms
INFO: Sensor JavaSquidSensor [java] (done) | time=7498ms
INFO: Sensor CoberturaSensor [cobertura]
WARN: Cobertura report not found at /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/target/site/cobertura/coverage.xml
INFO: Sensor CoberturaSensor [cobertura] (done) | time=0ms
INFO: Sensor CSS Rules [cssfamily]
INFO: 15/15 source files have been analyzed
INFO: 0/0 source files have been analyzed
INFO: No CSS, PHP, HTML or VueJS files are found in the project. CSS analysis is skipped.
INFO: Sensor CSS Rules [cssfamily] (done) | time=1ms
INFO: Sensor C# Properties [csharp]
INFO: Sensor C# Properties [csharp] (done) | time=2ms
INFO: Sensor SurefireSensor [java]
INFO: parsing [/home/jenkins/agent/workspace/foHub_infohub-common-rest_master/target/surefire-reports]
INFO: Sensor SurefireSensor [java] (done) | time=123ms
INFO: Sensor JavaXmlSensor [java]
INFO: Sensor JavaXmlSensor [java] (done) | time=2ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=4ms
INFO: Sensor VB.NET Properties [vbnet]
INFO: Sensor VB.NET Properties [vbnet] (done) | time=5ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: Importing 1 report(s). Turn your logs in debug mode in order to see the exhaustive list.
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=68ms
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend]
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend] (done) | time=1ms
INFO: Sensor FindBugs Sensor [findbugs]
INFO: Loading findbugs plugin: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork/findbugs/findsecbugs-plugin.jar
INFO: Findbugs output report: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork/findbugs-result.xml
The following errors occurred during analysis:
Exception analyzing com.ibm.wsc.infohub.CorsBeanConfig$1 using detector com.h3xstream.findsecbugs.spring.CorsRegistryCORSDetector
java.lang.NullPointerException
At com.h3xstream.findsecbugs.spring.CorsRegistryCORSDetector.getStringArray(CorsRegistryCORSDetector.java:63)
At com.h3xstream.findsecbugs.spring.CorsRegistryCORSDetector.sawOpcode(CorsRegistryCORSDetector.java:48)
At edu.umd.cs.findbugs.visitclass.DismantleBytecode.visit(DismantleBytecode.java:878)
At edu.umd.cs.findbugs.visitclass.BetterVisitor.visitCode(BetterVisitor.java:218)
At edu.umd.cs.findbugs.visitclass.PreorderVisitor.visitCode(PreorderVisitor.java:243)
At edu.umd.cs.findbugs.bcel.OpcodeStackDetector.visitCode(OpcodeStackDetector.java:65)
At org.apache.bcel.classfile.Code.accept(Code.java:131)
At edu.umd.cs.findbugs.visitclass.PreorderVisitor.doVisitMethod(PreorderVisitor.java:315)
At edu.umd.cs.findbugs.visitclass.PreorderVisitor.visitJavaClass(PreorderVisitor.java:397)
At org.apache.bcel.classfile.JavaClass.accept(JavaClass.java:213)
At edu.umd.cs.findbugs.BytecodeScanningDetector.visitClassContext(BytecodeScanningDetector.java:38)
At edu.umd.cs.findbugs.DetectorToDetector2Adapter.visitClass(DetectorToDetector2Adapter.java:76)
At edu.umd.cs.findbugs.FindBugs2.lambda$analyzeApplication$1(FindBugs2.java:1108)
At java.base/java.util.concurrent.FutureTask.run(Unknown Source)
At edu.umd.cs.findbugs.CurrentThreadExecutorService.execute(CurrentThreadExecutorService.java:86)
At java.base/java.util.concurrent.AbstractExecutorService.invokeAll(Unknown Source)
At edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1118)
At edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:309)
At org.sonar.plugins.findbugs.FindbugsExecutor$FindbugsTask.call(FindbugsExecutor.java:235)
At java.base/java.util.concurrent.FutureTask.run(Unknown Source)
At java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
At java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
At java.base/java.lang.Thread.run(Unknown Source)
The following classes needed for analysis were missing:
org.springframework.web.servlet.config.annotation.WebMvcConfigurer
org.springframework.boot.web.servlet.error.ErrorController
org.springframework.web.servlet.mvc.method.annotation.ResponseEntityExceptionHandler
com.fasterxml.jackson.core.type.TypeReference
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
org.springframework.security.core.AuthenticationException
com.ibm.wsc.infohub.common.elasticsearch.dao.ESCRUDDao
org.elasticsearch.search.fetch.subphase.FetchSourceContext
javax.ws.rs.core.Response$Status
com.ibm.wsc.infohub.i18n.Message
com.ibm.wsc.infohub.model.TenantType
org.springframework.security.core.GrantedAuthority
com.ibm.wsc.infohub.darklaunch.InfoHubDarklaunch
org.springframework.security.access.AccessDeniedException
org.springframework.security.core.context.SecurityContextHolder
org.springframework.security.core.context.SecurityContext
org.springframework.security.core.Authentication
org.jose4j.jwk.HttpsJwks
org.jose4j.keys.resolvers.VerificationKeyResolver
org.jose4j.jwa.AlgorithmConstraints$ConstraintType
org.slf4j.Logger
com.ibm.wsc.infohub.config.ConfigFacade
com.fasterxml.jackson.databind.ObjectMapper
org.apache.commons.validator.routines.UrlValidator
org.jose4j.http.Get
org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver
org.jose4j.jwk.JsonWebKeySet
org.jose4j.keys.resolvers.JwksVerificationKeyResolver
org.jose4j.jwt.JwtClaims
org.springframework.security.core.authority.SimpleGrantedAuthority
org.springframework.security.core.userdetails.User
org.jose4j.jwt.consumer.JwtConsumer
org.jose4j.jwt.consumer.InvalidJwtException
org.jose4j.jwt.consumer.JwtConsumerBuilder
org.slf4j.LoggerFactory
io.swagger.v3.oas.models.OpenAPI
io.swagger.v3.core.util.Yaml
com.github.mustachejava.DefaultMustacheFactory
com.github.mustachejava.MustacheFactory
com.github.mustachejava.Mustache
org.springframework.http.HttpStatus
org.springframework.web.bind.MethodArgumentNotValidException
org.springframework.http.HttpHeaders
org.springframework.web.context.request.WebRequest
org.springframework.validation.FieldError
org.springframework.validation.BindingResult
com.ibm.wsc.infohub.json.JSONObject
org.springframework.http.ResponseEntity
com.ibm.wsc.infohub.security.provider.SCIUtil
com.ibm.wsc.infohub.security.provider.SCIPBEWrapper
com.ibm.wsc.infohub.security.CryptoException
org.springframework.security.web.util.matcher.RequestMatcher
com.google.common.base.Supplier
javax.servlet.http.HttpServletRequest
javax.servlet.http.HttpServletResponse
javax.servlet.FilterChain
org.springframework.security.web.util.matcher.AntPathRequestMatcher
org.springframework.security.web.util.matcher.OrRequestMatcher
org.springframework.security.web.util.matcher.NegatedRequestMatcher
com.google.common.base.Suppliers
org.springframework.security.core.userdetails.UserDetails
org.springframework.security.authentication.UsernamePasswordAuthenticationToken
org.springframework.security.web.authentication.WebAuthenticationDetailsSource
org.json.JSONObject
org.springframework.web.servlet.config.annotation.CorsRegistry
org.springframework.web.servlet.config.annotation.CorsRegistration
com.ibm.wsc.infohub.util.PropertyUtil
org.apache.commons.lang3.ArrayUtils
org.apache.commons.lang3.StringUtils
org.springframework.web.bind.MissingServletRequestParameterException
javax.servlet.Filter
org.springframework.security.web.access.AccessDeniedHandler
org.springframework.security.web.AuthenticationEntryPoint
org.springframework.security.config.http.SessionCreationPolicy
org.springframework.security.config.annotation.web.builders.HttpSecurity
org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
org.springframework.security.config.annotation.web.builders.WebSecurity
org.springframework.security.config.annotation.SecurityBuilder
org.springframework.security.config.annotation.web.configurers.CsrfConfigurer
org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer
org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer
org.springframework.security.config.annotation.web.builders.WebSecurity$IgnoredRequestConfigurer
springfox.documentation.spi.DocumentationType
springfox.documentation.service.ApiInfo
springfox.documentation.spring.web.plugins.Docket
springfox.documentation.builders.RequestHandlerSelectors
springfox.documentation.spring.web.plugins.ApiSelectorBuilder
springfox.documentation.builders.PathSelectors
springfox.documentation.swagger.web.UiConfigurationBuilder
org.apache.commons.collections4.map.LRUMap
apply
org.jose4j.lang.JoseException
org.jose4j.http.SimpleGet
org.jose4j.jws.AlgorithmIdentifiers
org.jose4j.jwa.AlgorithmConstraints
org.springframework.security.config.annotation.web.HttpSecurityBuilder
handle
commence
org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
javax.servlet.ServletException
com.ibm.wsc.infohub.constant.ElasticSearchConstant
com.ibm.wsc.infohub.i18n.CryptoMessages
com.ibm.wsc.infohub.security.provider.SCIProviderException
io.swagger.v3.oas.models.Components
io.swagger.v3.oas.models.ExternalDocumentation
io.swagger.v3.oas.models.info.Info
io.swagger.v3.oas.models.Paths
customise
org.springdoc.core.customizers.OpenApiCustomiser
test
javax.ws.rs.core.Response
get
INFO: Sensor FindBugs Sensor [findbugs] (done) | time=7959ms
INFO: Sensor JavaSecuritySensor [security]
INFO: Reading type hierarchy from: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork/ucfg2/java
INFO: Read 75 type definitions
INFO: Reading UCFGs from: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork/ucfg2/java
INFO: 21:49:33.366288 Building Runtime Type propagation graph
INFO: 21:49:33.376572 Running Tarjan on 100 nodes
INFO: 21:49:33.385305 Tarjan found 94 components
INFO: 21:49:33.404889 Variable type analysis: done
INFO: 21:49:33.408954 Building Runtime Type propagation graph
INFO: 21:49:33.413637 Running Tarjan on 100 nodes
INFO: 21:49:33.414368 Tarjan found 94 components
INFO: 21:49:33.415113 Variable type analysis: done
INFO: Analyzing 47 ucfgs to detect vulnerabilities.
INFO: All rules entrypoints : 0 Retained UCFGs : 0
INFO: rule: S5131, entrypoints: 0
INFO: rule: S5131 done
INFO: rule: S3649, entrypoints: 0
INFO: rule: S3649 done
INFO: rule: S2076, entrypoints: 0
INFO: rule: S2076 done
INFO: rule: S2091, entrypoints: 0
INFO: rule: S2091 done
INFO: rule: S2078, entrypoints: 0
INFO: rule: S2078 done
INFO: rule: S2631, entrypoints: 0
INFO: rule: S2631 done
INFO: rule: S5135, entrypoints: 0
INFO: rule: S5135 done
INFO: rule: S2083, entrypoints: 0
INFO: rule: S2083 done
INFO: rule: S5167, entrypoints: 0
INFO: rule: S5167 done
INFO: rule: S5144, entrypoints: 0
INFO: rule: S5144 done
INFO: rule: S5145, entrypoints: 0
INFO: rule: S5145 done
INFO: rule: S5146, entrypoints: 0
INFO: rule: S5146 done
INFO: rule: S5334, entrypoints: 0
INFO: rule: S5334 done
INFO: Sensor JavaSecuritySensor [security] (done) | time=703ms
INFO: Sensor CSharpSecuritySensor [security]
INFO: Reading type hierarchy from: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/ucfg_cs2
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/ucfg_cs2
INFO: No UCFGs have been included for analysis.
INFO: Sensor CSharpSecuritySensor [security] (done) | time=1ms
INFO: Sensor PhpSecuritySensor [security]
INFO: Reading type hierarchy from: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork/ucfg2/php
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork/ucfg2/php
INFO: No UCFGs have been included for analysis.
INFO: Sensor PhpSecuritySensor [security] (done) | time=0ms
INFO: Sensor PythonSecuritySensor [security]
INFO: Reading type hierarchy from: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork/ucfg2/python
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork/ucfg2/python
INFO: No UCFGs have been included for analysis.
INFO: Sensor PythonSecuritySensor [security] (done) | time=0ms
INFO: Sensor JsSecuritySensor [security]
INFO: Reading type hierarchy from: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork/ucfg2/js
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /home/jenkins/agent/workspace/foHub_infohub-common-rest_master/.scannerwork/ucfg2/js
INFO: No UCFGs have been included for analysis.
INFO: Sensor JsSecuritySensor [security] (done) | time=0ms
INFO: ------------- Run sensors on project
INFO: Sensor Dependency-Check [dependencycheck]
INFO: Process Dependency-Check report
INFO: Using JSON-Reportparser
INFO: Dependency-Check JSON report does not exists. Please check property sonar.dependencyCheck.jsonReportPath:/home/jenkins/agent/workspace/foHub_infohub-common-rest_master/dependency-check-report.json
INFO: JSON-Analysis skipped/aborted due to missing report file
INFO: Using XML-Reportparser
INFO: Dependency-Check XML report does not exists. Please check property sonar.dependencyCheck.xmlReportPath:/home/jenkins/agent/workspace/foHub_infohub-common-rest_master/dependency-check-report.xml
INFO: XML-Analysis skipped/aborted due to missing report file
INFO: Dependency-Check HTML report does not exists. Please check property sonar.dependencyCheck.htmlReportPath:/home/jenkins/agent/workspace/foHub_infohub-common-rest_master/dependency-check-report.html
INFO: HTML-Dependency-Check report does not exist.
INFO: Process Dependency-Check report (done) | time=3ms
INFO: Sensor Dependency-Check [dependencycheck] (done) | time=3ms
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=12ms
INFO: Sensor Java CPD Block Indexer
INFO: Sensor Java CPD Block Indexer (done) | time=84ms
INFO: CPD Executor 14 files had no CPD blocks
INFO: CPD Executor Calculating CPD for 20 files
INFO: CPD Executor CPD calculation finished (done) | time=21ms
INFO: Load New Code definition
INFO: Load New Code definition (done) | time=508ms
INFO: Analysis report generated in 666ms, dir size=452 KB
INFO: Analysis report compressed in 152ms, zip size=164 KB
INFO: Analysis report uploaded in 697ms
INFO: ANALYSIS SUCCESSFUL, you can browse https://sonarqube.core.eu.supply-chain.ibm.com/dashboard?id=InfoHub%3Ainfohub-common-rest&branch=master
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at https://sonarqube.core.eu.supply-chain.ibm.com/api/ce/task?id=AXeYOH8P3naOVUJoFJh1
INFO: Analysis total time: 36.193 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 1:08.438s
INFO: Final Memory: 36M/124M
INFO: ------------------------------------------------------------------------
I wonder if the issue is that we didn’t provide the path for the dependency bytecode? Perhaps the Maven plugin is doing something automatically for us that we are not accounting for in our CLI? (We’re going to fix this so Maven projects use the plugin like our Gradle projects do currently. This appears to be a gap in what we are doing.)
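The run above ends in `EXECUTION SUCCESS` even though the log shows dependency bytecode missing, a FindSecBugs detector crashing, classes missing for analysis, and no Dependency-Check report being imported. The following is an added example, not part of the original post or of any SonarQube tooling: a CI step that scans the captured scanner log for those messages and fails the build when any appear. The function names `sample_log`, `scan_gaps`, `gap_count` and `gate_log` are hypothetical, and the patterns are taken from the message texts in the log above.

```shell
#!/bin/sh
# Added example: fail a CI step when sonar-scanner reports success although
# parts of the security analysis were skipped or crashed.

# Lines excerpted from the log above, embedded so the script runs offline.
sample_log() {
cat <<'EOF'
WARN: Bytecode of dependencies was not provided for analysis of source files, you might end up with less precise results. Bytecode can be provided using sonar.java.libraries property.
WARN: Bytecode of dependencies was not provided for analysis of test files, you might end up with less precise results. Bytecode can be provided using sonar.java.test.libraries property.
Exception analyzing com.ibm.wsc.infohub.CorsBeanConfig$1 using detector com.h3xstream.findsecbugs.spring.CorsRegistryCORSDetector
The following classes needed for analysis were missing:
INFO: Dependency-Check JSON report does not exists. Please check property sonar.dependencyCheck.jsonReportPath:/home/jenkins/agent/workspace/foHub_infohub-common-rest_master/dependency-check-report.json
INFO: JSON-Analysis skipped/aborted due to missing report file
INFO: EXECUTION SUCCESS
EOF
}

# scan_gaps FILE: print one "category<TAB>count" line per kind of gap found.
scan_gaps() {
  awk '
    /Bytecode of dependencies was not provided/              { n["missing-bytecode"]++ }
    /^Exception analyzing .* using detector /                { n["detector-crash"]++ }
    /classes needed for analysis were missing/               { n["missing-classes"]++ }
    /Dependency-Check (JSON|XML|HTML) report does not exist/ { n["missing-sca-report"]++ }
    END { for (k in n) printf "%s\t%d\n", k, n[k] }
  ' "$1" | sort
}

# gap_count FILE CATEGORY: print the count for one category (0 if absent).
gap_count() {
  scan_gaps "$1" | awk -F'\t' -v c="$2" \
    '$1 == c { print $2; found = 1 } END { if (!found) print 0 }'
}

# gate_log FILE: return 0 when no gap is present, 1 otherwise.
gate_log() {
  gaps=$(scan_gaps "$1")
  if [ -z "$gaps" ]; then
    return 0
  fi
  printf 'scanner run has analysis gaps:\n%s\n' "$gaps" >&2
  return 1
}

if [ -n "${1:-}" ]; then
  gate_log "$1"      # CI use: the exit status fails the step
else
  demo=$(mktemp)
  sample_log > "$demo"
  gate_log "$demo" || echo "demo: gate would fail this build"
  rm -f "$demo"
fi
```

In a pipeline, capture the scanner output with `tee scanner.log` and run this script with `scanner.log` as its argument in the next step.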