Import of Sarif report not working - this.bases is null

Hi everyone.

We are trying to upload a vulnerability sarif report from trivy from a github action to sonarqube 10.2 but we cannot see the results in the dashboard.
We are using aquasecurity/trivy-action (GitHub: "Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities"); the creation is successful and the report is valid.

This is what we can see when we follow the sonarqube/api/ce/task?id=…

{"task":{"id":"AY0g8mmq2xBPXuAlw4C6","type":"REPORT","componentId":"AY0SKm0Z2xBPXuAlw3_g","componentKey":"container","componentName":"container","componentQualifier":"TRK","status":"FAILED","submittedAt":"2024-01-19T08:59:34+0000","submitterLogin":"admin","startedAt":"2024-01-19T08:59:43+0000","executedAt":"2024-01-19T08:59:44+0000","executionTimeMs":1313,"errorMessage":"Fail to process issues of component \u0027container\u0027 (Visit of Component {key\u003dcontainer,type\u003dPROJECT} failed)","errorStacktrace":"org.sonar.ce.task.projectanalysis.component.VisitException: Visit of Component {key\u003dcontainer,type\u003dPROJECT} failed\n\tat org.sonar.ce.task.projectanalysis.component.VisitException.rethrowOrWrap(VisitException.java:44)\n\tat org.sonar.ce.task.projectanalysis.component.VisitorsCrawler.visit(VisitorsCrawler.java:71)\n\tat org.sonar.ce.task.projectanalysis.step.ExecuteVisitorsStep.execute(ExecuteVisitorsStep.java:51)\n\tat org.sonar.ce.task.step.ComputationStepExecutor.executeStep(ComputationStepExecutor.java:79)\n\tat org.sonar.ce.task.step.ComputationStepExecutor.executeSteps(ComputationStepExecutor.java:70)\n\tat org.sonar.ce.task.step.ComputationStepExecutor.execute(ComputationStepExecutor.java:57)\n\tat org.sonar.ce.task.projectanalysis.taskprocessor.ReportTaskProcessor.process(ReportTaskProcessor.java:75)\n\tat org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.executeTask(CeWorkerImpl.java:212)\n\tat org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.run(CeWorkerImpl.java:194)\n\tat org.sonar.ce.taskprocessor.CeWorkerImpl.findAndProcessTask(CeWorkerImpl.java:160)\n\tat org.sonar.ce.taskprocessor.CeWorkerImpl$TrackRunningState.get(CeWorkerImpl.java:135)\n\tat org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:87)\n\tat org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:53)\n\tat 
com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:131)\n\tat com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:75)\n\tat com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:82)\n\tat java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)\n\tat java.base/java.util.concurrent.FutureTask.run(Unknown Source)\n\tat java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)\n\tat java.base/java.lang.Thread.run(Unknown Source)\nCaused by: java.lang.IllegalStateException: Fail to process issues of component \u0027container\u0027\n\tat org.sonar.ce.task.projectanalysis.issue.IntegrateIssuesVisitor.visitAny(IntegrateIssuesVisitor.java:104)\n\tat org.sonar.ce.task.projectanalysis.component.TypeAwareVisitorWrapper.visitAny(TypeAwareVisitorWrapper.java:77)\n\tat org.sonar.ce.task.projectanalysis.component.VisitorsCrawler.visitNode(VisitorsCrawler.java:114)\n\tat org.sonar.ce.task.projectanalysis.component.VisitorsCrawler.visitImpl(VisitorsCrawler.java:97)\n\tat org.sonar.ce.task.projectanalysis.component.VisitorsCrawler.visit(VisitorsCrawler.java:69)\n\t... 
20 more\nCaused by: java.lang.NullPointerException: Cannot invoke \"java.util.Collection.stream()\" because \"this.bases\" is null\n\tat org.sonar.core.issue.tracking.Tracking.getUnmatchedBases(Tracking.java:73)\n\tat org.sonar.core.issue.tracking.AbstractTracker.match(AbstractTracker.java:41)\n\tat org.sonar.core.issue.tracking.AnticipatedTransitionTracker.track(AnticipatedTransitionTracker.java:34)\n\tat org.sonar.ce.task.projectanalysis.issue.TransitionIssuesToAnticipatedStatesVisitor.onIssue(TransitionIssuesToAnticipatedStatesVisitor.java:72)\n\tat org.sonar.ce.task.projectanalysis.issue.IssueVisitors.onIssue(IssueVisitors.java:41)\n\tat org.sonar.ce.task.projectanalysis.issue.IntegrateIssuesVisitor.processIssue(IntegrateIssuesVisitor.java:158)\n\tat org.sonar.ce.task.projectanalysis.issue.IntegrateIssuesVisitor.lambda$processIssues$0(IntegrateIssuesVisitor.java:109)\n\tat java.base/java.lang.Iterable.forEach(Unknown Source)\n\tat org.sonar.ce.task.projectanalysis.issue.IntegrateIssuesVisitor.processIssues(IntegrateIssuesVisitor.java:109)\n\tat org.sonar.ce.task.projectanalysis.issue.IntegrateIssuesVisitor.visitAny(IntegrateIssuesVisitor.java:98)\n\t... 
24 more\n","scannerContext":"Plugins:\nBundled analyzers:\n - Clean as You Code 2.1.0.500 (cayc)\n - IaC Code Quality and Security 1.20.0.5654 (iac)\n - PL/SQL Code Quality and Security 3.10.0.5282 (plsql)\n - Scala Code Quality and Security 1.14.0.4481 (sonarscala)\n - C# Code Quality and Security 9.8.0.76515 (csharp)\n - Vulnerability Analysis 10.2.0.22608 (security)\n - Java Code Quality and Security 7.24.0.32100 (java)\n - HTML Code Quality and Security 3.9.0.3600 (web)\n - Flex Code Quality and Security 2.10.0.3458 (flex)\n - XML Code Quality and Security 2.10.0.4108 (xml)\n - Text Code Quality and Security 2.3.0.1632 (text)\n - VB.NET Code Quality and Security 9.8.0.76515 (vbnet)\n - Swift Code Quality and Security 4.10.0.5999 (swift)\n - CFamily Code Quality and Security 6.48.1.62610 (cpp)\n - Python Code Quality and Security 4.7.0.12181 (python)\n - Dataflow Bug Detection Rules for Python 1.17.0.4892 (dbdpythonfrontend)\n - Dataflow Bug Detection 1.17.0.4892 (dbd)\n - Go Code Quality and Security 1.14.0.4481 (go)\n - JaCoCo 1.3.0.1538 (jacoco)\n - Kotlin Code Quality and Security 2.17.0.2902 (kotlin)\n - RPG Code Quality 3.6.0.3520 (rpg)\n - Dataflow Bug Detection Rules for Java 1.17.0.4892 (dbdjavafrontend)\n - PL/I Code Quality and Security 1.14.0.3735 (pli)\n - T-SQL Code Quality and Security 1.10.0.5799 (tsql)\n - VB6 Code Quality and Security 2.11.0.3706 (vb)\n - Apex Code Quality and Security 1.14.0.4481 (sonarapex)\n - JavaScript/TypeScript/CSS Code Quality and Security 10.5.1.22382 (javascript)\n - Ruby Code Quality and Security 1.14.0.4481 (ruby)\n - Vulnerability Rules for C# 10.2.0.22608 (securitycsharpfrontend)\n - Vulnerability Rules for Java 10.2.0.22608 (securityjavafrontend)\n - Vulnerability Rules for JS 10.2.0.22608 (securityjsfrontend)\n - COBOL Code Quality 5.5.0.6450 (cobol)\n - Vulnerability Rules for Python 10.2.0.22608 (securitypythonfrontend)\n - PHP Code Quality and Security 3.32.0.10180 (php)\n - ABAP Code Quality and Security 
3.13.0.4389 (abap)\n - Configuration detection for Code Quality and Security 1.3.0.654 (config)\n - Vulnerability Rules for PHP 10.2.0.22608 (securityphpfrontend)\nGlobal server settings:\n - sonar.auth.github.allowUsersToSignUp\u003dtrue\n - sonar.auth.github.enabled\u003dtrue\n - sonar.auth.github.groupsSync\u003dtrue\n - sonar.auth.github.organizations\u003dsmc-org\n - sonar.auth.github.webUrl\u003dhttps://github.com/\n - sonar.core.id\***********\n - sonar.core.serverBaseURL\u003dhttps://***.****.**/sonarqube\n - sonar.core.startTime\u003d2023-12-12T08:33:46+0000\n - sonar.dbcleaner.branchesToKeepWhenInactive\u003dmaster\n - sonar.dbcleaner.daysBeforeDeletingInactiveBranchesAndPRs\u003d7\n - sonar.forceAuthentication\u003dtrue\n - sonar.plugins.risk.consent\u003dACCEPTED\n - sonar.projectCreation.mainBranchName\u003dmaster\nProject server settings:\nProject scanner properties:\n - sonar.branch.name\u003d*****\n - sonar.host.url\u003dhttps://***.****.**/sonarqube/\n - sonar.projectBaseDir\u003d/usr/src\n - sonar.projectKey\u003dcontainer\n - sonar.sarifReportPaths\u003d/usr/src/result.sarif\n - sonar.scanner.app\u003dScannerCLI\n - sonar.scanner.appVersion\u003d5.0.1.3006\n - sonar.sourceEncoding\u003dUTF-8\n - sonar.working.directory\u003d/usr/src/.scannerwork","hasScannerContext":true,"branch":"***","branchType":"BRANCH","warningCount":1,"warnings":["SCM provider autodetection failed. Please use \"sonar.scm.provider\" to define SCM of your project, or disable the SCM Sensor in the project settings."]}}
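The failing task above buries the actual cause (the NullPointerException in `Tracking.getUnmatchedBases`) two levels deep in `errorStacktrace`. As an added example, not part of the original post, here is a small Python helper that reads an `api/ce/task` response, splits the Java stack trace into its "Caused by" chain and returns the innermost cause; the embedded sample is a constructed, shortened copy of the response quoted in the thread, and `fetch_task` (token passed as basic-auth username) is an assumption about how you would call the API.

```python
import base64
import json
import urllib.request
from typing import Optional

# Constructed sample modelled on the api/ce/task response in the thread
# (stack trace shortened, task id replaced by a placeholder).
SAMPLE_TASK_JSON = r'''{"task":{"id":"PLACEHOLDER_TASK_ID","type":"REPORT","componentKey":"container",
"status":"FAILED",
"errorMessage":"Fail to process issues of component \u0027container\u0027 (Visit of Component {key\u003dcontainer,type\u003dPROJECT} failed)",
"errorStacktrace":"org.sonar.ce.task.projectanalysis.component.VisitException: Visit of Component {key\u003dcontainer,type\u003dPROJECT} failed\n\tat org.sonar.ce.task.projectanalysis.component.VisitorsCrawler.visit(VisitorsCrawler.java:71)\nCaused by: java.lang.IllegalStateException: Fail to process issues of component \u0027container\u0027\n\tat org.sonar.ce.task.projectanalysis.issue.IntegrateIssuesVisitor.visitAny(IntegrateIssuesVisitor.java:104)\n\t... 20 more\nCaused by: java.lang.NullPointerException: Cannot invoke \"java.util.Collection.stream()\" because \"this.bases\" is null\n\tat org.sonar.core.issue.tracking.Tracking.getUnmatchedBases(Tracking.java:73)\n\t... 24 more\n",
"warningCount":1,"warnings":["SCM provider autodetection failed."]}}'''


def fetch_task(base_url: str, task_id: str, token: str) -> dict:
    """Assumed helper: GET <base_url>/api/ce/task?id=<task_id> with a user token."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/ce/task?id={task_id}")
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_task(resp.read().decode("utf-8"))


def parse_task(raw: str) -> dict:
    """Decode the JSON body and return the 'task' object (escapes such as \\u0027 are decoded by json)."""
    return json.loads(raw)["task"]


def cause_chain(stacktrace: str) -> list:
    """Split a Java stack trace on 'Caused by:' into [{exception, message, frames}], outermost first."""
    chain = []
    for block in stacktrace.split("\nCaused by: "):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        head, *rest = lines
        exc, _, msg = head.partition(": ")
        # keep only '\tat ...' frames, drop the '... N more' elision lines
        frames = [ln.strip()[3:] for ln in rest if ln.strip().startswith("at ")]
        chain.append({"exception": exc, "message": msg, "frames": frames})
    return chain


def root_cause(task: dict) -> Optional[dict]:
    """Innermost cause of a FAILED task, or None when there is nothing to diagnose."""
    if task.get("status") != "FAILED" or not task.get("errorStacktrace"):
        return None
    return cause_chain(task["errorStacktrace"])[-1]


if __name__ == "__main__":
    rc = root_cause(parse_task(SAMPLE_TASK_JSON))
    print(rc["exception"], "-", rc["message"], "at", rc["frames"][0])
```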

Hey there.

We haven’t had a report like this yet, with many users using the SARIF import. Can you share the specific report that triggered this issue?

Hi Colin.

Please find below the sarif report.
result_report.zip (16.7 KB)

Hello,

Thanks for opening this thread.

Could you also share the logs from the compute engine so that we get more context?

Also, can you try to run an analysis without passing the sarif file, to make sure it succeeds?

Thanks,
Aurélien

Hello.

Please find attached the CE log.
Regards,

log_sonarqube_2901_CE.txt (23.5 KB)

Hello,

In the logs, I see an indexation task failure.

Could you force a full reindexation (instruction here)?

And then retry and send me the full logs if something goes wrong?

Thanks a lot,
Aurélien

Hello Aurélien,

I’ve done the full reindexing, then attempted the operation again.
(Now the log is clean; there are no more indexing issues.)
The result is the same, I see the same exception:
Cannot invoke “java.util.Collection.stream()” because “this.bases” is null

Regards,

Have you tried that? I would need the information before doing extra investigation.

For this case we are using a pipeline to trigger a workflow that does the docker container vulnerability scanning and sends this trivy report scan to our sonarqube instance.

We are doing analysis (without the trivy vulnerability scanning) on other projects that we have and we have no problem on that part.

Could you share a small reproducer with us?

Can you please be more concise about what exactly I should share? The sarif report was attached above.

I’ve tried to import your Sarif on another project and it worked fine. So, it seems the issue is related to the project or the way you trigger the analysis. I guess you can’t share the project itself with us, but you might be able to create a minimal setup that recreates the issue and would allow us to investigate.

Hello,

Please find attached the code that triggers our trivy scanner and sends the resulting report to our sonarqube instance.

Regards,
calling_trivy_and_sending_report_to_sq.zip (864 Bytes)

Update: We are using Enterprise Edition Version 10.2.1 (build 78527)