Issue Description
We are facing a couple of problems that seem to be tied together.
- Issues in old code are being incorrectly identified as issues in new code
- Identification is intermittent, resulting in later scans marking the issue ‘Fixed’ and reopening it as ‘new’ in later scans. This makes it impossible to mark them as ‘Accepted’ and have it stick.
The old code in the example below is 4 years old.
Any help with this would be appreciated.
SonarQube Server Details
Version: SonarQube Developer Edition v10.6 (92116)
Deployment: Kubernetes via Helm chart
Leak Period: Previous version
Issue Screenshots
- Issue marked as fixed in the pull request and does not show in the feature branch analysis:
- Issue displayed as fixed in the pull request:
- Issue re-appears in the master branch analysis after merging:
Scanner Logs
Pull Request (feature branch) analysis log:
++ echo 'e[32;1m$ sonar-scanner -Dsonar.java.libraries=$M2_REPO/**/*.jare[0;m'
$ sonar-scanner -Dsonar.java.libraries=$M2_REPO/**/*.jar
++ sonar-scanner '-Dsonar.java.libraries=/builds/engineering/----/---------/.m2/repository/**/*.jar'
INFO: Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: /builds/engineering/----/---------/sonar-project.properties
INFO: SonarScanner 5.0.1.3006
INFO: Java 17.0.10 Alpine (64-bit)
INFO: Linux 6.1.100+ amd64
INFO: User cache: /opt/sonar-scanner/.sonar/cache
INFO: Analyzing on SonarQube server 10.6.0.92116
INFO: Default locale: "en_US", source code encoding: "UTF-8" (analysis is platform dependent)
INFO: Load global settings
INFO: Load global settings (done) | time=247ms
INFO: Server id: 3A9A6FFF-AY8wx3ngsBdV4UVeFY8S
INFO: Loading required plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=58ms
INFO: Load/download plugins
INFO: Load/download plugins (done) | time=864ms
INFO: Loaded core extensions: developer-scanner
INFO: Process project properties
INFO: Process project properties (done) | time=10ms
INFO: Project key: ---------
INFO: Base dir: /builds/engineering/----/---------
INFO: Working dir: /builds/engineering/----/---------/.scannerwork
INFO: Load project settings for component key: '---------'
INFO: Load project settings for component key: '---------' (done) | time=26ms
INFO: Load project branches
INFO: Load project branches (done) | time=23ms
INFO: Load branch configuration
INFO: Found manual configuration of branch/PR analysis. Skipping automatic configuration.
INFO: Load branch configuration (done) | time=3ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=69ms
INFO: Auto-configuring with CI 'Gitlab CI'
INFO: Load active rules
INFO: Load active rules (done) | time=2801ms
INFO: Load analysis cache
INFO: Load analysis cache (404) | time=39ms
INFO: Pull request 48 for merge into master from PMO-102109-configurable-iteration-count
INFO: Preprocessing files...
INFO: 3 languages detected in 74 preprocessed files
INFO: 842 files ignored because of inclusion/exclusion patterns
INFO: 0 files ignored because of scm ignore settings
INFO: Loading plugins for detected languages
INFO: Load/download plugins
INFO: Load/download plugins (done) | time=1279ms
INFO: Load project repositories
INFO: Load project repositories (done) | time=28ms
INFO: SCM collecting changed files in the branch
INFO: Merge base sha1: 6b3bf744f020c38184355c69a86372c76f062420
INFO: SCM collecting changed files in the branch (done) | time=179ms
INFO: Indexing files...
INFO: Project configuration:
INFO: Excluded sources: **/*.yaml, **/*.yml, **/*.json, **/*.xml, **/*.xslt, **/*.htm, **/*.html, **/target/**, **/test/**, **/tests/**, **/sonar.sh, **/settings.xml, **/public/**/*.ts, **/public/**/*.js, **/*.xsd, **/*.sql, **/charts/**
INFO: 74 files indexed
INFO: Quality profile for docker: Sonar way
INFO: Quality profile for java: Sonar + FindBugs way
INFO: Quality profile for xml: Sonar way
INFO: ------------- Run sensors on module ---------
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=30ms
INFO: Sensor JavaSensor [java]
INFO: Configured Java source version (sonar.java.source): 8, preview features enabled (sonar.java.enablePreview): false
INFO: The Java analyzer is running in a context where unchanged files can be skipped. Full analysis is performed for changed files, optimized analysis for unchanged files.
INFO: Server-side caching is enabled. The Java analyzer was able to leverage cached data from previous analyses for 0 out of 48 files. These files will not be parsed.
INFO: Using ECJ batch to parse 48 Main java source files with batch size 183 KB.
INFO: Starting batch processing.
INFO: 100% analyzed
INFO: Batch processing: Done.
INFO: Did not optimize analysis for any files, performed a full analysis for all 48 files.
WARN: Unresolved imports/types have been detected during analysis. Enable DEBUG mode to see them.
INFO: No "Test" source files to scan.
INFO: No "Generated" source files to scan.
INFO: Sensor JavaSensor [java] (done) | time=6291ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: Importing 3 report(s). Turn your logs in debug mode in order to see the exhaustive list.
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=248ms
INFO: Sensor Java Config Sensor [iac]
INFO: 0 source files to be analyzed
INFO: 0/0 source files have been analyzed
INFO: Sensor Java Config Sensor [iac] (done) | time=26ms
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend]
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend] (done) | time=1ms
INFO: Sensor FindBugs Sensor [findbugs]
INFO: Findbugs plugin version: 4.2.9
INFO: Loading findbugs plugin: /builds/engineering/----/---------/.scannerwork/findbugs/sb-contrib.jar
INFO: Loading findbugs plugin: /builds/engineering/----/---------/.scannerwork/findbugs/findsecbugs-plugin.jar
INFO: Findbugs output report: /builds/engineering/----/---------/.scannerwork/findbugs-result.xml
The following classes needed for analysis were missing:
execute
test
accept
apply
INFO: Sensor FindBugs Sensor [findbugs] (done) | time=11431ms
INFO: Sensor SurefireSensor [java]
INFO: parsing [/builds/engineering/----/---------/---------/target/surefire-reports]
INFO: Sensor SurefireSensor [java] (done) | time=92ms
INFO: Sensor XML Sensor [xml]
INFO: Sensor XML Sensor is restricted to changed files only
INFO: Sensor XML Sensor [xml] (done) | time=2ms
INFO: Sensor IaC Docker Sensor [iac]
INFO: Sensor IaC Docker Sensor is restricted to changed files only
INFO: 0 source files to be analyzed
INFO: 0/0 source files have been analyzed
INFO: Sensor IaC Docker Sensor [iac] (done) | time=92ms
INFO: Sensor Serverless configuration file sensor [security]
INFO: 0 Serverless function entries were found in the project
INFO: 0 Serverless function handlers were kept as entrypoints
INFO: Sensor Serverless configuration file sensor [security] (done) | time=4ms
INFO: Sensor AWS SAM template file sensor [security]
INFO: Sensor AWS SAM template file sensor [security] (done) | time=0ms
INFO: Sensor AWS SAM Inline template file sensor [security]
INFO: Sensor AWS SAM Inline template file sensor [security] (done) | time=1ms
INFO: Sensor javabugs [dbd]
INFO: Reading IR files from: /builds/engineering/----/---------/.scannerwork/ir/java
INFO: Analyzing 339 functions to detect bugs.
INFO: Sensor javabugs [dbd] (done) | time=941ms
INFO: Sensor pythonbugs [dbd]
INFO: Reading IR files from: /builds/engineering/----/---------/.scannerwork/ir/python
INFO: No IR files have been included for analysis.
INFO: Sensor pythonbugs [dbd] (done) | time=1ms
INFO: Sensor TextAndSecretsSensor [text]
INFO: Sensor TextAndSecretsSensor is restricted to changed files only
INFO: Available processors: 8
INFO: Using 8 threads for analysis.
INFO: The property "sonar.tests" is not set. To improve the analysis accuracy, we categorize a file as a test file if any of the following is true:
* The filename starts with "test"
* The filename contains "test." or "tests."
* Any directory in the file path is named: "doc", "docs", "test" or "tests"
* Any directory in the file path has a name ending in "test" or "tests"
INFO: Using git CLI to retrieve untracked files
INFO: Analyzing language associated files and files included via "sonar.text.inclusions" that are tracked by git
INFO: 7 source files to be analyzed
INFO: 7/7 source files have been analyzed
INFO: Sensor TextAndSecretsSensor [text] (done) | time=768ms
INFO: Sensor JavaSecuritySensor [security]
INFO: Enabled taint analysis rules: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5147, S5334, S5883, S6096, S6173, S6287, S6350, S6384, S6390, S6398, S6399, S6547, S6549
INFO: Load type hierarchy and UCFGs: Starting
INFO: Load type hierarchy: Starting
INFO: Reading type hierarchy from: /builds/engineering/----/---------/.scannerwork/ucfg2/java
INFO: Read 238 type definitions
INFO: Load type hierarchy: Time spent was 00:00:00.066
INFO: Load UCFGs: Starting
INFO: Reading UCFGs from: /builds/engineering/----/---------/.scannerwork/ucfg2/java
INFO: Load UCFGs: Time spent was 00:00:00.194
INFO: Load type hierarchy and UCFGs: Time spent was 00:00:00.261
INFO: Analyzing 280 UCFGs to detect vulnerabilities.
INFO: Check cache: Starting
INFO: Load cache: Starting
INFO: Load cache: Time spent was 00:00:00.000
INFO: Check cache: Time spent was 00:00:00.000
INFO: Create runtime call graph: Starting
INFO: Variable Type Analysis #1: Starting
INFO: Create runtime type propagation graph: Starting
INFO: Create runtime type propagation graph: Time spent was 00:00:00.024
INFO: Run SCC (Tarjan) on 1368 nodes: Starting
INFO: Run SCC (Tarjan) on 1368 nodes: Time spent was 00:00:00.004
INFO: Tarjan found 1357 strongly connected components
INFO: Propagate runtime types to strongly connected components: Starting
INFO: Propagate runtime types to strongly connected components: Time spent was 00:00:00.007
INFO: Variable Type Analysis #1: Time spent was 00:00:00.037
INFO: Variable Type Analysis #2: Starting
INFO: Create runtime type propagation graph: Starting
INFO: Create runtime type propagation graph: Time spent was 00:00:00.010
INFO: Run SCC (Tarjan) on 1368 nodes: Starting
INFO: Run SCC (Tarjan) on 1368 nodes: Time spent was 00:00:00.001
INFO: Tarjan found 1357 strongly connected components
INFO: Propagate runtime types to strongly connected components: Starting
INFO: Propagate runtime types to strongly connected components: Time spent was 00:00:00.002
INFO: Variable Type Analysis #2: Time spent was 00:00:00.014
INFO: Create runtime call graph: Time spent was 00:00:00.057
INFO: Load config: Starting
INFO: Load config: Time spent was 00:00:01.154
INFO: Compute entry points: Starting
INFO: Compute entry points: Time spent was 00:00:01.563
INFO: All rules entry points : 1
INFO: Slice call graph: Starting
INFO: Retained UCFGs : 13
INFO: Slice call graph: Time spent was 00:00:00.001
INFO: Live variable analysis: Starting
INFO: Live variable analysis: Time spent was 00:00:00.007
INFO: Taint analysis for java: Starting
INFO: 0 / 13 UCFGs simulated, memory usage: 659 MB
INFO: 13 / 13 UCFGs simulated, memory usage: 667 MB
INFO: Taint analysis for java: Time spent was 00:00:00.165
INFO: Report issues: Starting
INFO: Report issues: Time spent was 00:00:00.004
INFO: Store cache: Starting
INFO: Store cache: Time spent was 00:00:00.000
INFO: java security sensor: Time spent was 00:00:03.221
INFO: java security sensor: Begin: 2024-11-20T07:20:31.276736548Z, End: 2024-11-20T07:20:34.498043643Z, Duration: 00:00:03.221
Load type hierarchy and UCFGs: Begin: 2024-11-20T07:20:31.278701888Z, End: 2024-11-20T07:20:31.539905347Z, Duration: 00:00:00.261
Load type hierarchy: Begin: 2024-11-20T07:20:31.278780780Z, End: 2024-11-20T07:20:31.345082880Z, Duration: 00:00:00.066
Load UCFGs: Begin: 2024-11-20T07:20:31.345377846Z, End: 2024-11-20T07:20:31.539721124Z, Duration: 00:00:00.194
Check cache: Begin: 2024-11-20T07:20:31.540064609Z, End: 2024-11-20T07:20:31.540714241Z, Duration: 00:00:00.000
Load cache: Begin: 2024-11-20T07:20:31.540111130Z, End: 2024-11-20T07:20:31.540275057Z, Duration: 00:00:00.000
Create runtime call graph: Begin: 2024-11-20T07:20:31.540868350Z, End: 2024-11-20T07:20:31.598376686Z, Duration: 00:00:00.057
Variable Type Analysis #1: Begin: 2024-11-20T07:20:31.541659836Z, End: 2024-11-20T07:20:31.579657125Z, Duration: 00:00:00.037
Create runtime type propagation graph: Begin: 2024-11-20T07:20:31.542796596Z, End: 2024-11-20T07:20:31.567301310Z, Duration: 00:00:00.024
Run SCC (Tarjan) on 1368 nodes: Begin: 2024-11-20T07:20:31.567840024Z, End: 2024-11-20T07:20:31.572221555Z, Duration: 00:00:00.004
Propagate runtime types to strongly connected components: Begin: 2024-11-20T07:20:31.572482453Z, End: 2024-11-20T07:20:31.579488657Z, Duration: 00:00:00.007
Variable Type Analysis #2: Begin: 2024-11-20T07:20:31.582575199Z, End: 2024-11-20T07:20:31.597215082Z, Duration: 00:00:00.014
Create runtime type propagation graph: Begin: 2024-11-20T07:20:31.582634682Z, End: 2024-11-20T07:20:31.592926023Z, Duration: 00:00:00.010
Run SCC (Tarjan) on 1368 nodes: Begin: 2024-11-20T07:20:31.593104836Z, End: 2024-11-20T07:20:31.594495333Z, Duration: 00:00:00.001
Propagate runtime types to strongly connected components: Begin: 2024-11-20T07:20:31.594636834Z, End: 2024-11-20T07:20:31.597112006Z, Duration: 00:00:00.002
Load config: Begin: 2024-11-20T07:20:31.598472308Z, End: 2024-11-20T07:20:32.753252960Z, Duration: 00:00:01.154
Compute entry points: Begin: 2024-11-20T07:20:32.753467169Z, End: 2024-11-20T07:20:34.316583964Z, Duration: 00:00:01.563
Slice call graph: Begin: 2024-11-20T07:20:34.316824364Z, End: 2024-11-20T07:20:34.318048788Z, Duration: 00:00:00.001
Live variable analysis: Begin: 2024-11-20T07:20:34.318179195Z, End: 2024-11-20T07:20:34.325511843Z, Duration: 00:00:00.007
Taint analysis for java: Begin: 2024-11-20T07:20:34.325770031Z, End: 2024-11-20T07:20:34.491103656Z, Duration: 00:00:00.165
Report issues: Begin: 2024-11-20T07:20:34.491246836Z, End: 2024-11-20T07:20:34.496181545Z, Duration: 00:00:00.004
Store cache: Begin: 2024-11-20T07:20:34.496370353Z, End: 2024-11-20T07:20:34.496439275Z, Duration: 00:00:00.000
INFO: java security sensor peak memory: 797 MB
INFO: Sensor JavaSecuritySensor [security] (done) | time=3226ms
INFO: Sensor CSharpSecuritySensor [security]
INFO: Enabled taint analysis rules: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5334, S5883, S6096, S6173, S6287, S6350, S6399, S6639, S6641
INFO: Load type hierarchy and UCFGs: Starting
INFO: Load type hierarchy: Starting
INFO: Reading type hierarchy from: /builds/engineering/----/---------/ucfg2/cs
INFO: Read 0 type definitions
INFO: Load type hierarchy: Time spent was 00:00:00.000
INFO: Load UCFGs: Starting
INFO: Load UCFGs: Time spent was 00:00:00.000
INFO: Load type hierarchy and UCFGs: Time spent was 00:00:00.000
INFO: No UCFGs have been included for analysis.
INFO: csharp security sensor: Time spent was 00:00:00.001
INFO: csharp security sensor: Begin: 2024-11-20T07:20:34.499481284Z, End: 2024-11-20T07:20:34.500542981Z, Duration: 00:00:00.001
Load type hierarchy and UCFGs: Begin: 2024-11-20T07:20:34.499691406Z, End: 2024-11-20T07:20:34.500245243Z, Duration: 00:00:00.000
Load type hierarchy: Begin: 2024-11-20T07:20:34.499722716Z, End: 2024-11-20T07:20:34.500059401Z, Duration: 00:00:00.000
Load UCFGs: Begin: 2024-11-20T07:20:34.500138460Z, End: 2024-11-20T07:20:34.500185078Z, Duration: 00:00:00.000
INFO: csharp security sensor peak memory: 797 MB
INFO: Sensor CSharpSecuritySensor [security] (done) | time=1ms
INFO: Sensor PhpSecuritySensor [security]
INFO: Enabled taint analysis rules: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5334, S5335, S5883, S6173, S6287, S6350
INFO: Load type hierarchy and UCFGs: Starting
INFO: Load type hierarchy: Starting
INFO: Reading type hierarchy from: /builds/engineering/----/---------/.scannerwork/ucfg2/php
INFO: Read 0 type definitions
INFO: Load type hierarchy: Time spent was 00:00:00.000
INFO: Load UCFGs: Starting
INFO: Load UCFGs: Time spent was 00:00:00.000
INFO: Load type hierarchy and UCFGs: Time spent was 00:00:00.000
INFO: No UCFGs have been included for analysis.
INFO: php security sensor: Time spent was 00:00:00.000
INFO: php security sensor: Begin: 2024-11-20T07:20:34.500967227Z, End: 2024-11-20T07:20:34.501893846Z, Duration: 00:00:00.000
Load type hierarchy and UCFGs: Begin: 2024-11-20T07:20:34.501130604Z, End: 2024-11-20T07:20:34.501590247Z, Duration: 00:00:00.000
Load type hierarchy: Begin: 2024-11-20T07:20:34.501172302Z, End: 2024-11-20T07:20:34.501340062Z, Duration: 00:00:00.000
Load UCFGs: Begin: 2024-11-20T07:20:34.501445419Z, End: 2024-11-20T07:20:34.501500948Z, Duration: 00:00:00.000
INFO: php security sensor peak memory: 797 MB
INFO: Sensor PhpSecuritySensor [security] (done) | time=2ms
INFO: Sensor PythonSecuritySensor [security]
INFO: Enabled taint analysis rules: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5147, S5334, S5496, S6287, S6350, S6639, S6680, S6776, S6839
INFO: Load type hierarchy and UCFGs: Starting
INFO: Load type hierarchy: Starting
INFO: Reading type hierarchy from: /builds/engineering/----/---------/.scannerwork/ucfg2/python
INFO: Read 0 type definitions
INFO: Load type hierarchy: Time spent was 00:00:00.000
INFO: Load UCFGs: Starting
INFO: Load UCFGs: Time spent was 00:00:00.000
INFO: Load type hierarchy and UCFGs: Time spent was 00:00:00.000
INFO: No UCFGs have been included for analysis.
INFO: python security sensor: Time spent was 00:00:00.000
INFO: python security sensor: Begin: 2024-11-20T07:20:34.502532978Z, End: 2024-11-20T07:20:34.503337140Z, Duration: 00:00:00.000
Load type hierarchy and UCFGs: Begin: 2024-11-20T07:20:34.502699273Z, End: 2024-11-20T07:20:34.503074683Z, Duration: 00:00:00.000
Load type hierarchy: Begin: 2024-11-20T07:20:34.502734163Z, End: 2024-11-20T07:20:34.502907969Z, Duration: 00:00:00.000
Load UCFGs: Begin: 2024-11-20T07:20:34.502976760Z, End: 2024-11-20T07:20:34.503016483Z, Duration: 00:00:00.000
INFO: python security sensor peak memory: 797 MB
INFO: Sensor PythonSecuritySensor [security] (done) | time=1ms
INFO: Sensor JsSecuritySensor [security]
INFO: Enabled taint analysis rules: S5696, S2076, S3649, S6105, S6096, S5146, S6350, S6287, S5131, S5147, S2083, S2631, S5144, S5883, S5334
INFO: Load type hierarchy and UCFGs: Starting
INFO: Load type hierarchy: Starting
INFO: Reading type hierarchy from: /builds/engineering/----/---------/.scannerwork/ucfg2/js
INFO: Read 0 type definitions
INFO: Load type hierarchy: Time spent was 00:00:00.000
INFO: Load UCFGs: Starting
INFO: Load UCFGs: Time spent was 00:00:00.000
INFO: Load type hierarchy and UCFGs: Time spent was 00:00:00.000
INFO: No UCFGs have been included for analysis.
INFO: js security sensor: Time spent was 00:00:00.000
INFO: js security sensor: Begin: 2024-11-20T07:20:34.503824712Z, End: 2024-11-20T07:20:34.504663938Z, Duration: 00:00:00.000
Load type hierarchy and UCFGs: Begin: 2024-11-20T07:20:34.503991097Z, End: 2024-11-20T07:20:34.504386238Z, Duration: 00:00:00.000
Load type hierarchy: Begin: 2024-11-20T07:20:34.504014383Z, End: 2024-11-20T07:20:34.504207705Z, Duration: 00:00:00.000
Load UCFGs: Begin: 2024-11-20T07:20:34.504285669Z, End: 2024-11-20T07:20:34.504326074Z, Duration: 00:00:00.000
INFO: js security sensor peak memory: 797 MB
INFO: Sensor JsSecuritySensor [security] (done) | time=2ms
INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=3ms
INFO: Sensor Java CPD Block Indexer
INFO: Sensor Java CPD Block Indexer (done) | time=97ms
INFO: SCM Publisher SCM provider for this project is: git
INFO: SCM Publisher 6 source files to be analyzed
INFO: SCM Publisher 6/6 source files have been analyzed (done) | time=90ms
INFO: CPD Executor 17 files had no CPD blocks
INFO: CPD Executor Calculating CPD for 31 files
INFO: CPD Executor CPD calculation finished (done) | time=14ms
INFO: SCM revision ID '847ea545fa72ec481fa26552398e957a228d051f'
INFO: SCM writing changed lines
INFO: Merge base sha1: 6b3bf744f020c38184355c69a86372c76f062420
INFO: SCM writing changed lines (done) | time=86ms
INFO: Analysis report generated in 158ms, dir size=524.2 kB
INFO: Analysis report compressed in 54ms, zip size=126.1 kB
INFO: Analysis report uploaded in 112ms
INFO: ------------- Check Quality Gate status
INFO: Waiting for the analysis report to be processed (max 300s)
INFO: QUALITY GATE STATUS: PASSED - View details on https://-------------/dashboard?id=---------&pullRequest=48
INFO: Analysis total time: 36.476 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 39.960s
INFO: Final Memory: 64M/240M
INFO: ------------------------------------------------------------------------
Master branch analysis log:
++ echo 'e[32;1m$ sonar-scanner -Dsonar.java.libraries=$M2_REPO/**/*.jare[0;m'
$ sonar-scanner -Dsonar.java.libraries=$M2_REPO/**/*.jar
++ sonar-scanner '-Dsonar.java.libraries=/builds/engineering/----/---------/.m2/repository/**/*.jar'
INFO: Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: /builds/engineering/----/---------/sonar-project.properties
INFO: SonarScanner 5.0.1.3006
INFO: Java 17.0.10 Alpine (64-bit)
INFO: Linux 6.1.100+ amd64
INFO: User cache: /opt/sonar-scanner/.sonar/cache
INFO: Analyzing on SonarQube server 10.6.0.92116
INFO: Default locale: "en_US", source code encoding: "UTF-8" (analysis is platform dependent)
INFO: Load global settings
INFO: Load global settings (done) | time=244ms
INFO: Server id: 3A9A6FFF-AY8wx3ngsBdV4UVeFY8S
INFO: Loading required plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=55ms
INFO: Load/download plugins
INFO: Load/download plugins (done) | time=765ms
INFO: Loaded core extensions: developer-scanner
INFO: Process project properties
INFO: Process project properties (done) | time=11ms
INFO: Project key: ---------
INFO: Base dir: /builds/engineering/----/---------
INFO: Working dir: /builds/engineering/----/---------/.scannerwork
INFO: Load project settings for component key: '---------'
INFO: Load project settings for component key: '---------' (done) | time=26ms
INFO: Load project branches
INFO: Load project branches (done) | time=25ms
INFO: Load branch configuration
INFO: Detected branch/PR in 'GitLab'
INFO: Auto-configuring branch 'master'
INFO: Load branch configuration (done) | time=3ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=68ms
INFO: Auto-configuring with CI 'Gitlab CI'
INFO: Load active rules
INFO: Load active rules (done) | time=2997ms
INFO: Load analysis cache
INFO: Load analysis cache | time=28ms
INFO: Branch name: master
INFO: Preprocessing files...
INFO: 3 languages detected in 74 preprocessed files
INFO: 842 files ignored because of inclusion/exclusion patterns
INFO: 0 files ignored because of scm ignore settings
INFO: Loading plugins for detected languages
INFO: Load/download plugins
INFO: Load/download plugins (done) | time=1365ms
INFO: Load project repositories
INFO: Load project repositories (done) | time=37ms
INFO: Indexing files...
INFO: Project configuration:
INFO: Excluded sources: **/*.yaml, **/*.yml, **/*.json, **/*.xml, **/*.xslt, **/*.htm, **/*.html, **/target/**, **/test/**, **/tests/**, **/sonar.sh, **/settings.xml, **/public/**/*.ts, **/public/**/*.js, **/*.xsd, **/*.sql, **/charts/**
INFO: 74 files indexed
INFO: Quality profile for docker: Sonar way
INFO: Quality profile for java: Sonar + FindBugs way
INFO: Quality profile for xml: Sonar way
INFO: ------------- Run sensors on module ---------
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=27ms
INFO: Sensor JavaSensor [java]
INFO: Configured Java source version (sonar.java.source): 8, preview features enabled (sonar.java.enablePreview): false
INFO: Server-side caching is enabled. The Java analyzer will not try to leverage data from a previous analysis.
INFO: Using ECJ batch to parse 48 Main java source files with batch size 183 KB.
INFO: Starting batch processing.
INFO: The Java analyzer cannot skip unchanged files in this context. A full analysis is performed for all files.
INFO: 100% analyzed
INFO: Batch processing: Done.
INFO: Did not optimize analysis for any files, performed a full analysis for all 48 files.
WARN: Unresolved imports/types have been detected during analysis. Enable DEBUG mode to see them.
INFO: No "Test" source files to scan.
INFO: No "Generated" source files to scan.
INFO: Sensor JavaSensor [java] (done) | time=6151ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: Importing 3 report(s). Turn your logs in debug mode in order to see the exhaustive list.
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=227ms
INFO: Sensor Java Config Sensor [iac]
INFO: 0 source files to be analyzed
INFO: 0/0 source files have been analyzed
INFO: Sensor Java Config Sensor [iac] (done) | time=27ms
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend]
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend] (done) | time=1ms
INFO: Sensor FindBugs Sensor [findbugs]
INFO: Findbugs plugin version: 4.2.9
INFO: Loading findbugs plugin: /builds/engineering/----/---------/.scannerwork/findbugs/sb-contrib.jar
INFO: Loading findbugs plugin: /builds/engineering/----/---------/.scannerwork/findbugs/findsecbugs-plugin.jar
INFO: Findbugs output report: /builds/engineering/----/---------/.scannerwork/findbugs-result.xml
The following classes needed for analysis were missing:
execute
test
accept
apply
INFO: Sensor FindBugs Sensor [findbugs] (done) | time=11985ms
INFO: Sensor SurefireSensor [java]
INFO: parsing [/builds/engineering/----/---------/---------/target/surefire-reports]
INFO: Sensor SurefireSensor [java] (done) | time=70ms
INFO: Sensor XML Sensor [xml]
INFO: 1 source file to be analyzed
INFO: 1/1 source file has been analyzed
INFO: Sensor XML Sensor [xml] (done) | time=66ms
INFO: Sensor IaC Docker Sensor [iac]
INFO: 1 source file to be analyzed
INFO: 1/1 source file has been analyzed
INFO: Sensor IaC Docker Sensor [iac] (done) | time=138ms
INFO: Sensor Serverless configuration file sensor [security]
INFO: 0 Serverless function entries were found in the project
INFO: 0 Serverless function handlers were kept as entrypoints
INFO: Sensor Serverless configuration file sensor [security] (done) | time=3ms
INFO: Sensor AWS SAM template file sensor [security]
INFO: Sensor AWS SAM template file sensor [security] (done) | time=1ms
INFO: Sensor AWS SAM Inline template file sensor [security]
INFO: Sensor AWS SAM Inline template file sensor [security] (done) | time=0ms
INFO: Sensor javabugs [dbd]
INFO: Reading IR files from: /builds/engineering/----/---------/.scannerwork/ir/java
INFO: Analyzing 339 functions to detect bugs.
INFO: Sensor javabugs [dbd] (done) | time=884ms
INFO: Sensor pythonbugs [dbd]
INFO: Reading IR files from: /builds/engineering/----/---------/.scannerwork/ir/python
INFO: No IR files have been included for analysis.
INFO: Sensor pythonbugs [dbd] (done) | time=0ms
INFO: Sensor TextAndSecretsSensor [text]
INFO: Available processors: 8
INFO: Using 8 threads for analysis.
INFO: The property "sonar.tests" is not set. To improve the analysis accuracy, we categorize a file as a test file if any of the following is true:
* The filename starts with "test"
* The filename contains "test." or "tests."
* Any directory in the file path is named: "doc", "docs", "test" or "tests"
* Any directory in the file path has a name ending in "test" or "tests"
INFO: Using git CLI to retrieve untracked files
INFO: Analyzing language associated files and files included via "sonar.text.inclusions" that are tracked by git
INFO: 66 source files to be analyzed
INFO: 66/66 source files have been analyzed
INFO: Sensor TextAndSecretsSensor [text] (done) | time=862ms
INFO: Sensor JavaSecuritySensor [security]
INFO: Enabled taint analysis rules: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5147, S5334, S5883, S6096, S6173, S6287, S6350, S6384, S6390, S6398, S6399, S6547, S6549
INFO: Load type hierarchy and UCFGs: Starting
INFO: Load type hierarchy: Starting
INFO: Reading type hierarchy from: /builds/engineering/----/---------/.scannerwork/ucfg2/java
INFO: Read 238 type definitions
INFO: Load type hierarchy: Time spent was 00:00:00.073
INFO: Load UCFGs: Starting
INFO: Reading UCFGs from: /builds/engineering/----/---------/.scannerwork/ucfg2/java
INFO: Load UCFGs: Time spent was 00:00:00.251
INFO: Load type hierarchy and UCFGs: Time spent was 00:00:00.326
INFO: Analyzing 280 UCFGs to detect vulnerabilities.
INFO: Check cache: Starting
INFO: Load cache: Starting
INFO: Load cache: Time spent was 00:00:00.000
INFO: Check cache: Time spent was 00:00:00.000
INFO: Create runtime call graph: Starting
INFO: Variable Type Analysis #1: Starting
INFO: Create runtime type propagation graph: Starting
INFO: Create runtime type propagation graph: Time spent was 00:00:00.028
INFO: Run SCC (Tarjan) on 1368 nodes: Starting
INFO: Run SCC (Tarjan) on 1368 nodes: Time spent was 00:00:00.004
INFO: Tarjan found 1357 strongly connected components
INFO: Propagate runtime types to strongly connected components: Starting
INFO: Propagate runtime types to strongly connected components: Time spent was 00:00:00.008
INFO: Variable Type Analysis #1: Time spent was 00:00:00.045
INFO: Variable Type Analysis #2: Starting
INFO: Create runtime type propagation graph: Starting
INFO: Create runtime type propagation graph: Time spent was 00:00:00.015
INFO: Run SCC (Tarjan) on 1368 nodes: Starting
INFO: Run SCC (Tarjan) on 1368 nodes: Time spent was 00:00:00.001
INFO: Tarjan found 1357 strongly connected components
INFO: Propagate runtime types to strongly connected components: Starting
INFO: Propagate runtime types to strongly connected components: Time spent was 00:00:00.004
INFO: Variable Type Analysis #2: Time spent was 00:00:00.022
INFO: Create runtime call graph: Time spent was 00:00:00.074
INFO: Load config: Starting
INFO: Load config: Time spent was 00:00:00.984
INFO: Compute entry points: Starting
INFO: Compute entry points: Time spent was 00:00:01.166
INFO: All rules entry points : 1
INFO: Slice call graph: Starting
INFO: Retained UCFGs : 13
INFO: Slice call graph: Time spent was 00:00:00.001
INFO: Live variable analysis: Starting
INFO: Live variable analysis: Time spent was 00:00:00.008
INFO: Taint analysis for java: Starting
INFO: 0 / 13 UCFGs simulated, memory usage: 404 MB
INFO: 13 / 13 UCFGs simulated, memory usage: 412 MB
INFO: Taint analysis for java: Time spent was 00:00:00.189
INFO: Report issues: Starting
INFO: Report issues: Time spent was 00:00:00.006
INFO: Store cache: Starting
INFO: Store cache: Time spent was 00:00:00.004
INFO: java security sensor: Time spent was 00:00:02.767
INFO: java security sensor: Begin: 2024-11-20T16:56:37.244716989Z, End: 2024-11-20T16:56:40.012082282Z, Duration: 00:00:02.767
Load type hierarchy and UCFGs: Begin: 2024-11-20T16:56:37.247095209Z, End: 2024-11-20T16:56:37.573537764Z, Duration: 00:00:00.326
Load type hierarchy: Begin: 2024-11-20T16:56:37.247211251Z, End: 2024-11-20T16:56:37.321105054Z, Duration: 00:00:00.073
Load UCFGs: Begin: 2024-11-20T16:56:37.321395420Z, End: 2024-11-20T16:56:37.573320859Z, Duration: 00:00:00.251
Check cache: Begin: 2024-11-20T16:56:37.573777724Z, End: 2024-11-20T16:56:37.574494597Z, Duration: 00:00:00.000
Load cache: Begin: 2024-11-20T16:56:37.573856505Z, End: 2024-11-20T16:56:37.573928857Z, Duration: 00:00:00.000
Create runtime call graph: Begin: 2024-11-20T16:56:37.574677572Z, End: 2024-11-20T16:56:37.648873431Z, Duration: 00:00:00.074
Variable Type Analysis #1: Begin: 2024-11-20T16:56:37.575626033Z, End: 2024-11-20T16:56:37.620743884Z, Duration: 00:00:00.045
Create runtime type propagation graph: Begin: 2024-11-20T16:56:37.577238485Z, End: 2024-11-20T16:56:37.605473719Z, Duration: 00:00:00.028
Run SCC (Tarjan) on 1368 nodes: Begin: 2024-11-20T16:56:37.606319762Z, End: 2024-11-20T16:56:37.611313122Z, Duration: 00:00:00.004
Propagate runtime types to strongly connected components: Begin: 2024-11-20T16:56:37.611594810Z, End: 2024-11-20T16:56:37.620504579Z, Duration: 00:00:00.008
Variable Type Analysis #2: Begin: 2024-11-20T16:56:37.624725796Z, End: 2024-11-20T16:56:37.647275838Z, Duration: 00:00:00.022
Create runtime type propagation graph: Begin: 2024-11-20T16:56:37.624852959Z, End: 2024-11-20T16:56:37.640677766Z, Duration: 00:00:00.015
Run SCC (Tarjan) on 1368 nodes: Begin: 2024-11-20T16:56:37.640922579Z, End: 2024-11-20T16:56:37.642623817Z, Duration: 00:00:00.001
Propagate runtime types to strongly connected components: Begin: 2024-11-20T16:56:37.642890505Z, End: 2024-11-20T16:56:37.647116343Z, Duration: 00:00:00.004
Load config: Begin: 2024-11-20T16:56:37.649024747Z, End: 2024-11-20T16:56:38.633291051Z, Duration: 00:00:00.984
Compute entry points: Begin: 2024-11-20T16:56:38.633507859Z, End: 2024-11-20T16:56:39.799626799Z, Duration: 00:00:01.166
Slice call graph: Begin: 2024-11-20T16:56:39.799884256Z, End: 2024-11-20T16:56:39.801369893Z, Duration: 00:00:00.001
Live variable analysis: Begin: 2024-11-20T16:56:39.801485455Z, End: 2024-11-20T16:56:39.809826920Z, Duration: 00:00:00.008
Taint analysis for java: Begin: 2024-11-20T16:56:39.810125795Z, End: 2024-11-20T16:56:39.999394337Z, Duration: 00:00:00.189
Report issues: Begin: 2024-11-20T16:56:39.999564221Z, End: 2024-11-20T16:56:40.005578909Z, Duration: 00:00:00.006
Store cache: Begin: 2024-11-20T16:56:40.005749163Z, End: 2024-11-20T16:56:40.010248934Z, Duration: 00:00:00.004
INFO: java security sensor peak memory: 784 MB
INFO: Sensor JavaSecuritySensor [security] (done) | time=2772ms
INFO: Sensor CSharpSecuritySensor [security]
INFO: Enabled taint analysis rules: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5334, S5883, S6096, S6173, S6287, S6350, S6399, S6639, S6641
INFO: Load type hierarchy and UCFGs: Starting
INFO: Load type hierarchy: Starting
INFO: Reading type hierarchy from: /builds/engineering/----/---------/ucfg2/cs
INFO: Read 0 type definitions
INFO: Load type hierarchy: Time spent was 00:00:00.000
INFO: Load UCFGs: Starting
INFO: Load UCFGs: Time spent was 00:00:00.000
INFO: Load type hierarchy and UCFGs: Time spent was 00:00:00.000
INFO: No UCFGs have been included for analysis.
INFO: csharp security sensor: Time spent was 00:00:00.000
INFO: csharp security sensor: Begin: 2024-11-20T16:56:40.013523391Z, End: 2024-11-20T16:56:40.014440984Z, Duration: 00:00:00.000
Load type hierarchy and UCFGs: Begin: 2024-11-20T16:56:40.013747398Z, End: 2024-11-20T16:56:40.014187958Z, Duration: 00:00:00.000
Load type hierarchy: Begin: 2024-11-20T16:56:40.013766114Z, End: 2024-11-20T16:56:40.014028667Z, Duration: 00:00:00.000
Load UCFGs: Begin: 2024-11-20T16:56:40.014098276Z, End: 2024-11-20T16:56:40.014145614Z, Duration: 00:00:00.000
INFO: csharp security sensor peak memory: 784 MB
INFO: Sensor CSharpSecuritySensor [security] (done) | time=1ms
INFO: Sensor PhpSecuritySensor [security]
INFO: Enabled taint analysis rules: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5334, S5335, S5883, S6173, S6287, S6350
INFO: Load type hierarchy and UCFGs: Starting
INFO: Load type hierarchy: Starting
INFO: Reading type hierarchy from: /builds/engineering/----/---------/.scannerwork/ucfg2/php
INFO: Read 0 type definitions
INFO: Load type hierarchy: Time spent was 00:00:00.000
INFO: Load UCFGs: Starting
INFO: Load UCFGs: Time spent was 00:00:00.000
INFO: Load type hierarchy and UCFGs: Time spent was 00:00:00.000
INFO: No UCFGs have been included for analysis.
INFO: php security sensor: Time spent was 00:00:00.000
INFO: php security sensor: Begin: 2024-11-20T16:56:40.014924148Z, End: 2024-11-20T16:56:40.015729372Z, Duration: 00:00:00.000
Load type hierarchy and UCFGs: Begin: 2024-11-20T16:56:40.015108737Z, End: 2024-11-20T16:56:40.015476552Z, Duration: 00:00:00.000
Load type hierarchy: Begin: 2024-11-20T16:56:40.015135680Z, End: 2024-11-20T16:56:40.015312707Z, Duration: 00:00:00.000
Load UCFGs: Begin: 2024-11-20T16:56:40.015389118Z, End: 2024-11-20T16:56:40.015426808Z, Duration: 00:00:00.000
INFO: php security sensor peak memory: 784 MB
INFO: Sensor PhpSecuritySensor [security] (done) | time=2ms
INFO: Sensor PythonSecuritySensor [security]
INFO: Enabled taint analysis rules: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5147, S5334, S5496, S6287, S6350, S6639, S6680, S6776, S6839
INFO: Load type hierarchy and UCFGs: Starting
INFO: Load type hierarchy: Starting
INFO: Reading type hierarchy from: /builds/engineering/----/---------/.scannerwork/ucfg2/python
INFO: Read 0 type definitions
INFO: Load type hierarchy: Time spent was 00:00:00.000
INFO: Load UCFGs: Starting
INFO: Load UCFGs: Time spent was 00:00:00.000
INFO: Load type hierarchy and UCFGs: Time spent was 00:00:00.000
INFO: No UCFGs have been included for analysis.
INFO: python security sensor: Time spent was 00:00:00.000
INFO: python security sensor: Begin: 2024-11-20T16:56:40.016121256Z, End: 2024-11-20T16:56:40.016730439Z, Duration: 00:00:00.000
Load type hierarchy and UCFGs: Begin: 2024-11-20T16:56:40.016251211Z, End: 2024-11-20T16:56:40.016510459Z, Duration: 00:00:00.000
Load type hierarchy: Begin: 2024-11-20T16:56:40.016271453Z, End: 2024-11-20T16:56:40.016394287Z, Duration: 00:00:00.000
Load UCFGs: Begin: 2024-11-20T16:56:40.016446882Z, End: 2024-11-20T16:56:40.016471981Z, Duration: 00:00:00.000
INFO: python security sensor peak memory: 784 MB
INFO: Sensor PythonSecuritySensor [security] (done) | time=1ms
INFO: Sensor JsSecuritySensor [security]
INFO: Enabled taint analysis rules: S6105, S6287, S5146, S5147, S5883, S5696, S3649, S5144, S2631, S5334, S6350, S2076, S5131, S6096, S2083
INFO: Load type hierarchy and UCFGs: Starting
INFO: Load type hierarchy: Starting
INFO: Reading type hierarchy from: /builds/engineering/----/---------/.scannerwork/ucfg2/js
INFO: Read 0 type definitions
INFO: Load type hierarchy: Time spent was 00:00:00.000
INFO: Load UCFGs: Starting
INFO: Load UCFGs: Time spent was 00:00:00.000
INFO: Load type hierarchy and UCFGs: Time spent was 00:00:00.000
INFO: No UCFGs have been included for analysis.
INFO: js security sensor: Time spent was 00:00:00.000
INFO: js security sensor: Begin: 2024-11-20T16:56:40.017102754Z, End: 2024-11-20T16:56:40.017727556Z, Duration: 00:00:00.000
Load type hierarchy and UCFGs: Begin: 2024-11-20T16:56:40.017286851Z, End: 2024-11-20T16:56:40.017500479Z, Duration: 00:00:00.000
Load type hierarchy: Begin: 2024-11-20T16:56:40.017302501Z, End: 2024-11-20T16:56:40.017406941Z, Duration: 00:00:00.000
Load UCFGs: Begin: 2024-11-20T16:56:40.017452110Z, End: 2024-11-20T16:56:40.017472508Z, Duration: 00:00:00.000
INFO: js security sensor peak memory: 784 MB
INFO: Sensor JsSecuritySensor [security] (done) | time=1ms
INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=2ms
INFO: Sensor Java CPD Block Indexer
INFO: Sensor Java CPD Block Indexer (done) | time=67ms
INFO: CPD Executor 17 files had no CPD blocks
INFO: CPD Executor Calculating CPD for 31 files
INFO: CPD Executor CPD calculation finished (done) | time=14ms
INFO: SCM revision ID '3d603d2030191c99dfc14f970e9055ab18c06e67'
INFO: Load New Code definition
INFO: Load New Code definition (done) | time=117ms
INFO: Analysis report generated in 208ms, dir size=739.2 kB
INFO: Analysis report compressed in 108ms, zip size=283.4 kB
INFO: Analysis report uploaded in 71ms
INFO: ------------- Check Quality Gate status
INFO: Waiting for the analysis report to be processed (max 300s)
INFO: ------------------------------------------------------------------------
INFO: EXECUTION FAILURE
INFO: ------------------------------------------------------------------------
INFO: Total time: 39.888s
INFO: Final Memory: 65M/248M
INFO: ------------------------------------------------------------------------
ERROR: Error during SonarScanner execution
ERROR: QUALITY GATE STATUS: FAILED - View details on https://sonar-dev.---------.com/dashboard?id=---------&branch=master
ERROR:
ERROR: Re-run SonarScanner using the -X switch to enable full debug logging.
Notable differences
- Only in the feature branch log:
INFO: SCM collecting changed files in the branch
INFO: Merge base sha1: 6b3bf744f020c38184355c69a86372c76f062420
INFO: SCM collecting changed files in the branch (done) | time=179ms
- Same message in both logs but different content:
Feature branch log:
INFO: The Java analyzer is running in a context where unchanged files can be skipped. Full analysis is performed for changed files, optimized analysis for unchanged files.
Master branch log:
INFO: The Java analyzer cannot skip unchanged files in this context. A full analysis is performed for all files.
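The comparison above can be reproduced mechanically. The following is an added example, not part of the original post and not SonarQube tooling: it masks the fields that change on every run (timestamps, durations, sizes, commit hashes) and reports the messages that appear in only one of two scanner logs. The two sample logs are constructed from lines quoted on this page; the `98ms` and `00:00:00.201` values are made up, and the function names are hypothetical.

```python
import re

# Fields that differ between any two runs and would drown out real differences.
_VOLATILE = [
    (re.compile(r"\d{4}-\d{2}-\d{2}T[\d:.]+Z"), "<ts>"),        # ISO timestamps
    (re.compile(r"\b\d{2}:\d{2}:\d{2}\.\d{3}\b"), "<dur>"),     # hh:mm:ss.mmm
    (re.compile(r"time=\d+ms"), "time=<n>ms"),                  # step timings
    (re.compile(r"\b[0-9a-f]{40}\b"), "<sha1>"),                # git revisions
    (re.compile(r"\b\d+(\.\d+)? ?(ms|s|MB|kB)\b"), "<n>"),      # sizes, totals
]

def normalize(line):
    """Return the log line with run-specific values replaced by placeholders."""
    line = line.strip()
    for pattern, placeholder in _VOLATILE:
        line = pattern.sub(placeholder, line)
    return line

def message_set(log_text):
    """Set of normalized, non-empty messages in one scanner log."""
    return {normalize(l) for l in log_text.splitlines() if l.strip()}

def diff_logs(feature_log, master_log):
    """Return (only_in_feature, only_in_master) as sorted lists of messages."""
    feature, master = message_set(feature_log), message_set(master_log)
    return sorted(feature - master), sorted(master - feature)

# Constructed sample input, assembled from log lines quoted on this page.
FEATURE_LOG = """\
INFO: Load New Code definition (done) | time=98ms
INFO: SCM collecting changed files in the branch
INFO: Merge base sha1: 6b3bf744f020c38184355c69a86372c76f062420
INFO: SCM collecting changed files in the branch (done) | time=179ms
INFO: The Java analyzer is running in a context where unchanged files can be skipped. Full analysis is performed for changed files, optimized analysis for unchanged files.
INFO: Taint analysis for java: Time spent was 00:00:00.201
"""
MASTER_LOG = """\
INFO: Load New Code definition (done) | time=117ms
INFO: The Java analyzer cannot skip unchanged files in this context. A full analysis is performed for all files.
INFO: Taint analysis for java: Time spent was 00:00:00.189
"""

if __name__ == "__main__":
    only_feature, only_master = diff_logs(FEATURE_LOG, MASTER_LOG)
    for label, lines in (("feature only", only_feature), ("master only", only_master)):
        for line in lines:
            print(f"[{label}] {line}")
```

Run against the full pull request and master logs, the same functions list every message that is present in one analysis and absent from the other, which is where a difference in analysis scope between the two scans would show up.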