java.lang.StackOverflowError on com.sonar.security.analysis.G.A(na:2290)

Sometimes (more often than a success) one of our builds on an Azure DevOps hosted agent, in combination with SonarCloud, gives the error message:
Full log of Run Code Analysis step attached. Any idea what we need to change to make it work?

2019-11-19T12:39:24.9015319Z ##[error]ERROR: Error during SonarQube Scanner execution
2019-11-19T12:39:24.9015776Z ERROR: Error during SonarQube Scanner execution
2019-11-19T12:39:24.9020624Z ##[error]java.lang.StackOverflowError
2019-11-19T12:39:24.9020886Z java.lang.StackOverflowError
2019-11-19T12:39:24.9051201Z ##[error]at java.util.Arrays.hashCode(Arrays.java:4146)
	at java.util.Objects.hash(Objects.java:128)
	at com.sonar.security.analysis.B.<init>(na:1935)
	at com.sonar.security.analysis.G.A(na:2908)
	at com.sonar.security.analysis.G.A(na:2290)
	at java.util.ArrayList.forEach(ArrayList.java:1257)
	at com.sonar.security.analysis.G.A(na:2290)
	at com.sonar.security.analysis.G.A(na:2290)

AFC-20191119.2-SonarCloudFailure.txt (132.1 KB)

Hi Richard,

I think that some part of the logs is missing, or is it failing fast at the very beginning of the analysis?

Thanks.

Mickaël

Hi,

Indeed I only added the part starting from the failure. See attached here the complete Run Code Analysis log. PS: This is an older application with 1.1M lines of code. We had already excluded some SQL files as they sometimes took > 2 hrs to complete (especially one SQL file of 142K in size).

AFC-20191119.2-SonarCloudFailure-full run code analysis.txt (833.8 KB)

Thank you, @zaat.

The analysis fails when running rule S2083: "I/O function calls should not be vulnerable to path injection attacks". Until we manage to figure out the root cause, you can disable S2083 from your Quality Profile.

To be able to analyze this issue, we will need access to the UCFG files. These are in the .sonarqube\out\ucfg_cs2 folder. If you want, you can zip that folder and send it in a private conversation on the forum. We will be able to run the analysis locally using those files and eventually find the root problem of this stack overflow.

Please note that the UCFG files are an abstraction of the source code (the Control Flow Graph), so they contain sensitive information: names of namespaces, classes and methods (hence they should be sent via a private message on the forum). Hence the suggestion to send it in a private message rather than on this public topic.

Hi @Andrei_Epure,

Thanks for your response. We removed S2083 from our analysis, and it seems to run fine (although it does not always fail). So we will keep on checking for failure there.
Do you have any advice on how to get the .sonarcloud\ucfgs files from a hosted build on Azure DevOps, as the machine gets destroyed after the build?
I did do a run on my machine, where S2083 was still enabled, with the ucfgs. But I wonder if that run would be helpful, as it does not contain the failure.

Hi @zaat

The UCFGs get created during the build step and are the same locally or on the build machine (they might differ only if different versions of msbuild are used or if the targeted SonarQube instance is different and has a different version).

The stack overflow error happens during the end step, when the UCFGs get consumed by the taint analysis engine, which follows how unsanitized user input can end up in sensitive places like database calls, system calls etc.

And to answer this point, you can publish a certain folder as an artifact on AzDO (PublishBuildArtifacts@1 - Publish build artifacts v1 task | Microsoft Learn) enabling you to download them afterwards, in the build summary (there is an artifact section).

Mickaël

Hi,

I’ve been trying several folders, but none seem to have the .sonarcloud with the ucfg_cs2 folder (?) I tried agent.workfolder, agent.tempdirectory, pipeline.workspace, agent.toolsdirectory et cetera. Do you know which variable I need to use to get the ucfg files? --> $(folder?/variable name?)

That should be $(Agent.BuildDirectory)\.sonarqube\out\ucfg_cs2
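An added example pipeline fragment (not from the thread or from SonarSource) that puts the two suggestions above together: it publishes `$(Agent.BuildDirectory)\.sonarqube\out\ucfg_cs2` with PublishBuildArtifacts@1 right after the build step, so the UCFGs are captured before the end step (where the StackOverflowError occurs) and survive the hosted agent being discarded. The SonarCloudPrepare@1 / SonarCloudAnalyze@1 task names, the VSBuild@1 step and the service connection, organization and project key values are assumptions about the pipeline, not values from the thread.

```yaml
# Added example, not from the thread. Azure Pipelines YAML (hosted agent).
# Assumed: SonarCloud extension tasks, a VSBuild@1 build step, and the
# placeholder values marked below. The artifact path is the one given in the thread.
steps:
  - task: SonarCloudPrepare@1           # begin step: creates .sonarqube\ under $(Agent.BuildDirectory)
    inputs:
      SonarCloud: 'SonarCloud'          # placeholder: name of the SonarCloud service connection
      organization: 'my-org'            # placeholder
      scannerMode: 'MSBuild'
      projectKey: 'my-project-key'      # placeholder

  - task: VSBuild@1                     # build step: the UCFGs are generated here
    inputs:
      solution: '**/*.sln'

  # Publish the UCFG folder BEFORE the end step, and even if the build reported
  # failure, so the files are available in the build summary regardless of what
  # happens to the "Run Code Analysis" step (crash, timeout, agent discarded).
  # The UCFGs describe namespace, class and method names, so treat the artifact as
  # sensitive: limit who can read the pipeline and delete the artifact once shared.
  - task: PublishBuildArtifacts@1
    displayName: 'Publish UCFG files for SonarSource support'
    condition: succeededOrFailed()
    inputs:
      PathtoPublish: '$(Agent.BuildDirectory)\.sonarqube\out\ucfg_cs2'
      ArtifactName: 'ucfg_cs2'
      publishLocation: 'Container'      # store on Azure Pipelines, downloadable from the Artifacts tab

  - task: SonarCloudAnalyze@1           # end step: taint analysis (incl. S2083) consumes the UCFGs
```

The artifact then appears under the build's Artifacts section, as described earlier in the thread, and can be downloaded as a zip.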

Got it. Apologies for taking a few days. The hosted build was very slow in downloading the 81K files from the folder, but I have the download. It is a 49Mb zip. Do you have a private channel I can use to send you the link to the file?

Hi @mickaelcaro, do you have an update on the S2083 rule?

Hi @zaat,

I’m not sure that we received the zip file with the ucfgs. I’ll send you a PM right now so you can send it to me, and I’ll then transfer it to our dedicated language team.

Thanks.