Maven SonarScanner: suspicious references to another Jenkins workspace

  • ALM used: GitHub
  • CI system used: Jenkins
  • Scanner command used when applicable (private details masked):

mvn -Duser.home=/home/<hidden for privacy>/slave/workspace/CI-PR-1517/.home org.sonarsource.scanner.maven:sonar-maven-plugin:sonar --batch-mode -pl --also-make --no-snapshot-updates -Psonar -Dsonar -Dsonar.projectName=<hidden for privacy> -Dsonar.projectKey=<hidden for privacy> -Dsonar.organization=<hidden for privacy> -Dsonar.host.url=https://sonarcloud.io -Dsonar.token=<hidden for privacy> -Dsonar.pullrequest.branch=other/OP-1879-SonarCloud-suspicious-warnings -Dsonar.pullrequest.key=1517 -Dsonar.pullrequest.base=develop -Dmaven.repo.local=/home/<hidden for privacy>/slave/workspace/CI-PR-1517/.home/.m2/repository -f /home/<hidden for privacy>/slave/workspace/CI-PR-1517/Parent/pom.xml

  • Languages of the repository: Java/JS/TS
  • Warnings observed
    Multiple warnings like this are shown during analysis of any pull request targeting the ‘develop’ (main) branch

[WARNING] 14:18:25.833 Failed to find InputFile for /home/jenkins/workspace/workspace/CI-develop/<…hidden due to privacy…>, check exclusions.

It looks very suspicious: Sonar attempts to access a directory outside of the current Jenkins workspace (which is /home/<hidden for privacy>/slave/workspace/CI-PR-1517).
More details:
We have Sonar analysis running on pull requests and on pushes to the develop branch.
There are different Jenkins nodes involved in PR and push analysis, so technically the directory /home/jenkins/workspace/workspace/CI-develop/ cannot be accessed directly from the node where /home/<hidden for privacy>/slave/workspace/CI-PR-1517 is located.

If you check the mvn sonar scanner command above, it can be seen that this command in no way involves the /home/jenkins/workspace/workspace/CI-develop references.

  • Additional info
  1. If I enable the mvn -X --debug keys, then even more suspicious references to another workspace appear in the log, e.g.

Line 183183: [DEBUG] 14:17:05.177 Issue E at /home/jenkins/workspace/workspace/CI-develop/<hidden for privacy>(347:3 - 347:112) suppressed by unknown constraint

  2. If the pull request is targeting another branch (not develop), the warnings are not shown

So the questions are:

  1. Is it correct that the sonar scanner attempts to access a directory outside of the current Jenkins workspace?
  2. Could it be related to some caching-related features, e.g. Sensor Cache for the project (it’s enabled for us)?
  3. Could it be a problem in Jenkins itself?
  4. Should we ensure that the develop branch is always analyzed on the same Jenkins node as pull requests for SonarCloud purposes? (It’s a somewhat hard requirement, but achievable if needed.)

Thanks @sylvain.kuchen, I’ll get the DEBUG logs from them before coming back to you.

Hey there.

Sounds a bit weird. I’ve reached out to you for the DEBUG logs you mentioned in order to take a closer look.

1 Like

Shared in private.

Hello @lrozenblyum,

Thank you for your report! I have spent some time looking at your issue. Here’s my understanding of your situation.

The problem seems indeed related to our caching system. In the log message you shared, the path was cached in a previous analysis. This path is inconsistent because the current analysis is not done at the same absolute path.

Fortunately, these cached paths are only used for reporting and the cache still works correctly. It is still an issue we should fix, so I have opened a ticket in our internal issue tracker.

So, to answer your questions:

  1. No, no files outside of the directory of the current Jenkins workspace are accessed.
  2. Yes, indeed!
  3. Most likely not.
  4. No, the analysis should work regardless of the absolute path to the root of your project.

Let me know if you have other questions!

2 Likes
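As an added triage helper (not part of this thread and not SonarSource tooling), the script below sorts the paths from such log lines by whether they fall under the current Jenkins workspace, so that stale cached paths from a previous analysis can be told apart from files that are genuinely missing inside the workspace (which would point at sonar.exclusions or the module layout instead). The sample log lines and workspace roots are constructed from the message formats quoted above, not the poster's real paths.

```python
import re
from pathlib import PurePosixPath

# Constructed sample lines modelled on the WARNING and DEBUG messages quoted
# in this thread; the workspace names are placeholders.
SAMPLE_LOG = """\
[WARNING] 14:18:25.833 Failed to find InputFile for /home/jenkins/workspace/workspace/CI-develop/app/src/main/java/Foo.java, check exclusions.
[DEBUG] 14:17:05.177 Issue E at /home/jenkins/workspace/workspace/CI-develop/app/src/main/java/Bar.java(347:3 - 347:112) suppressed by unknown constraint
[WARNING] 14:18:26.001 Failed to find InputFile for /home/build/slave/workspace/CI-PR-1517/app/src/main/java/Missing.java, check exclusions.
[INFO] 14:18:27.000 Sensor JavaSensor [java] (done) | time=1234ms
"""

# Path extraction for the two message shapes seen in the thread.
WARN_RE = re.compile(r"Failed to find InputFile for (?P<path>\S+?), check exclusions\.")
DEBUG_RE = re.compile(r"Issue \S+ at (?P<path>/.+?)\(\d+:\d+ - \d+:\d+\)")


def classify_paths(log_text: str, workspace_root: str) -> dict:
    """Group referenced paths by whether they sit under workspace_root.

    A path outside the root matches the symptom explained in the thread: an
    absolute path recorded by an earlier analysis that ran elsewhere. A path
    inside the root that the scanner still cannot find is a real gap worth
    checking against the exclusion settings.
    """
    root = PurePosixPath(workspace_root)
    result = {"stale_cache": [], "inside_workspace": []}
    for line in log_text.splitlines():
        match = WARN_RE.search(line) or DEBUG_RE.search(line)
        if not match:
            continue
        path = PurePosixPath(match.group("path"))
        try:
            path.relative_to(root)  # raises ValueError when not under root
            result["inside_workspace"].append(str(path))
        except ValueError:
            result["stale_cache"].append(str(path))
    return result


if __name__ == "__main__":
    for kind, paths in classify_paths(SAMPLE_LOG, "/home/build/slave/workspace/CI-PR-1517").items():
        print(f"{kind}: {len(paths)} path(s)")
        for p in paths:
            print("  ", p)
```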

Thank you very much for the comprehensive explanation! @sylvain.kuchen