NPE in FindBugs 3.11

danhersh · July 2, 2020, 5:31pm

UPDATE: FB 4.0.0 seems to work fine. Even FB 3.11.1 may not be generating NPE, just a message about missing classes.

We upgraded to SQ 7.9.3 and so far it looks good, we have successful scans from Jenkins pipelines. One issue we notice is an NPE (trace below) in Findbugs v3.11.1 plugin (Analyze Java, Scala, Closure and JSP code with SpotBugs. 3.1.12). This seems to match https://github.com/find-sec-bugs/find-sec-bugs/issues/477 and a few similar issues. We do indeed use Spring (jhipster 6.6.0 stack).

Now I know this is Sonarqube forum and each plugin team can respond better on which version the fix is or will be in, but I’m just curious in general:

Did anyone encountered and solved it
How likely is it that if I upgrade the jar it will still be compatible (SQ seems to think its up to date)
What are my other options if any, workarounds, etc - short of disabling the plugin.

Here is the stacktrace:

Exception analyzing com.companyname.clp.web.rest.SystemDashboardResource using detector com.h3xstream.findsecbugs.spring.SpringEntityLeakDetector
java.lang.NullPointerException
At com.h3xstream.findsecbugs.spring.SpringEntityLeakDetector.analyzeMethod(SpringEntityLeakDetector.java:107)
At com.h3xstream.findsecbugs.spring.SpringEntityLeakDetector.visitClassContext(SpringEntityLeakDetector.java:68)
At edu.umd.cs.findbugs.DetectorToDetector2Adapter.visitClass(DetectorToDetector2Adapter.java:76)
At edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1080)
At edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:281)
At org.sonar.plugins.findbugs.FindbugsExecutor$FindbugsTask.call(FindbugsExecutor.java:235)
At java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
At java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
At java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
At java.base/java.lang.Thread.run(Thread.java:834)
The following classes needed for analysis were missing:
makeConcatWithConstants
apply
test
get
accept

Thank you!

danhersh · July 2, 2020, 10:33pm

I noticed that FindBugs 4x seems compatible with Sonarqube 7.9.3. Will try it out as well. Interesting that the “Marketplace” section of our SQ 7.9.3 installation only sees the installed Findbugs 3.11.1, even though I selected “All” tab. I was hoping it will allow me to quickly install the 4x version and confirm the compatibility.

danhersh · July 3, 2020, 4:53pm

Tried FB 4.0.0, seems to be working fine for us.

system · July 10, 2020, 4:53pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Sonarqube-findbugs-sonarjava compatibility SonarQube Server / Community Build	6	2208	April 14, 2020
[NEW RELEASE] sonar-findbugs 3.9.2 Plugin Development security , spotbugs , findsecbugs	9	1783	February 23, 2019
[RFF] sonar-findbugs 3.9.0 Plugin Development spotbugs , findsecbugs	12	2112	November 26, 2018
[NEW RELEASE] sonar-findbugs 4.0.3 Plugin Development findbugs , findsecbugs	4	1326	March 3, 2021
[NEW RELEASE] sonar-findbugs 3.9.3 Plugin Development findbugs , security , findsecbugs	5	1839	April 28, 2019

NPE in FindBugs 3.11

Related topics