NPE in sonar-scanner after upgrading to SonarQube 10.5 Dev edition


I just upgraded from version 10.4 to version 10.5 and I’m encountering an error during the scan of my projects, I suppose because of my custom plugin and the new feature to only download required plugins for the scan:

[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin: (default-cli) on project company-project-parent:
Error creating bean with name 'org.sonarsource.scanner.api.internal.IsolatedClassloader@5d7911d5-org.sonar.scanner.bootstrap.ScannerPluginRepository':
Initialization of bean failed; nested exception is java.lang.NullPointerException:
Cannot invoke "org.sonar.core.platform.ExplodedPlugin.getPluginInfo()" because the return value of "java.util.Map.get(Object)" is null
[Root exception :]
Caused by: java.lang.NullPointerException: Cannot invoke "org.sonar.core.platform.ExplodedPlugin.getPluginInfo()" because the return value of "java.util.Map.get(Object)" is null
      at org.sonar.core.platform.PluginClassLoader.basePluginKey (
      at org.sonar.core.platform.PluginClassLoader.defineClassloaders (
      at org.sonar.core.platform.PluginClassLoader.load (

A strange log I saw when I ran the scan in debug, considering my project is composed of a Java server + client, is this:

[DEBUG] 12:12:21.865 Plugins not loaded because they are optional: [abap, csharp, cpp, checkstyle, dbd, dbdjavafrontend, dbdpythonfrontend, findbugs, flex, go, web, java, javascript, kotlin, php, plsql, ruby, sonarscala, swift, tsql, vbnet, security, securitycsharpfrontend, securityjsfrontend, securityjavafrontend, securityphpfrontend, securitypythonfrontend] 

Here is my plugin packaging configuration:

          <pluginName>Company Custom Java Rules</pluginName>
          <pluginDescription>Company custom sonar rules</pluginDescription>

and here is the corresponding generated manifest:

Manifest-Version: 1.0
Archiver-Version: Plexus Archiver
Created-By: Apache Maven 3.9.6
Built-By: [me]
Build-Jdk: 17.0.1
Plugin-ChildFirstClassLoader: false
SonarLint-Supported: true
Plugin-Key: companyjava
Plugin-BuildDate: 2024-04-18T11:04:44+0000
Plugin-Version: 1.8.0
Plugin-Organization: Company
Plugin-Name: Company Custom Java Rules
Plugin-RequiredForLanguages: java
Plugin-Description: Company custom sonar rules
Plugin-Display-Version: 1.8.0
Plugin-Base: java
Plugin-RequirePlugins: java:

I disabled my plugin (renamed it on the server to plugin.jar.bak) and the scanner works fine.

There are no deprecation warnings or compile errors in my plugin code, so I don’t know what I’m missing.

There is one strange thing I just saw while making this post. In Maven and in my code, my plugin key is company-java, but in the manifest it is companyjava. Maybe the problem comes from here, but I saw nowhere that the plugin key could not have hyphens.
Considering the code fails where a pluginKey is given to a Map to retrieve the parent plugin, it could be related.

I also tested building with pluginApiMinVersion= and Plugin-RequirePlugins: java: to no avail.

Hey there.

Let’s find out if it’s really a problem with the new feature to only download required plugins.

Does the issue go away if you disable the feature? (Search for the sonar.plugins.downloadOnlyRequired property in the global Administration.)

The analysis works fine when disabling the feature to only download required plugins and I’m seeing my plugin executed in the logs.

OK, so the problem is the one I suspected at the end of my opening post.
With the new feature enabled, I changed my pluginKey to companyjava instead of company-java, to align it with the manifest, and the analysis works fine.
And I’m seeing my plugin executed successfully.

The sonar-packaging-maven-plugin should probably fail while building instead of allowing characters in the pluginKey which will be removed and cause problems.


Thanks for the feedback. I’ll pass it on.
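
The build-time check suggested in the thread can be approximated outside the packaging plugin. This is an added example, not part of the original posts and not SonarSource code: it parses a generated MANIFEST.MF and reports when the configured plugin key differs from the packaged Plugin-Key. The function names are hypothetical, the manifest is constructed from the one posted above, and the "letters and digits only" rule is an assumption generalized from the hyphen removal seen here.

```python
import re

# Constructed manifest modelled on the one in the thread. The description is
# wrapped with a JAR continuation line (a line starting with a single space).
SAMPLE_MANIFEST = """\
Manifest-Version: 1.0
Plugin-Key: companyjava
Plugin-Name: Company Custom Java Rules
Plugin-Description: Company custom sonar rules, wrapped here to show a
  continuation line
Plugin-Base: java
Plugin-RequiredForLanguages: java
"""

def parse_manifest(text):
    """Parse the main manifest section, joining continuation lines."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line:
            break  # a blank line ends the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]  # drop the single continuation space
            continue
        name, sep, value = line.partition(": ")
        if not sep:
            raise ValueError(f"malformed manifest line: {line!r}")
        attrs[name] = value
        last = name
    return attrs

def stripped_key(key):
    # Assumption: packaging keeps only ASCII letters and digits. The thread
    # itself only shows the hyphen dropped (company-java -> companyjava).
    return re.sub(r"[^A-Za-z0-9]", "", key)

def check_plugin_key(configured_key, manifest_text):
    """Return a list of problems; an empty list means the key is consistent."""
    problems = []
    packaged = parse_manifest(manifest_text).get("Plugin-Key")
    if packaged is None:
        problems.append("manifest has no Plugin-Key")
    elif packaged != configured_key:
        problems.append(f"configured key {configured_key!r} was packaged as {packaged!r}")
    removed = sorted(set(configured_key) - set(stripped_key(configured_key)))
    if removed:
        problems.append(f"key contains characters that get removed: {removed}")
    return problems

if __name__ == "__main__":
    for key in ("company-java", "companyjava"):
        print(key, check_plugin_key(key, SAMPLE_MANIFEST) or "OK")
```
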