Plugin resource not found: csharp, version 9.32.0.97167. Resource: SonarAnalyzer-9.32.0.97167.zip

just_here_to_learn · October 28, 2024, 5:10pm

I’m new to SonarQube and the community, and trying to re-implement something that was implemented, then shut down after the previous AppSec Engineer left (it then sat dormant for a little over a year). Originally, it was deployed with Docker. I shut down the docker instance and deployed with .zip (although the docker images were not removed and can easily be spun back up with the previous configs if necessary).

My pipeline tasks:
Use Nuget
NuGet restore
Prepare Analysis on SQ
Build SLN
VsTest Assemblies
Run Code Analysis (SQ)
Publish Quality Gate (SQ)
… (cont’d)

Current version of .zip is 10.7.
Unsure of scanner version, but it’s Azure DevOps.
Trying to use .NET scanner/build
Have tried task v5, v6 and v7

Problem: I keep receiving the following error:
Plugin resource not found: csharp, version 9.32.0.97167. Resource: SonarAnalyzer-9.32.0.97167.zip.

***As I understand it, if I build out the SonarQube server and add the project, the Azure DevOps runner is supposed to execute all of the scanning stuff for me. This is a crucial part I could be missing.

What have I done: Spent several hours searching the docs, re-reading the installation manual, re-reading the DevOps Integration parts, looking at the scanner information (which leads me to believe the scanner part does not apply to my situation because I am using ADO, so ADO will take care of that for me) and searched the community posts here. Several google searches which don’t turn up anything for this error message except a log file of someone else with a similar problem.

More of the error log (truncated)

##[error]Unhandled Exception:
##[error]System.IO.FileNotFoundException: Plugin resource not found: csharp, version 9.32.0.97167. Resource: SonarAnalyzer-9.32.0.97167.zip.
   at SonarScanner.MSBuild.PreProcessor.Roslyn.EmbeddedAnalyzerInstaller.FetchResourceFromServer(Plugin plugin, String targetDir)
   at SonarScanner.MSBuild.PreProcessor.Roslyn.EmbeddedAnalyzerInstaller.GetPluginResourceFiles(Plugin plugin)
   at SonarScanner.MSBuild.PreProcessor.Roslyn.EmbeddedAnalyzerInstaller.InstallAssemblies(IEnumerable`1 plugins)
   at SonarScanner.MSBuild.PreProcessor.Roslyn.RoslynAnalyzerProvider.FetchAnalyzerPlugins(String language, IEnumerable`1 activeRules)
   at SonarScanner.MSBuild.PreProcessor.Roslyn.RoslynAnalyzerProvider.SetupAnalyzer(BuildSettings teamBuildSettings, IAnalysisPropertyProvider sonarProperties, IEnumerable`1 rules, String language)
   at SonarScanner.MSBuild.PreProcessor.PreProcessor.<FetchArgumentsAndRuleSets>d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
(truncated)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at SonarScanner.MSBuild.Program.<Main>(String[] args)
##[warning]Can't find loc string for key: LIB_ProcessExitCode
##[error][ERROR] SonarQube: Error while executing task Prepare: LIB_ProcessExitCode C:\hostedtoolcache\windows\SonarScanner .NET\9.0.0\x64\SonarScanner.MSBuild.exe 3762504530
##[error]LIB_ProcessExitCode C:\hostedtoolcache\windows\SonarScanner .NET\9.0.0\x64\SonarScanner.MSBuild.exe 3762504530
Finishing: Prepare analysis on SonarQube

ganncamp · October 29, 2024, 2:18pm

Hi,

Could we have the full log, please? With so little context, it’s hard to know where to start.

Ann

just_here_to_learn · October 29, 2024, 2:45pm

Sure. Happy to provide whatever else I can, too. I don’t really know SQ all that well, so I might need some help figuring out what else you need, but here’s the full log (attached).

What else can I provide to offer better context?

SQlog.txt (3.1 KB)

ganncamp · October 29, 2024, 2:49pm

Hi,

Did this log fragment come from the CI? Can we have a full, verbose log?

Share the Scanner for .NET verbose logs

Add /d:"sonar.verbose=true" to the…
- SonarScanner.MSBuild.exe or dotnet sonarscanner begin command to get more detailed logs
  - For example: SonarScanner.MSBuild.exe begin /k:"MyProject" /d:"sonar.verbose=true"
- “SonarQubePrepare” or “SonarCloudPrepare” task’s extraProperties argument if you are using Azure DevOps
  - For example:
```
- task: SonarCloudPrepare@1
    inputs:
      SonarCloud: 'sonarcloud'
      organization: 'foo'
      scannerMode: 'MSBuild'
      projectKey: 'foo_sonar-scanning-someconsoleapp'
      projectName: 'sonar-scanning-someconsoleapp'
      extraProperties: |
        sonar.verbose=true
```
The important logs are in the END step (i.e. SonarQubeAnalyze / SonarCloudAnalyze / “Run Code Analysis”)

Share the msbuild detailed logs

MsBuild.exe /t:Rebuild /v:d

or

dotnet build -v:d

Thx,
Ann

just_here_to_learn · October 29, 2024, 3:10pm

Please pardon my ignorance here, but when you say to run:

MsBuild.exe /t:Rebuild /v:d

or

dotnet build -v:d

Where/how do I run this? Is this part of the YAML file on one of the tasks? Or is it a task I need to build to run it separately? I have checked through many forums and seen similar instructions, but have never understood where to actually type the command in or if it was a parameter for a step I should enter as a task.

Sorry, I really am on a learning curve here

ganncamp · October 29, 2024, 3:14pm

Hi,

It’s this part:

Note that analysis requires a full (re)build. You can’t just update the parts that have changed because analysis coat-tails the build, so the parts that don’t get built don’t get analyzed.

HTH,
Ann

just_here_to_learn · October 29, 2024, 3:17pm

Thank you for being so helpful! That makes a lot of sense, actually. I am very new to this and appreciate you taking the time to be actually helpful and not just saying RTFM (I have done this for hours and hours, I’m just new to AppSec and don’t have the contextual background).

I will do this and drop the log here. Thanks again!

ganncamp · October 29, 2024, 3:25pm

Hi,

We were all new once.

I may point you to the docs, but I won’t (just) say RTFM.

Ann

just_here_to_learn · October 29, 2024, 3:43pm

Is this a more helpful log?

I see something in here about the cache miss, which is where the csharp plugin might go? I don’t really understand what’s under the hood all the way just yet.

SQlog.txt (19.5 KB)

ganncamp · October 29, 2024, 3:54pm

Hi,

Yes, this log is more helpful.

Well… it’s not helpful to me, but I assume it’ll be more helpful to the experts I’m going to flag this for.

Ann

Lucas_Paulger · October 31, 2024, 3:39pm

Hello Mark,
It looks like the problem is that even after downloading the SonarAnalyzer, it doesn’t actually exist on the CI and we see the error.

The resource that does to not exist is being pulled from https://<redacted>/static/csharp/SonarAnalyzer-9.32.0.97167.zip.

Could you try and download it in the command line to see if it really exists? This will help us understand if there is a problem with the file or where it’s hosted.

Thanks,

just_here_to_learn · November 4, 2024, 3:09pm

I’m getting a 404 error. How can I make sure this is downloaded where it needs to be?
Thanks!

Lucas_Paulger · November 5, 2024, 9:03am

That is interesting,

If you have access to the SonarQube installation, could you check {SQ_HOME}/lib/extensions/? You should see the requested file in this directory. (sonar-csharp-plugin-9.32.0.97167.jar)

Assuming it is there, I’m more inclined to think it is a network issue. I would ask you to try and call that endpoint /static/csharp/SonarAnalyzer-9.32.0.97167.zip from the host machine directly (If this works, this would tell you that there is something interfering between the host machine and the scanner environment)

just_here_to_learn · November 5, 2024, 3:23pm

Yes, the .jar is there. But for some reason, the /static/ directory is still a 404. Where is the /static being served from?

just_here_to_learn · November 5, 2024, 10:11pm

Is the /static/ directory something that should have been created during install? I do not see it in the .zip and not sure what governs/creates that directory. I do see a reference to it pointing at /usr/share/html/static in the nginx.conf but I cannot find in the docs what creates and manages that /static dir?

Lucas_Paulger · November 14, 2024, 2:30pm

is the /static/ directory something that should have been created during install?

No, it’s just a route for serving static assets.

Could it be an issues with the downloaded file itself?
2024-10-29T15:21:20.7368089Z 15:21:20.724 Downloading SonarAnalyzer-9.32.0.97167.zip to C:\Users\VssAdministrator\AppData\Local\Temp\.sonarqube\resources\0

Can you check that the file exists here? It might be that the download doesn’t have permission to write to this directory.

You can also use sonar.userHome to configure the root directory for the scanner as well
(Analysis parameters & SonarQube)

just_here_to_learn · November 19, 2024, 5:26pm

So, maybe a dumb question, but let me back up a bit. I’ve spent more time reading, digging around servers, etc and have a little better understanding here.

Where does the csharp plugin come from? Is this something I am supposed to download to either my agent or the sonar scanner server? I see csharp plugin downloads available on the Sonar GitHub, but they are all .jar files (which I already have in /lib/extensions). In recent logs (which are virtually identical, save the date/time):

024-11-19T17:02:25.3794095Z 11:02:25.369  Updating build integration targets...
2024-11-19T17:02:25.8415207Z 11:02:25.837  Using SonarQube v10.7.0.96327.
2024-11-19T17:02:25.9712738Z 11:02:25.962  The JRE provisioning is a time consuming operation.
2024-11-19T17:02:25.9713216Z JRE provisioned: OpenJDK17U-jre_x64_windows_hotspot_17.0.11_9.zip.
2024-11-19T17:02:25.9713591Z If you already have a compatible java version installed, please add either the parameter "/d:sonar.scanner.skipJreProvisioning=true" or "/d:sonar.scanner.javaExePath=<PATH>".
2024-11-19T17:02:30.0505384Z 11:02:30.041  Fetching analysis configuration settings...
2024-11-19T17:02:30.6058096Z 11:02:30.603  Provisioning analyzer assemblies for cs...
2024-11-19T17:02:30.6069303Z 11:02:30.603  Installing required Roslyn analyzers...
2024-11-19T17:02:30.6077199Z 11:02:30.603  Processing plugin: csharp version 9.32.0.97167
2024-11-19T17:02:30.6666848Z 
2024-11-19T17:02:30.6667921Z ##[error]Unhandled Exception:
2024-11-19T17:02:30.6676098Z ##[error]System.IO.FileNotFoundException: Plugin resource not found: csharp, version 9.32.0.97167. Resource: SonarAnalyzer-9.32.0.97167.zip.
   at SonarScanner.MSBuild.PreProcessor.Roslyn.EmbeddedAnalyzerInstaller.FetchResourceFromServer(Plugin plugin, String targetDir)
   at SonarScanner.MSBuild.PreProcessor.Roslyn.EmbeddedAnalyzerInstaller.GetPluginResourceFiles(Plugin plugin)
   at SonarScanner.MSBuild.PreProcessor.Roslyn.EmbeddedAnalyzerInstaller.InstallAssemblies(IEnumerable`1 plugins)
   at SonarScanner.MSBuild.PreProcessor.Roslyn.RoslynAnalyzerProvider.FetchAnalyzerPlugins(String language, IEnumerable`1 activeRules)
   at SonarScanner.MSBuild.PreProcessor.Roslyn.RoslynAnalyzerProvider.SetupAnalyzer(BuildSettings teamBuildSettings, IAnalysisPropertyProvider sonarProperties, IEnumerable`1 rules, String language)
   at SonarScanner.MSBuild.PreProcessor.PreProcessor.<FetchArgumentsAndRuleSets>d__9.MoveNext()

It looks like Java is calling the .zip or something, which makes me wonder if the csharp is the same as the .jar here on GitHub, but is a .zip instead of a .jar for some “under the hood” reason? Or, is this in fact, something I need to install with NuGet like that found here? (I am working on the NuGet route now to see if that solves it, but I don’t think that’s it).