Running in docker of GitLab CI results in java.io.IOException: Operation not permitted (from computeCanonicalPath)

#bug:fault

The error is observed in a docker container while running as a CI job in GitLab:
Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
Project root configuration file: /builds//sonar-project.properties
SonarScanner 4.6.0.2311
Analyzing on SonarQube server Developer 8.6.0.39681
Java 11.0.12 Oracle Corporation (64-bit)
Linux 4.9.0-14-amd64 amd64

Plugins:

  • CFamily Code Quality and Security 6.15.0.25047 (cpp)
ERROR: Exception in thread pool-3-thread-1
java.lang.IllegalStateException: java.io.IOException: Operation not permitted
	at com.sonar.cpp.plugin.CFamilySensor.computeCanonicalPath(CFamilySensor.java:915)
	at java.base/java.util.HashMap.computeIfAbsent(HashMap.java:1133)
	at com.sonar.cpp.plugin.CFamilySensor.save(CFamilySensor.java:660)
	at com.sonar.cpp.plugin.CFamilySensor.lambda$process$8(CFamilySensor.java:646)
	at com.sonar.cpp.analyzer.AnalysisExecutor.lambda$submit$0(AnalysisExecutor.java:59)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.io.IOException: Operation not permitted
	at java.base/java.io.UnixFileSystem.canonicalize0(Native Method)
	at java.base/java.io.UnixFileSystem.canonicalize(UnixFileSystem.java:178)
	at java.base/java.io.File.getCanonicalPath(File.java:626)
	at com.sonar.cpp.plugin.CFamilySensor.computeCanonicalPath(CFamilySensor.java:913)
	... 9 common frames omitted

The error occurs when analyzing CPP code from a QT application on linux (inside docker container). Analysis works perfectly when run on a regular linux with the same packages installed.

UPDATE: I updated SonarQube to the latest LTS version (8.9.2) but the issue still persists.

UPDATE (2): Also changing to the docker container of sonarsource (sonarsource/sonar-scanner-cli:latest) gives the same exception:

12:04:05.097 ERROR: Error during SonarScanner execution
java.lang.IllegalStateException: java.io.IOException: Operation not permitted
	at com.sonar.cpp.plugin.CFamilySensor.computeCanonicalPath(CFamilySensor.java:1047)
...
	at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)
	at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)
	at org.sonarsource.scanner.cli.Main.execute(Main.java:112)
	at org.sonarsource.scanner.cli.Main.execute(Main.java:75)
	at org.sonarsource.scanner.cli.Main.main(Main.java:61)
Caused by: java.io.IOException: Operation not permitted
	at java.base/java.io.UnixFileSystem.canonicalize0(Native Method)
	at java.base/java.io.UnixFileSystem.canonicalize(Unknown Source)
	at java.base/java.io.File.getCanonicalPath(Unknown Source)
	at com.sonar.cpp.plugin.CFamilySensor.computeCanonicalPath(CFamilySensor.java:1045)
	... 33 more

Hi @farmann ,

a couple of notes to help you understand what could be wrong:

  • build and analysis should be run within the same environment, which means not in different containers, ideally right after build command
  • given the error java.io.IOException: Operation not permitted there could be different possibilities: process doesn’t have access to the file, the file is in a network drive

Thank you for your reply @mpaladin .

Unfortunately it is not a build/analysis issue (and I was able to have successful build/analysis when running the docker containers locally in interactive mode). This also excludes the second suggestion (permission error) as it worked in interactive mode.

BUT in the process of researching other options/causes I discovered that there are general issues with alpine linux and UnixFileSystem.canonicalize0 JNI call.
Sources:
https://discourse.metabase.com/t/problem-while-building-custom-image/14985
https://forums.docker.com/t/builds-with-alpine-linux-3-14-fail-on-docker-hub/112469/4

In the latest Dockerfile of the sonar-scanner-cli-docker image the following base-image is used: adoptopenjdk/openjdk11:alpine-jre

The solution for me was to build the image from scratch, swapping the base image for a Debian-based one: adoptopenjdk/openjdk11:debian-jre
(I had to adapt the dependency install - “apk” commands replaced with “apt”, different package names.)

Now everything works as it is supposed to. I hope this will also help others 🙂
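
Added example, not part of any post in this thread: a pre-flight guard for the CI job that stops before the scanner starts when the job image is Alpine-based, the case that failed above while the Debian-based image worked. The function names are hypothetical, and it assumes the image ships an os-release file (default /etc/os-release).

```shell
#!/bin/sh
# Added example: detect an Alpine-based job image before running the scanner.
# Assumption: the image provides an os-release file (default /etc/os-release).

# Print the value of KEY from an os-release style file, without quotes.
os_release_value() {
    key=$1
    file=${2:-/etc/os-release}
    [ -r "$file" ] || return 1
    # The last assignment wins; surrounding single or double quotes are dropped.
    sed -n "s/^${key}=//p" "$file" | tail -n 1 |
        sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Return 0 for an Alpine-based image, 1 for anything else,
# 2 when the os-release file cannot be read.
is_alpine_image() {
    file=${1:-/etc/os-release}
    id=$(os_release_value ID "$file") || return 2
    like=$(os_release_value ID_LIKE "$file")
    case " $id $like " in
        *" alpine "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Guard for the CI job: 0 = go ahead, 1 = Alpine-based, 2 = unknown base.
check_scanner_base_image() {
    file=${1:-/etc/os-release}
    rc=0
    is_alpine_image "$file" || rc=$?
    case $rc in
        0) version=$(os_release_value VERSION_ID "$file")
           echo "Alpine ${version} image: run the analysis on a Debian-based image" >&2
           return 1 ;;
        1) return 0 ;;
        *) echo "cannot read ${file}: base image unknown" >&2
           return 2 ;;
    esac
}

# Usage in the job script, before calling sonar-scanner:
#   check_scanner_base_image || exit 1
```
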

Hi @farmann ,

thank you for coming back.

For C and C++ analysis we don’t recommend using the sonar-scanner-cli-docker; we recommend using the standalone sonar-scanner-cli.

From https://github.com/SonarSource/sonar-scanner-cli-docker:

NB: These Docker images are not compatible with C/C#/C++/Objective-C projects.

For C and C++ it is easier to download sonar-scanner-cli in your already existing build environment.

Hi @mpaladin,
Thanks for that clarification. As I am using it in a GitLab pipeline, this was the simplest way.
I had tried to install the sonar-scanner-cli in the build container, but of course now in hindsight that container was also based on alpine linux.
Is there a particular reason why C/C++ projects are not supported (recommended) by the docker image?

Hi @farmann ,

Yes, during the analysis of C and C++ projects we have the strict requirement of running in the same build environment in order to access the same system headers and third-party headers used during build. When running sonar-scanner-cli-docker those header files are not available on the machine, leading to a poor quality analysis.
