S2631, s2083, s3649, s2091 "EXECUTION FAILURE"

sonarcloud
msbuild
sonarsecurity

(Duncan) #1

Had to disable these rules on our project to get analysis to finish.

Versions:

  • SonarScanner for MSBuild 4.5
  • SonarQube Scanner 3.2.0.1227
  • Java 1.8.0_201
  • SonarQube server 7.6.0

Steps to reproduce

  • It’s reproducible on our project, which is private but we might be able to get what you guys need to debug it.
  • I re-enabled s2631 and have the .sonarqube/out/ucfg_cs2 but I’d prefer not to share it publicly.
  • I can do that for the remaining issues as well if that would help.
  • Error is basically the same as this one: S2631 crashes analyzer

Workaround

  • disable the rules.

Error

  • Started with initialization then jumps to failure

    [10:03:19] [Step 6/8] Starting: C:\BuildAgent\temp\agentTmp\custom_script109244475471025413.cmd
    [10:03:19] [Step 6/8] in directory: C:\BuildAgent\work\d09f7763a6e9e4f8
    [10:03:19] [Step 6/8] SonarScanner for MSBuild 4.5
    [10:03:19] [Step 6/8] Using the .NET Framework version of the Scanner for MSBuild
    [10:03:19] [Step 6/8] Default properties file was found at C:\sonar-scanner-msbuild\SonarQube.Analysis.xml
    [10:03:19] [Step 6/8] Loading analysis properties from C:\sonar-scanner-msbuild\SonarQube.Analysis.xml
    [10:03:19] [Step 6/8] Post-processing started.
    [10:03:20] [Step 6/8] SONAR_SCANNER_OPTS is not configured. Setting it to the default value of -Xmx1024m
    [10:03:20] [Step 6/8] Calling the SonarQube Scanner...
    [10:03:20] [Step 6/8] INFO: Scanner configuration file: C:\sonar-scanner-msbuild\sonar-scanner-3.2.0.1227\bin\..\conf\sonar-scanner.properties
    [10:03:20] [Step 6/8] INFO: Project root configuration file: C:\BuildAgent\work\d09f7763a6e9e4f8\.sonarqube\out\sonar-project.properties
    [10:03:20] [Step 6/8] INFO: SonarQube Scanner 3.2.0.1227
    [10:03:20] [Step 6/8] INFO: Java 1.8.0_201 Oracle Corporation (64-bit)
    [10:03:20] [Step 6/8] INFO: Windows 10 10.0 amd64
    [10:03:20] [Step 6/8] INFO: SONAR_SCANNER_OPTS=-Xmx1024m
    [10:03:21] [Step 6/8] INFO: User cache: C:\WINDOWS\system32\config\systemprofile\.sonar\cache
    [10:03:21] [Step 6/8] INFO: SonarQube server 7.6.0
    [10:04:07] [Step 6/8] INFO: Importing 57 Roslyn reports
    [10:04:08] [Step 6/8] INFO: Sensor C# [csharp] (done) | time=4517ms
    [10:04:08] [Step 6/8] INFO: Sensor Zero Coverage Sensor
    [10:04:09] [Step 6/8] INFO: Sensor Zero Coverage Sensor (done) | time=492ms
    [10:04:09] [Step 6/8] INFO: Sensor JavaSecuritySensor [security]
    [10:04:09] [Step 6/8] INFO: Reading UCFGs from: C:\BuildAgent\work\d09f7763a6e9e4f8\.sonarqube\out\.sonar\ucfg2\java
    [10:04:09] [Step 6/8] INFO: UCFGs: 0, excluded: 0, source entrypoints: 0
    [10:04:09] [Step 6/8] INFO: No UCFGs have been included for analysis.
    [10:04:09] [Step 6/8] INFO: Sensor JavaSecuritySensor [security] (done) | time=4ms
    [10:04:09] [Step 6/8] INFO: Sensor CSharpSecuritySensor [security]
    [10:04:09] [Step 6/8] INFO: Reading UCFGs from: C:\BuildAgent\work\d09f7763a6e9e4f8\.sonarqube\out\ucfg_cs2
    [10:04:12] [Step 6/8] INFO: UCFGs: 9813, excluded: 9508, source entrypoints: 305
    [10:04:12] [Step 6/8] INFO: Analyzing 9813 ucfgs to detect vulnerabilities.
    [10:04:12] [Step 6/8] INFO: rule: S2076, entrypoints: 0
    [10:04:12] [Step 6/8] INFO: rule: S2076 done
    [10:04:12] [Step 6/8] INFO: rule: S2078, entrypoints: 0
    [10:04:12] [Step 6/8] INFO: rule: S2078 done
    [10:04:12] [Step 6/8] INFO: rule: S2631, entrypoints: 227
    [10:04:15] [Step 6/8] INFO: ------------------------------------------------------------------------
    [10:04:15] [Step 6/8] INFO: EXECUTION FAILURE
    [10:04:15] [Step 6/8] INFO: ------------------------------------------------------------------------
    [10:04:15] [Step 6/8] INFO: Total time: 54.897s
    [10:04:15] [Step 6/8] ERROR: Error during SonarQube Scanner execution
    [10:04:15] [Step 6/8] INFO: Final Memory: 33M/644M
    [10:04:15] [Step 6/8] INFO: ------------------------------------------------------------------------
    [10:04:15] [Step 6/8] ERROR: null
    [10:04:15] [Step 6/8] ERROR:
    [10:04:15] [Step 6/8] The SonarQube Scanner did not complete successfully
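The log above is the only evidence of which security rule the CSharpSecuritySensor was running when the scanner died: the last "rule: Sxxxx, entrypoints: N" line with no matching "rule: Sxxxx done" before EXECUTION FAILURE. When this happens across many CI builds, reading the log by hand does not scale. The following Python script is an added example (it is not from this thread and not SonarSource code): it parses TeamCity-wrapped scanner output, records which rules finished, and names the rule that was open when the failure marker appeared, together with its entrypoint count and how many seconds it had been running. The sample log is constructed from the lines in the post; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Line shapes taken from the post, e.g.
#   [10:04:12] [Step 6/8] INFO: rule: S2631, entrypoints: 227
#   [10:04:12] [Step 6/8] INFO: rule: S2076 done
#   [10:04:15] [Step 6/8] INFO: EXECUTION FAILURE
# The "[Step N/M]" prefix is TeamCity's; it is optional so plain scanner logs parse too.
LINE_RE = re.compile(r"^\[(?P<ts>\d{2}:\d{2}:\d{2})\]\s*(?:\[Step [^\]]*\]\s*)?(?P<msg>.*)$")
RULE_START_RE = re.compile(r"rule:\s*(?P<rule>S\d+),\s*entrypoints:\s*(?P<n>\d+)")
RULE_DONE_RE = re.compile(r"rule:\s*(?P<rule>S\d+)\s+done\b")
FAILURE_MARKER = "EXECUTION FAILURE"


@dataclass
class Triage:
    completed: List[Tuple[str, int]] = field(default_factory=list)  # (rule, entrypoints)
    failed: bool = False
    crashed_rule: Optional[str] = None
    crashed_entrypoints: Optional[int] = None
    seconds_before_failure: Optional[int] = None


def _to_seconds(ts: str) -> int:
    """Convert HH:MM:SS to seconds since midnight (enough for intra-build deltas)."""
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s


def triage_scanner_log(text: str) -> Triage:
    """Walk the log once and report which rule was in progress at EXECUTION FAILURE."""
    result = Triage()
    open_rule: Optional[Tuple[str, int, int]] = None  # (rule, entrypoints, start seconds)
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # not a timestamped scanner line (blank, build-step chatter, etc.)
        ts, msg = match.group("ts"), match.group("msg")

        start = RULE_START_RE.search(msg)
        if start:
            open_rule = (start["rule"], int(start["n"]), _to_seconds(ts))
            continue

        done = RULE_DONE_RE.search(msg)
        if done:
            if open_rule and open_rule[0] == done["rule"]:
                result.completed.append((open_rule[0], open_rule[1]))
            open_rule = None
            continue

        if FAILURE_MARKER in msg:
            result.failed = True
            if open_rule:
                # The rule that started but never logged "done" is the one that crashed.
                rule, entrypoints, started = open_rule
                result.crashed_rule = rule
                result.crashed_entrypoints = entrypoints
                result.seconds_before_failure = _to_seconds(ts) - started
            break
    return result


# Constructed sample, trimmed to the security-sensor section of the post's log.
SAMPLE_LOG = """\
[10:04:12] [Step 6/8] INFO: Analyzing 9813 ucfgs to detect vulnerabilities.
[10:04:12] [Step 6/8] INFO: rule: S2076, entrypoints: 0
[10:04:12] [Step 6/8] INFO: rule: S2076 done
[10:04:12] [Step 6/8] INFO: rule: S2078, entrypoints: 0
[10:04:12] [Step 6/8] INFO: rule: S2078 done
[10:04:12] [Step 6/8] INFO: rule: S2631, entrypoints: 227
[10:04:15] [Step 6/8] INFO: ------------------------------------------------------------------------
[10:04:15] [Step 6/8] INFO: EXECUTION FAILURE
[10:04:15] [Step 6/8] ERROR: Error during SonarQube Scanner execution
[10:04:15] [Step 6/8] ERROR: null
"""

if __name__ == "__main__":
    t = triage_scanner_log(SAMPLE_LOG)
    print("completed rules:", t.completed)
    if t.failed and t.crashed_rule:
        print(f"crashed in {t.crashed_rule} ({t.crashed_entrypoints} entrypoints, "
              f"{t.seconds_before_failure}s in)")
    elif t.failed:
        print("failed outside any rule")
    else:
        print("scanner completed")
```

Run against the post's own log this reports S2631 with 227 entrypoints, three seconds after it started, which is exactly the rule the reporter had to disable; rules with zero entrypoints finish instantly, so the entrypoint count is a useful hint when deciding which rule to temporarily exclude while waiting for a fix.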

(Nicolas Peru) #3

Hi,

We are very interested by the ucfgs, if you can send them to me in private message that would be perfect for us to try to reproduce (and fix) the problem.


(Andrei Epure) #4

Hi @duncanc

I just want to double check: you are integrating with SonarCloud, and not with an on-premise SonarQube instance, right?


(Andrei Epure) #5

@duncanc - we verified now and the latest version of the analyzer has been deployed on Monday 28th to :sonarcloud: (so after you encountered the problem - on January 23rd).

Could you please try to re-enable S2631 and re-run your analysis? The fix should already be in production.

Thanks,
Andrei


(Duncan) #6

RE: Analysis - we use TeamCity as our CI server and it uses build steps to run the analysis. It appears the packages for analysis are pulled from sonarcloud.io but the analysis itself (based on CPU usage) is run on the CI server (or its build agents).
I wasn’t aware I could have the analysis run on SonarCloud.

I do view the results on SonarCloud, if that’s what you’re asking?
We followed these directions: https://sonarcloud.io/documentation/integrations/github/


(Duncan) #7

I’m trying another build. We were blocked from building for a few days due to this bug: Build started breaking on existing XML code today v7.6.0.3134


(Andrei Epure) #8

Sorry, I meant integrating with SonarCloud service vs your own SonarQube instance. I’ve updated my question.

Indeed, you are using SonarCloud.


(Duncan) #9

Unfortunately something else is going on with the build and I can’t get it to complete, but it didn’t fail on this error. So that means I can’t get any cfg files for the other analysis rules.
We also need to cancel our sonarcloud trial for now, partially because we could never get the github integration working and partially because it ended up being a bit too expensive because we vastly underestimated our lines of code.
Also the onboarding has been quite bumpy for our TeamCity integration which means my setup time is taking away from dev, also the CPU load on our build agents (dev computers :wink: ) was a bit higher than expected. We’ll keep an eye on it as it evolves.
The move towards the OWASP Top 10 analyzers is important to us.

Thanks for the help!