Scanner cannot access C++ header files

We run sonar-scanner for a C++20 project within a debian bookworm docker in a GitLab CI pipeline.
We use gcc-11. The following problem occurs both with the build-wrapper and with the CMake Compilation Database:

Running sonar-scanner results in

$ sonar-scanner
Could not find 'java' executable in JAVA_HOME or PATH.

running the jar directly results in:

$ /sonar-scanner-4.7.0.2747-linux/jre/bin/java -jar /sonar-scanner-4.7.0.2747-linux/lib/sonar-scanner-cli-4.7.0.2747.jar
INFO: Sensor CFamily [cpp]
INFO: CFamily plugin version: 6.32.0.44918
INFO: Using compile commands: /builds/gdsa/clg007-multicontainer-packer/compile_commands.json
INFO: Available processors: 8
INFO: Using 8 threads for analysis according to value of "sonar.cfamily.threads" property.
INFO: Cache is explicitly disabled: Optional[false]
INFO: ------------------------------------------------------------------------
INFO: EXECUTION FAILURE
INFO: ------------------------------------------------------------------------
INFO: Total time: 18.993s
INFO: Final Memory: 37M/148M
INFO: ------------------------------------------------------------------------
ERROR: Error during SonarScanner execution
java.lang.IllegalStateException: java.nio.file.FileSystemException: /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11: Operation not permitted
	at com.sonar.cpp.jni.FileSystemOperations.realPath(FileSystemOperations.java:63)
	at java.base/java.util.HashMap.computeIfAbsent(Unknown Source)
	at com.sonar.cpp.fs.CanonicalPathCache.computeIfAbsent(CanonicalPathCache.java:17)
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(Unknown Source)
	at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(Unknown Source)
	at java.base/java.util.stream.AbstractPipeline.copyInto(Unknown Source)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(Unknown Source)
	at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Unknown Source)
	at java.base/java.util.stream.AbstractPipeline.evaluate(Unknown Source)
	at java.base/java.util.stream.ReferencePipeline.collect(Unknown Source)
	at com.sonar.cpp.analyzer.GCCBasedDriverUtil.removeIncludesWhichAreSystemIncludes(GCCBasedDriverUtil.java:218)
	at com.sonar.cpp.analyzer.ClangDriver.onCapture(ClangDriver.java:442)
	at com.sonar.cpp.analyzer.CompilerDrivers.onCapture(CompilerDrivers.java:35)
	at com.sonar.cpp.plugin.CFamilySensor.lambda$process$12(CFamilySensor.java:648)
	at com.sonar.cpp.plugin.CompileCommandsReader.readCaptures(CompileCommandsReader.java:46)
	at com.sonar.cpp.plugin.CFamilySensor.process(CFamilySensor.java:645)
	at com.sonar.cpp.plugin.CFamilySensor.process(CFamilySensor.java:416)
	at com.sonar.cpp.plugin.CFamilySensor.execute(CFamilySensor.java:186)
	at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(AbstractSensorWrapper.java:64)
	at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:85)
	at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:62)
	at org.sonar.scanner.scan.SpringModuleScanContainer.doAfterStart(SpringModuleScanContainer.java:81)
	at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)
	at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)
	at org.sonar.scanner.scan.SpringProjectScanContainer.scan(SpringProjectScanContainer.java:392)
	at org.sonar.scanner.scan.SpringProjectScanContainer.scanRecursively(SpringProjectScanContainer.java:388)
	at org.sonar.scanner.scan.SpringProjectScanContainer.doAfterStart(SpringProjectScanContainer.java:357)
	at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)
	at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)
	at org.sonar.scanner.bootstrap.SpringGlobalContainer.doAfterStart(SpringGlobalContainer.java:134)
	at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)
	at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)
	at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:72)
	at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:66)
	at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
	at com.sun.proxy.$Proxy0.execute(Unknown Source)
	at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)
	at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)
	at org.sonarsource.scanner.cli.Main.execute(Main.java:112)
	at org.sonarsource.scanner.cli.Main.execute(Main.java:75)
	at org.sonarsource.scanner.cli.Main.main(Main.java:61)
Caused by: java.nio.file.FileSystemException: /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11: Operation not permitted
	at java.base/sun.nio.fs.UnixException.translateToIOException(Unknown Source)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(Unknown Source)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(Unknown Source)
	at java.base/sun.nio.fs.UnixPath.toRealPath(Unknown Source)
	at com.sonar.cpp.jni.FileSystemOperations.realPath(FileSystemOperations.java:61)
	... 45 more
ERROR: 
ERROR: Re-run SonarScanner using the -X switch to enable full debug logging.

The path /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11 exists. The scanner runs as root, so it can see into the directory.

The docker image used is:

FROM debian:bookworm-slim

RUN apt update \
 && apt install -y wget git unzip cmake g++ gcovr file valgrind clang-tidy clang-format python3-pip \
 && rm -rf /var/lib/apt/lists/*

RUN pip install conan

ENTRYPOINT [ "/bin/bash", "-c", "ln -snf /bin/bash /bin/sh && /bin/bash -c $0" ]

the scanner is installed via

wget -q https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.7.0.2747-linux.zip
unzip -q sonar-scanner-cli-4.7.0.2747-linux.zip -d /
export PATH="/sonar-scanner-4.7.0.2747-linux/bin:$PATH"

version:
scanner 4.7.0.2747
sonarqube 9.4

It works with the official gcc:11 image, but not with gcc11 on debian.

Hi @ivo.hedtke
Based on the information in your post I could not reproduce your failure.

I run a local instance of SQ on localhost:9000. Running your docker image debian:bookworm-slim:

docker run -it --rm --add-host=host.docker.internal:host-gateway debian:bookworm-slim

and adding the necessary packages, I ran SonarScanner and encountered no failure:

apt update
apt install -y wget git unzip cmake g++ gcovr file valgrind clang-tidy clang-format python3-pip autoconf curl
git clone https://github.com/arseniy-sonar/sq-analysis-repo
cd sq-analysis-repo/
sed -i 's/localhost/host.docker.internal/g' build-analyze-project.sh
sed -i 's/localhost/host.docker.internal/g' sonar-project.properties
export SONAR_TOKEN=sqp_....

# This is necessary for the libc6 required by Build Wrapper:
echo "deb http://deb.debian.org/debian experimental main" >> /etc/apt/sources.list
apt update
apt -t experimental install -y libc6
bash build-analyze-project.sh

And here is the tail of the result:

INFO: ANALYSIS SUCCESSFUL, you can find the results at: http://host.docker.internal:9000/dashboard?id=sq-analysis-repo
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at http://host.docker.internal:9000/api/ce/task?id=AYJubJeA_24S3Gnx0eWj
INFO: Analysis total time: 6.030 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 6.861s
INFO: Final Memory: 30M/256M

You can try it on your machine, sq-analysis-repo is public.

What did I do differently from your script that I missed the failure you are writing about?