Sonar Analysis Completely Fails

I am using the sonar cli tool to try to run analysis, but the analysis simply fails; we keep getting the following error:

tonderai-bhpartners-generic-pipeline_1  | 21:20:58.402 ERROR: Error during SonarScanner execution
tonderai-bhpartners-generic-pipeline_1  | java.lang.NullPointerException
tonderai-bhpartners-generic-pipeline_1  | 	at org.eclipse.jgit.internal.storage.file.UnpackedObjectCache$Table.index(UnpackedObjectCache.java:115)
tonderai-bhpartners-generic-pipeline_1  | 	at org.eclipse.jgit.internal.storage.file.UnpackedObjectCache$Table.contains(UnpackedObjectCache.java:76)
tonderai-bhpartners-generic-pipeline_1  | 	at org.eclipse.jgit.internal.storage.file.UnpackedObjectCache.isUnpacked(UnpackedObjectCache.java:31)
tonderai-bhpartners-generic-pipeline_1  | 	at org.eclipse.jgit.internal.storage.file.LooseObjects.hasCached(LooseObjects.java:82)
tonderai-bhpartners-generic-pipeline_1  | 	at org.eclipse.jgit.internal.storage.file.ObjectDirectory.openObjectWithoutRestoring(ObjectDirectory.java:339)
tonderai-bhpartners-generic-pipeline_1  | 	at org.eclipse.jgit.internal.storage.file.ObjectDirectory.openObject(ObjectDirectory.java:330)
tonderai-bhpartners-generic-pipeline_1  | 	at org.eclipse.jgit.internal.storage.file.WindowCursor.open(WindowCursor.java:132)
tonderai-bhpartners-generic-pipeline_1  | 	at org.eclipse.jgit.lib.ObjectReader.open(ObjectReader.java:212)
tonderai-bhpartners-generic-pipeline_1  | 	at org.eclipse.jgit.revwalk.RevWalk.parseAny(RevWalk.java:917)
tonderai-bhpartners-generic-pipeline_1  | 	at org.eclipse.jgit.revwalk.RevWalk.parseCommit(RevWalk.java:827)
tonderai-bhpartners-generic-pipeline_1  | 	at org.sonar.scm.git.CompositeBlameCommand.collectAllCommittedFiles(CompositeBlameCommand.java:94)
tonderai-bhpartners-generic-pipeline_1  | 	at org.sonar.scm.git.CompositeBlameCommand.blame(CompositeBlameCommand.java:61)
tonderai-bhpartners-generic-pipeline_1  | 	at org.sonar.scanner.scm.ScmPublisher.publish(ScmPublisher.java:76)
tonderai-bhpartners-generic-pipeline_1  | 	at org.sonar.scanner.scan.ProjectScanContainer.doAfterStart(ProjectScanContainer.java:405)
tonderai-bhpartners-generic-pipeline_1  | 	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:123)
tonderai-bhpartners-generic-pipeline_1  | 	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:109)
tonderai-bhpartners-generic-pipeline_1  | 	at org.sonar.scanner.bootstrap.GlobalContainer.doAfterStart(GlobalContainer.java:128)
tonderai-bhpartners-generic-pipeline_1  | 	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:123)
tonderai-bhpartners-generic-pipeline_1  | 	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:109)
tonderai-bhpartners-generic-pipeline_1  | 	at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:58)
tonderai-bhpartners-generic-pipeline_1  | 	at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:52)
tonderai-bhpartners-generic-pipeline_1  | 	at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
tonderai-bhpartners-generic-pipeline_1  | 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
tonderai-bhpartners-generic-pipeline_1  | 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
tonderai-bhpartners-generic-pipeline_1  | 	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
tonderai-bhpartners-generic-pipeline_1  | 	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
tonderai-bhpartners-generic-pipeline_1  | 	at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
tonderai-bhpartners-generic-pipeline_1  | 	at com.sun.proxy.$Proxy0.execute(Unknown Source)
tonderai-bhpartners-generic-pipeline_1  | 	at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)
tonderai-bhpartners-generic-pipeline_1  | 	at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)
tonderai-bhpartners-generic-pipeline_1  | 	at org.sonarsource.scanner.cli.Main.execute(Main.java:112)
tonderai-bhpartners-generic-pipeline_1  | 	at org.sonarsource.scanner.cli.Main.execute(Main.java:75)
tonderai-bhpartners-generic-pipeline_1  | 	at org.sonarsource.scanner.cli.Main.main(Main.java:61)

Our configuration file is as follows:

# Project identification
sonar.exclusions=**/build/**,**/coverage/**,**/logs/**,**/chart/**,**/*.go,**/spinnaker/**,**/stages/**
sonar.projectKey=xxxxx
sonar.projectVersion="v0.0.1"
sonar.projectName=xxxxx
sonar.organization=xxxx
sonar.host.url=https://sonarcloud.io
# Info required for Sonar
sonar.sources=.
sonar.coverage.jacoco.xmlReportPaths=**/jacoco/test/jacocoTestReport.xml
sonar.coverage.exclusions=**/test/**
sonar.cpd.exclusions=**/test/**

We are simply trying to run the command sonar-scanner but it fails. Not sure what's wrong. Any assistance will be really helpful as we have been experiencing this for some time now. We are making use of the latest version of the cli tool.

Hi @Roger_Bukuru and welcome to our Community!

I would like to ask you to:

  1. Add the “-X” parameter to the scanner invocation in order to enable debug output.
  2. Provide us with the full scanner log output.

I will send you a private message for you to do that. This way we can have much more information that we need to understand your problem.

Thanks.

Facing the same issue:

$ sonar-scanner -X \
  -Dsonar.projectKey=Demo1 \
  -Dsonar.sources=. \
  -Dsonar.host.url=http://localhost:9000 \
  -Dsonar.login=sqp.xxxxxxxxxxxxxxxxxxxxxxxxxx

output:
output.txt (41.2 KB)

Hi, are the failing projects in a valid git repository? Does the file {project_dir}/.git/HEAD exist?

Oh okay, it has to be a valid git repo. Now it's working, didn't think about it cause I was testing a single .php file. However, the results don't show any vulnerabilities, although there are clear SQL injections in my .php file. Any advice?

Hi,

Yes it’s in a valid git repo :frowning:

You can try adding the following parameter to disable SCM features, but it will disable related features as well, like auto assignment of new issues:

sonar.scm.disabled=true

This is a different subject and you should create a new topic for that, providing all the information. Thanks!

We are still investigating! :wink: Could you tell me anything related to the status of the GIT repository that you are scanning with SonarCloud? Like, for example:

  1. Do you have any non-committed files (staged or not)?
  2. Any detached head scenario?
  3. Does the branch exist at origin?
  4. Is there at least one commit in your repository?

  1. No, there are no non-committed files.
  2. I have checked and have seen none.
  3. Yes
  4. Yes

We are having this issue across 3-5 different projects, which all have valid git repos.

Thanks for the information.

Any public project so we can try to reproduce here?

Unfortunately they are all private. Any other way?

I sent a private message to you in order to acquire more data to investigate this problem. So far, I found that we fail when there is no HEAD commit, which should happen only in a git repository without any commit. Maybe there are other scenarios that I don't know of.

We are still investigating this issue, but we just deployed a fix that could mitigate your problem as well. Could you please try to run a new analysis and check if it succeeds? Also, please send us the scanner logs if possible; you can use the private message for this.

Ok great, is this a fix on the cli-scanner or just on SonarCloud?

I just gave it a try and it works! Thank you so much :face_holding_back_tears::man_dancing:t6:


It is for SonarCloud, including the scanner as well.

Happy to know!! But I still want to investigate a bit more... is it possible for you to provide us with the scanner log for this successful analysis? :slight_smile:

Hello @Roger_Bukuru, your analysis now succeeds but you are missing blame information (extract from the logs you sent to me):

WARN: Could not find HEAD commit
INFO: Blaming files using native implementation
INFO: SCM Publisher 0/1043 source files have been analyzed (done) | time=55ms
WARN: Missing blame information for the following files:

This means that the cloned git repository in your pipeline is missing the HEAD commit. We recommend trying to diagnose this by getting more information about the state of the cloned git repository in your pipeline; for example, you could add some commands like:

git log -n 2
git status

Let me know if you want to dig more into this issue, happy to help.
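As an added illustration (not code from the thread or from SonarSource), a POSIX-shell pre-flight check a pipeline could run before sonar-scanner: it resolves HEAD from the .git directory, the commit the failing JGit call needs, and only falls back to the sonar.scm.disabled=true workaround mentioned above when no HEAD commit exists. The function names and the assumption that .git is a directory (not a worktree or submodule gitdir file) are mine.

```shell
#!/bin/sh
# Pre-flight check for the failure in this thread: the scanner's SCM step
# (CompositeBlameCommand -> JGit RevWalk.parseCommit) needs a HEAD that
# resolves to a commit. This reads .git directly, so it also works where the
# git CLI is not installed in the pipeline image.
# Assumption: "$repo/.git" is a directory (no worktree/submodule gitdir file).

# Prints the commit id HEAD resolves to and returns 0; returns 1 when HEAD is
# missing, points at an unborn branch, or holds nothing usable.
sonar_head_commit() {
  repo="$1"
  git_dir="$repo/.git"
  [ -f "$git_dir/HEAD" ] || return 1
  head=$(cat "$git_dir/HEAD")
  case "$head" in
    "ref: "*)
      ref=${head#ref: }                      # e.g. refs/heads/main
      if [ -f "$git_dir/$ref" ]; then        # loose ref file
        cat "$git_dir/$ref"; return 0
      fi
      # After git gc the branch may only exist in packed-refs.
      if [ -f "$git_dir/packed-refs" ]; then
        sha=$(grep " $ref\$" "$git_dir/packed-refs" | cut -d' ' -f1)
        [ -n "$sha" ] && { echo "$sha"; return 0; }
      fi
      return 1 ;;                            # unborn branch: no commit yet
    *)
      # Detached HEAD: the file holds the 40-hex commit id itself.
      echo "$head" | grep -Eq '^[0-9a-f]{40}$' && { echo "$head"; return 0; }
      return 1 ;;
  esac
}

# Extra scanner flags for this checkout. Without a HEAD commit the SCM step is
# disabled so the run does not abort on the NullPointerException; the trade-off
# is the missing blame information described in the thread.
sonar_scm_flags() {
  if sonar_head_commit "$1" >/dev/null; then
    echo ""
  else
    echo "-Dsonar.scm.disabled=true"
  fi
}

# Usage in a pipeline step (the scanner invocation is not run here):
#   sonar-scanner -X $(sonar_scm_flags "$PWD") -Dsonar.projectKey=...
```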