Sonar-java-plugin has dependencies with invalid POMs

org.sonarsource.java:sonar-java-plugin:7.22.0.31918 (the current latest version) has dependencies with invalid POMs. For example, it depends on org.eclipse.platform:org.eclipse.equinox.preferences:3.10.100, which has <modelVersion>4.0</modelVersion> in its POM (the version must be 4.0.0, not 4.0). Eclipse fixed this problem with a new version of that artifact; see Gradle cannot build effective model because of failure in pom.xml · Issue #180 · eclipse-platform/eclipse.platform · GitHub for history and details.

Can org.sonarsource.java:sonar-java-plugin please update its dependencies’ versions to ones that have valid poms? I’ve submitted a PR with that change, hoping that doing so would help with the timely solution of this problem: Update eclipse dependencies by candrews · Pull Request #4421 · SonarSource/sonar-java · GitHub

For full background, you can reproduce this issue using Gradle, expressing a dependency on org.sonarsource.java:sonar-java-plugin, and having the io.spring.dependency-management plugin (this plugin makes the error more apparent).

I’m using gradle 8.1.1 (the current latest version).

Example build.gradle.kts:

plugins {
  id("io.spring.dependency-management") version "1.1.2"
  id("java")
}

// In the Kotlin DSL the plugins {} block must come before any other statement,
// otherwise Gradle rejects the script before resolving anything.
repositories {
  gradlePluginPortal()
  mavenCentral()
}

dependencies {
  implementation("org.sonarsource.java:sonar-java-plugin:7.22.0.31918")
}

And the error is:

$ ./gradlew dependencies

> Task :dependencies FAILED

------------------------------------------------------------
Root project 'example'
------------------------------------------------------------

annotationProcessor - Annotation processors and their dependencies for source set 'main'.
No dependencies

compileClasspath - Compile classpath for source set 'main'.
Errors occurred while build effective model from /home/candrews/.gradle/caches/modules-2/files-2.1/org.eclipse.platform/org.eclipse.equinox.preferences/3.10.100/43fe3c49d5a6a30090b7081015e4a57bd0a6cb98/org.eclipse.equinox.preferences-3.10.100.pom:
Errors occurred while build effective model from /home/candrews/.gradle/caches/modules-2/files-2.1/org.eclipse.platform/org.eclipse.core.contenttype/3.8.200/e2fdb068262514474d73f236adaa821d9c861786/org.eclipse.core.contenttype-3.8.200.pom:

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':dependencies'.
> Cannot invoke "io.spring.gradle.dependencymanagement.org.apache.maven.model.Model.getGroupId()" because "effectiveModel" is null

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 504ms
1 actionable task: 1 executed

Thank you!

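The failure above comes down to Maven's Model Builder refusing a POM whose <modelVersion> is not exactly 4.0.0. The following script is an added example (not code from the thread, from SonarSource or from Spring) that applies the same check offline, so a team can audit a Gradle cache or a local Maven repository for such POMs before a plugin like io.spring.dependency-management trips over them at resolution time. The sample POMs it writes are constructed for the demonstration; only the first mirrors the defect the thread describes (modelVersion 4.0 on org.eclipse.equinox.preferences 3.10.100), the other coordinates and the directory layout are assumptions.

```python
"""Scan Maven POM files for problems Maven's Model Builder rejects.

Added example, not the original thread's code. Run with no arguments to scan
the constructed sample repository below, or pass a directory such as
~/.gradle/caches/modules-2/files-2.1 or ~/.m2/repository to scan real files.
"""
import os
import sys
import tempfile
import xml.etree.ElementTree as ET

VALID_MODEL_VERSION = "4.0.0"


def _local(tag):
    """Strip an XML namespace: '{http://maven.apache.org/POM/4.0.0}project' -> 'project'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(el, name):
    """Stripped text of the first direct child called `name` (namespace-agnostic), else None."""
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def check_pom(path):
    """Return a list of problems for one POM file; an empty list means it looks valid."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if _local(root.tag) != "project":
        problems.append(f"root element is <{_local(root.tag)}>, expected <project>")
    model_version = _child_text(root, "modelVersion")
    if model_version != VALID_MODEL_VERSION:
        # This is the exact defect from the thread: "4.0" instead of "4.0.0".
        problems.append(f"modelVersion is {model_version!r}, expected {VALID_MODEL_VERSION!r}")
    if _child_text(root, "artifactId") is None:
        problems.append("missing <artifactId>")
    # groupId and version may legitimately be inherited from <parent>.
    parent = next((c for c in root if _local(c.tag) == "parent"), None)
    for coord in ("groupId", "version"):
        if _child_text(root, coord) is None and (parent is None or _child_text(parent, coord) is None):
            problems.append(f"missing <{coord}> (not declared and no <parent> to inherit it from)")
    return problems


def scan_pom_dir(root_dir):
    """Walk a Gradle cache or Maven repository; map each invalid POM (relative path) to its problems."""
    findings = {}
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.endswith(".pom"):
                path = os.path.join(dirpath, name)
                problems = check_pom(path)
                if problems:
                    findings[os.path.relpath(path, root_dir).replace(os.sep, "/")] = problems
    return findings


# Constructed sample POMs (assumed coordinates; not the real artifacts' files).
SAMPLE_POMS = {
    "org.eclipse.platform/org.eclipse.equinox.preferences/3.10.100/org.eclipse.equinox.preferences-3.10.100.pom":
        '<project xmlns="http://maven.apache.org/POM/4.0.0">\n'
        '  <modelVersion>4.0</modelVersion>\n'
        '  <groupId>org.eclipse.platform</groupId>\n'
        '  <artifactId>org.eclipse.equinox.preferences</artifactId>\n'
        '  <version>3.10.100</version>\n</project>\n',
    "example/valid-lib/1.0/valid-lib-1.0.pom":
        '<project xmlns="http://maven.apache.org/POM/4.0.0">\n'
        '  <modelVersion>4.0.0</modelVersion>\n'
        '  <groupId>example</groupId><artifactId>valid-lib</artifactId><version>1.0</version>\n'
        '</project>\n',
    "example/child-lib/1.0/child-lib-1.0.pom":
        '<project>\n  <modelVersion>4.0.0</modelVersion>\n'
        '  <parent><groupId>example</groupId><artifactId>parent</artifactId><version>1.0</version></parent>\n'
        '  <artifactId>child-lib</artifactId>\n</project>\n',
    "example/broken-lib/1.0/broken-lib-1.0.pom":
        '<project><modelVersion>4.0.0</modelVersion>\n',  # truncated file, not well-formed
}


def build_sample_repo():
    """Write the constructed POMs into a temp dir laid out like a Maven repository."""
    base = tempfile.mkdtemp(prefix="pomscan-")
    for rel, text in SAMPLE_POMS.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return base


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_repo()
    for rel, problems in sorted(scan_pom_dir(target).items()):
        print(rel)
        for problem in problems:
            print("   -", problem)
```

Pointed at a real Gradle cache, the scan reports exactly the two POMs named in the error output above (org.eclipse.equinox.preferences 3.10.100 and org.eclipse.core.contenttype 3.8.200) if those versions are cached, which makes it a cheap pre-flight check to run in CI before upgrading a dependency that pulls in Eclipse platform artifacts.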

Hi @candrews,

thank you for providing all the information. May I ask for some other information from you:

  • Which SonarLint flavor and version are you using?
  • Based on that, which IDE and IDE version are you using?
  • Are you in connected mode and if so which version of SonarQube are you using (or SonarCloud)?

Thank you in advance, I’ll also forward you to the specific experts.

Best,
Tobias from SonarLint for Eclipse

Which SonarLint flavor and version are you using?

The artifact and version is org.sonarsource.java:sonar-java-plugin:7.22.0.31918

Based on that, which IDE and IDE version are you using?

The issue is reproducible in any IDE.

Are you in connected mode and if so which version of SonarQube are you using (or SonarCloud)?

One does not need to be connected to SonarQube or SonarCloud to reproduce this issue. The Gradle build I provided is enough to reproduce this issue without any Sonar connectivity, and in any IDE - I provided it in that way as a minimal reproducible example so it’s as easy as possible to reproduce and see the issue.

Hello @candrews,

We tried to reproduce the scenario you described and found that the problem happens when the io.spring.dependency-management Gradle plugin is used.

The org.sonarsource.java:sonar-java-plugin dependency tree looks clean:

[INFO] \- org.sonarsource.java:sonar-java-plugin:jar:7.22.0.31918:compile
[INFO]    +- org.sonarsource.java:java-surefire:jar:7.22.0.31918:compile
[INFO]    |  \- com.fasterxml.staxmate:staxmate:jar:2.4.0:compile
[INFO]    |     \- org.codehaus.woodstox:stax2-api:jar:4.2.1:compile
[INFO]    +- org.sonarsource.java:java-frontend:jar:7.22.0.31918:compile
[INFO]    |  +- org.sonarsource.java:jdt:jar:shaded:7.22.0.31918:compile
[INFO]    |  |  \- org.eclipse.jdt:org.eclipse.jdt.core:jar:3.33.0:compile
[INFO]    |  |     +- org.eclipse.platform:org.eclipse.core.resources:jar:3.18.200:compile
[INFO]    |  |     |  \- org.eclipse.platform:org.eclipse.osgi:jar:3.18.300:compile
[INFO]    |  |     +- org.eclipse.platform:org.eclipse.core.runtime:jar:3.26.100:compile
[INFO]    |  |     |  +- org.eclipse.platform:org.eclipse.equinox.common:jar:3.17.0:compile
[INFO]    |  |     |  +- org.eclipse.platform:org.eclipse.core.jobs:jar:3.13.200:compile
[INFO]    |  |     |  +- org.eclipse.platform:org.eclipse.equinox.preferences:jar:3.10.100:compile
[INFO]    |  |     |  |  \- org.osgi:org.osgi.service.prefs:jar:1.1.2:compile (version selected from constraint [1.1.0,1.2.0))
[INFO]    |  |     |  |     \- org.osgi:osgi.annotation:jar:8.0.1:compile
[INFO]    |  |     |  \- org.eclipse.platform:org.eclipse.core.contenttype:jar:3.8.200:compile
[INFO]    |  |     +- org.eclipse.platform:org.eclipse.text:jar:3.12.300:compile
[INFO]    |  |     |  \- org.eclipse.platform:org.eclipse.core.commands:jar:3.10.300:compile
[INFO]    |  |     \- org.eclipse.jdt:ecj:jar:3.33.0:compile
[INFO]    |  +- org.sonarsource.sslr:sslr-core:jar:1.24.0.633:compile
[INFO]    |  +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO]    |  \- org.sonarsource.analyzer-commons:sonar-regex-parsing:jar:2.5.0.1358:compile
[INFO]    +- org.sonarsource.java:java-symbolic-execution:jar:7.22.0.31918:compile
[INFO]    +- org.sonarsource.java:java-checks:jar:7.22.0.31918:compile
[INFO]    |  \- org.sonarsource.analyzer-commons:sonar-analyzer-recognizers:jar:2.5.0.1358:compile
[INFO]    +- org.sonarsource.java:external-reports:jar:7.22.0.31918:compile
[INFO]    +- org.sonarsource.java:java-jsp:jar:7.22.0.31918:compile
[INFO]    |  \- org.apache.tomcat.embed:tomcat-embed-jasper:jar:9.0.75:compile
[INFO]    |     +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.75:compile
[INFO]    |     |  \- org.apache.tomcat:tomcat-annotations-api:jar:9.0.75:compile
[INFO]    |     \- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.75:compile
[INFO]    +- org.sonarsource.analyzer-commons:sonar-analyzer-commons:jar:2.5.0.1358:compile
[INFO]    +- org.sonarsource.analyzer-commons:sonar-xml-parsing:jar:2.5.0.1358:compile
[INFO]    |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO]    |  +- xerces:xercesImpl:jar:2.12.2:compile
[INFO]    |  +- xml-apis:xml-apis:jar:1.4.01:compile
[INFO]    |  \- com.fasterxml.woodstox:woodstox-core:jar:6.4.0:compile
[INFO]    \- org.sonarsource.analyzer-commons:sonar-performance-measure:jar:2.5.0.1358:compile
[INFO]       \- com.google.code.gson:gson:jar:2.8.9:compile

I suggest investigating the io.spring.dependency-management Gradle plugin. Alternatively, I recommend using Maven since it works correctly on all projects that add custom rules, and thus use the org.sonarsource.java:sonar-java-plugin dependency (see sonar java custom rules guide).

We are working on the update of the org.eclipse.jdt.core dependency. Unfortunately, it is not easy since the upgrade will force users to move to Java 17 runtime, and not all of them can do it on short notice. There are also unresolved bugs in org.eclipse.jdt.core that are stopping us from upgrading.

I hope you will find a suitable solution to your problem.

Cheers


As you said, the problem is exacerbated by Spring’s Dependency Management Plugin, which sees the invalid POM in the dependency tree and errors out. That issue is being tracked at NullPointerException when Maven-style exclusions are enabled and a dependency has a pom which Maven's Model Builder considers to be invalid · Issue #365 · spring-gradle-plugins/dependency-management-plugin · GitHub. The workaround for that issue is to add:

dependencyManagement {
    // workaround for https://github.com/spring-gradle-plugins/dependency-management-plugin/issues/365
    applyMavenExclusions = false
}

to the Gradle build.

Arguably (and note that Spring isn’t taking this position) Spring is doing the right thing, as those POMs are invalid and thus failing because of them isn’t unreasonable.

We are working on the update of the org.eclipse.jdt.core dependency. Unfortunately, it is not easy since the upgrade will force users to move to Java 17 runtime, and not all of them can do it on short notice. There are also unresolved bugs in org.eclipse.jdt.core that are stopping us from upgrading.

I’m glad to hear that Sonar is working on addressing the real problem of those invalid POMs 🙂

Is there a Jira issue or something else that I could follow to know when Sonar rids itself of those dependencies with invalid POMs?


Hi @candrews, you can check the old investigation regarding the update of the org.eclipse.jdt.core dependency in [SONARJAVA-4526] - Jira.

The progress with the upgrade of such dependency falls under the task of supporting Java 21, which is on the roadmap for next year.

Cheers
