Sonar Scanner CLI 10/11 (container image) files permission AccessDeniedException in GitLab CI

Hi all,

I am running a SonarQube Community edition and have successfully used the GitLab CI integration with the following config for a while now:

sonar-scanner:
  image:
    name: sonarsource/sonar-scanner-cli:5
    entrypoint: [""]
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    - sonar-scanner -Dsonar.qualitygate.wait=true
  allow_failure: true
  rules:
    - if: $CI_COMMIT_REF_NAME == 'main' || $CI_PIPELINE_SOURCE == 'merge_request_event'

I recently switched the version of the container image to 11 and noticed that I get permission denied errors for some reason:

The following error occurs when cache is not utilized:

22:22:52.686 ERROR Error during SonarScanner CLI execution
java.lang.IllegalStateException: Fail to create temp file in /builds/noc/cicd-components/.sonar/cache/_tmp
	at org.sonarsource.scanner.lib.internal.cache.FileCache.newTempFile(FileCache.java:141)
	at org.sonarsource.scanner.lib.internal.cache.FileCache.getOrDownload(FileCache.java:87)
	at org.sonarsource.scanner.lib.internal.JavaRunnerFactory.getJreFromServer(JavaRunnerFactory.java:143)
	at org.sonarsource.scanner.lib.internal.JavaRunnerFactory.createRunner(JavaRunnerFactory.java:85)
	at org.sonarsource.scanner.lib.internal.ScannerEngineLauncherFactory.createLauncher(ScannerEngineLauncherFactory.java:53)
	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:118)
	at org.sonarsource.scanner.cli.Main.analyze(Main.java:75)
	at org.sonarsource.scanner.cli.Main.main(Main.java:63)
Caused by: java.nio.file.AccessDeniedException: /builds/noc/cicd-components/.sonar/cache/_tmp/fileCache9114681223999053535.tmp
	at java.base/sun.nio.fs.UnixException.translateToIOException(Unknown Source)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(Unknown Source)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(Unknown Source)
	at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(Unknown Source)
	at java.base/java.nio.file.Files.newByteChannel(Unknown Source)
	at java.base/java.nio.file.Files.createFile(Unknown Source)
	at java.base/java.nio.file.TempFileHelper.create(Unknown Source)
	at java.base/java.nio.file.TempFileHelper.createTempFile(Unknown Source)
	at java.base/java.nio.file.Files.createTempFile(Unknown Source)
	at org.sonarsource.scanner.lib.internal.cache.FileCache.newTempFile(FileCache.java:139)
	... 7 common frames omitted
22:22:52.688 ERROR 

The following error occurs when cache is utilized:

ERROR: Error during SonarScanner execution
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.sonarsource.scanner.api.internal.IsolatedClassloader@27ce24aa-org.sonar.scanner.bootstrap.ScannerPluginRepository': Initialization of bean failed; nested exception is java.lang.IllegalStateException: Unable to read plugin manifest from jar : /builds/noc/cicd-components/.sonar/cache/2b053e6515d3c6b09a797addc204a4ed/sonar-cayc-plugin.jar
INFO: Final Memory: 10M/56M
INFO: ------------------------------------------------------------------------
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:628)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:542)
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:335)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:333)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:208)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:955)
	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:929)
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:591)
	at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:225)
	at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:205)
	at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:73)
	at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:67)
	at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
	at jdk.proxy1/jdk.proxy1.$Proxy0.execute(Unknown Source)
	at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)
	at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)
	at org.sonarsource.scanner.cli.Main.execute(Main.java:126)
	at org.sonarsource.scanner.cli.Main.execute(Main.java:81)
	at org.sonarsource.scanner.cli.Main.main(Main.java:62)
Caused by: java.lang.IllegalStateException: Unable to read plugin manifest from jar : /builds/noc/cicd-components/.sonar/cache/2b053e6515d3c6b09a797addc204a4ed/sonar-cayc-plugin.jar
	at org.sonar.updatecenter.common.PluginManifest.<init>(PluginManifest.java:131)
	at org.sonar.core.platform.PluginInfo.create(PluginInfo.java:368)
	at org.sonar.scanner.bootstrap.ScannerPluginInstaller.loadPlugins(ScannerPluginInstaller.java:128)
	at org.sonar.scanner.bootstrap.ScannerPluginInstaller.installPlugins(ScannerPluginInstaller.java:102)
	at org.sonar.scanner.bootstrap.ScannerPluginInstaller.installRequiredPlugins(ScannerPluginInstaller.java:72)
	at org.sonar.scanner.bootstrap.ScannerPluginRepository.start(ScannerPluginRepository.java:76)
	at org.sonar.core.platform.StartableBeanPostProcessor.postProcessBeforeInitialization(StartableBeanPostProcessor.java:33)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInitialization(AbstractAutowireCapableBeanFactory.java:440)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1796)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:620)
	... 24 more
Caused by: java.io.FileNotFoundException: /builds/noc/cicd-components/.sonar/cache/2b053e6515d3c6b09a797addc204a4ed/sonar-cayc-plugin.jar (Permission denied)
	at java.base/java.io.RandomAccessFile.open0(Native Method)
	at java.base/java.io.RandomAccessFile.open(RandomAccessFile.java:344)
	at java.base/java.io.RandomAccessFile.<init>(RandomAccessFile.java:259)
	at java.base/java.io.RandomAccessFile.<init>(RandomAccessFile.java:213)
	at java.base/java.util.zip.ZipFile$Source.<init>(ZipFile.java:1476)
	at java.base/java.util.zip.ZipFile$Source.get(ZipFile.java:1441)
	at java.base/java.util.zip.ZipFile$CleanableResource.<init>(ZipFile.java:718)
	at java.base/java.util.zip.ZipFile.<init>(ZipFile.java:252)
	at java.base/java.util.zip.ZipFile.<init>(ZipFile.java:181)
	at java.base/java.util.jar.JarFile.<init>(JarFile.java:346)
	at java.base/java.util.jar.JarFile.<init>(JarFile.java:317)
	at java.base/java.util.jar.JarFile.<init>(JarFile.java:283)
	at org.sonar.updatecenter.common.PluginManifest.<init>(PluginManifest.java:126)
	... 33 more
ERROR: 
ERROR: Re-run SonarScanner using the -X switch to enable full debug logging.

I created the following debug pipeline which resulted in the following output:

debug:
  stage: debug
  image: sonarsource/sonar-scanner-cli:10
  script:
    - id
    - pwd
    - ls -la
    - mkdir -p /builds/noc/cicd-components/.sonar/cache/_tmp
    - touch /builds/noc/cicd-components/.sonar/cache/_tmp/fileCache16198085451446314978.tmp
    - ls -laZ /builds/noc/cicd-components/.sonar/cache/_tmp

$ id
uid=1000(scanner-cli) gid=1000(scanner-cli) groups=1000(scanner-cli)
$ pwd
/builds/noc/cicd-components
$ ls -la
total 8
drwxrwxrwx. 4 root root  74 Aug 18 22:22 .
drwxrwxrwx. 4 root root  56 Aug 18 22:22 ..
drwxrwxrwx. 6 root root 128 Aug 18 22:22 .git
-rw-rw-rw-. 1 root root 542 Aug 18 22:22 .gitlab-ci.yml
-rw-rw-rw-. 1 root root 327 Aug 18 22:22 README.md
drwxrwxrwx. 4 root root  50 Aug 18 22:22 templates
$ mkdir -p /builds/noc/cicd-components/.sonar/cache/_tmp
$ touch /builds/noc/cicd-components/.sonar/cache/_tmp/fileCache16198085451446314978.tmp
$ ls -laZ /builds/noc/cicd-components/.sonar/cache/_tmp
total 0
drwxr-xr-x. 2 scanner-cli scanner-cli system_u:object_r:container_file_t:s0:c746,c867 47 Aug 18 22:22 .
drwxr-xr-x. 3 scanner-cli scanner-cli system_u:object_r:container_file_t:s0:c746,c867 18 Aug 18 22:22 ..
-rw-r--r--. 1 scanner-cli scanner-cli system_u:object_r:container_file_t:s0:c746,c867  0 Aug 18 22:22 fileCache16198085451446314978.tmp
Cleaning up project directory and file based variables 00:00
Job succeeded

Any help resolving this issue is appreciated, I’ve downgraded to scanner version 5 for now…
This happens for the tags 10 and 11 and is likely related to the rootless user that was introduced with 10.X: Release 10.0.0.1370_5.0.1 · SonarSource/sonar-scanner-cli-docker · GitHub

Other pipelines running with a rootless container image work fine though, even the same image can create files using mkdir and touch. Why does Sonar fail when creating a file programmatically?

Hey there.

Have you tried clearing your runner cache?

Thanks a lot, it seems like this resolved the issue!
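
Added example (not part of the thread and not SonarSource code): a pre-flight check a job could run before `sonar-scanner`, listing entries under `.sonar/cache` whose owner is not the job user. It assumes the "Permission denied" on the cached plugin jar came from cache entries restored with a different owner than uid 1000 (`scanner-cli`), which the thread does not confirm; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for a restored SONAR_USER_HOME cache.
# Assumption: entries restored with an owner other than the job user
# (uid 1000 "scanner-cli" in the `id` output above) are what the
# rootless scanner cannot read or write.

# Print every path under DIR that is not owned by WANT_UID.
# Prints nothing when the directory is absent or fully owned by WANT_UID.
cache_foreign_entries() {
    dir=$1
    want_uid=$2
    [ -d "$dir" ] || return 0        # no cache restored: nothing to check
    find "$dir" ! -user "$want_uid" -print
}

# Return 0 when the cache is usable by WANT_UID (default: current uid),
# 1 when foreign-owned entries exist or the directory is not writable.
sonar_cache_preflight() {
    dir=$1
    want_uid=${2:-$(id -u)}
    foreign=$(cache_foreign_entries "$dir" "$want_uid")
    if [ -n "$foreign" ]; then
        count=$(printf '%s\n' "$foreign" | wc -l | tr -d ' ')
        echo "cache: $count entries under $dir not owned by uid $want_uid" >&2
        printf '%s\n' "$foreign" | head -n 5 >&2   # show a short sample
        return 1
    fi
    # Ownership matches; still confirm new files can be created there,
    # since the scanner writes temp files below the cache directory.
    if [ -d "$dir" ] && ! [ -w "$dir" ]; then
        echo "cache: $dir is not writable by uid $(id -u)" >&2
        return 1
    fi
    return 0
}
```

In a job this would be called as `sonar_cache_preflight "${SONAR_USER_HOME}/cache"` ahead of the scanner; a non-zero result points at the restored cache, which is what clearing the runner cache addressed in this thread.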
