Sonar Scanner ERROR: Unable to create symbol table for :<some src file>' java.lang.SecurityException: invalid SHA1 signature file digest for org/apache/commons/lang/math/JVMRandom.class

Hi,

I got this error during Sonar analysis using the Sonar Scanner plugin in Jenkins. The class reported with the invalid SHA is a 3rd party dependency of the actual source code. Is there a way to fix or ignore that specific 3rd party class with the invalid SHA? Please advise. Thank you in advance.

SonarQube Version: Enterprise Edition - Version 7.9.1
SonarQube Scanner for Jenkins: 2.6.1
Java: 1.8.0_251

Error Encountered:

10:02:59 ERROR: Unable to create symbol table for : 'MDD/Core/com.comp.fso.mdd.common/src/com/comp/fso/mdd/common/util/ProjectUtil.java'
10:02:59 java.lang.SecurityException: invalid SHA1 signature file digest for org/apache/commons/lang/math/JVMRandom.class
10:02:59 	at sun.security.util.SignatureFileVerifier.verifySection(SignatureFileVerifier.java:677)
10:02:59 	at sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVerifier.java:341)
10:02:59 	at sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:263)
10:02:59 	at java.util.jar.JarVerifier.processEntry(JarVerifier.java:318)
10:02:59 	at java.util.jar.JarVerifier.update(JarVerifier.java:230)
10:02:59 	at java.util.jar.JarFile.initializeVerifier(JarFile.java:384)
10:02:59 	at java.util.jar.JarFile.getInputStream(JarFile.java:451)
10:02:59 	at org.sonar.java.bytecode.loader.JarLoader$JarEntryHandler$1.getInputStream(JarLoader.java:124)
10:02:59 	at java.net.URL.openStream(URL.java:1067)
10:02:59 	at java.lang.ClassLoader.getResourceAsStream(ClassLoader.java:1302)
10:02:59 	at org.sonar.java.bytecode.loader.SquidClassLoader.getBytesForClass(SquidClassLoader.java:151)
10:02:59 	at org.sonar.java.resolve.BytecodeCompleter.loadClass(BytecodeCompleter.java:239)
10:02:59 	at org.sonar.java.resolve.Resolve.findIdentInPackage(Resolve.java:344)
10:02:59 	at org.sonar.java.resolve.FirstPass$ImportResolverVisitor.visitIdentifier(FirstPass.java:206)
10:02:59 	at org.sonar.java.model.expression.IdentifierTreeImpl.accept(IdentifierTreeImpl.java:81)
10:02:59 	at org.sonar.plugins.java.api.tree.BaseTreeVisitor.scan(BaseTreeVisitor.java:40)
10:02:59 	at org.sonar.plugins.java.api.tree.BaseTreeVisitor.visitMemberSelectExpression(BaseTreeVisitor.java:234)
10:02:59 	at org.sonar.java.model.expression.MemberSelectExpressionTreeImpl.accept(MemberSelectExpressionTreeImpl.java:117)
10:02:59 	at org.sonar.java.resolve.FirstPass$ImportResolverVisitor.visitImport(FirstPass.java:168)
10:02:59 	at org.sonar.java.model.JavaTree$ImportTreeImpl.accept(JavaTree.java:352)
10:02:59 	at org.sonar.java.resolve.FirstPass.resolveImports(FirstPass.java:154)
10:02:59 	at org.sonar.java.resolve.FirstPass.visitCompilationUnit(FirstPass.java:131)
10:02:59 	at org.sonar.java.resolve.SemanticModel.createFor(SemanticModel.java:64)
10:02:59 	at org.sonar.java.model.VisitorsBridge.visitFile(VisitorsBridge.java:122)
10:02:59 	at org.sonar.java.ast.JavaAstScanner.simpleScan(JavaAstScanner.java:90)
10:02:59 	at org.sonar.java.ast.JavaAstScanner.scan(JavaAstScanner.java:67)
10:02:59 	at org.sonar.java.JavaSquid.scanSources(JavaSquid.java:115)
10:02:59 	at org.sonar.java.JavaSquid.scan(JavaSquid.java:109)
10:02:59 	at org.sonar.plugins.java.JavaSquidSensor.execute(JavaSquidSensor.java:88)
10:02:59 	at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(AbstractSensorWrapper.java:48)
10:02:59 	at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:85)
10:02:59 	at org.sonar.scanner.sensor.ModuleSensorsExecutor.lambda$execute$1(ModuleSensorsExecutor.java:59)
10:02:59 	at org.sonar.scanner.sensor.ModuleSensorsExecutor.withModuleStrategy(ModuleSensorsExecutor.java:77)
10:02:59 	at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:59)
10:02:59 	at org.sonar.scanner.scan.ModuleScanContainer.doAfterStart(ModuleScanContainer.java:82)
10:02:59 	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:136)
10:02:59 	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:122)
10:02:59 	at org.sonar.scanner.scan.ProjectScanContainer.scan(ProjectScanContainer.java:400)
10:02:59 	at org.sonar.scanner.scan.ProjectScanContainer.scanRecursively(ProjectScanContainer.java:395)
10:02:59 	at org.sonar.scanner.scan.ProjectScanContainer.scanRecursively(ProjectScanContainer.java:392)
10:02:59 	at org.sonar.scanner.scan.ProjectScanContainer.doAfterStart(ProjectScanContainer.java:358)
10:02:59 	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:136)
10:02:59 	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:122)
10:02:59 	at org.sonar.scanner.bootstrap.GlobalContainer.doAfterStart(GlobalContainer.java:141)
10:02:59 	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:136)
10:02:59 	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:122)
10:02:59 	at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:73)
10:02:59 	at org.sonar.batch.bootstrapper.Batch.executeTask(Batch.java:99)
10:02:59 	at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:63)
10:02:59 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
10:02:59 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
10:02:59 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
10:02:59 	at java.lang.reflect.Method.invoke(Method.java:498)
10:02:59 	at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
10:02:59 	at com.sun.proxy.$Proxy0.execute(Unknown Source)
10:02:59 	at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:233)
10:02:59 	at org.sonarsource.scanner.api.EmbeddedScanner.runAnalysis(EmbeddedScanner.java:151)
10:02:59 	at org.sonarsource.scanner.cli.Main.runAnalysis(Main.java:123)
10:02:59 	at org.sonarsource.scanner.cli.Main.execute(Main.java:77)
10:02:59 	at org.sonarsource.scanner.cli.Main.main(Main.java:61)

Thanks,
Lea
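To find which dependency JAR carries the stale signature, the per-entry comparison that fails in `SignatureFileVerifier.verifySection` can be approximated offline. This is an added example, not part of the original thread or of SonarQube; `bad_sf_digests`, `make_jar` and the `SIGNER.SF` name are hypothetical, the sample JARs are constructed in memory, and it checks only the `.SF` per-entry digests against the manifest sections, not the signature block or the class bytes.

```python
import base64, hashlib, io, re, zipfile

def sections(raw):
    """Yield (attributes, raw section bytes incl. trailing blank line) from manifest-format bytes."""
    for m in re.finditer(rb"(?:[^\r\n][^\n]*(?:\n|\Z))+(?:\r?\n)?", raw):
        block = m.group(0)
        text = re.sub(rb"\r?\n ", b"", block).decode("utf-8")  # unfold continuation lines
        yield dict(l.split(": ", 1) for l in text.splitlines() if ": " in l), block

def bad_sf_digests(jar_bytes):
    """Return [(sf_file, entry, algorithm)] where an .SF digest != digest of the manifest section."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = {a["Name"]: blk
                    for a, blk in sections(jar.read("META-INF/MANIFEST.MF")) if "Name" in a}
        for sf in (n for n in jar.namelist() if re.fullmatch(r"META-INF/[^/]+\.SF", n, re.I)):
            for attrs, _ in sections(jar.read(sf)):
                for key, value in attrs.items():
                    if "Name" not in attrs or not key.endswith("-Digest"):
                        continue  # skip the main section and non-digest attributes
                    alg = key[:-len("-Digest")]  # e.g. "SHA1", "SHA-256"
                    blk = manifest.get(attrs["Name"], b"")
                    h = hashlib.new(alg.replace("-", "").lower(), blk).digest()
                    if base64.b64encode(h).decode() != value.strip():
                        bad.append((sf, attrs["Name"], alg))
    return bad

def make_jar(manifest, sf):
    """Build a constructed sample JAR (not a real dependency) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/SIGNER.SF", sf)
    return buf.getvalue()

NAME = b"Name: org/apache/commons/lang/math/JVMRandom.class\r\n"
ENTRY = NAME + b"SHA1-Digest: AAAAAAAAAAAAAAAAAAAAAAAAAAA=\r\n\r\n"  # constructed value
MANIFEST = b"Manifest-Version: 1.0\r\n\r\n" + ENTRY
SF = (b"Signature-Version: 1.0\r\n\r\n" + NAME + b"SHA1-Digest: "
      + base64.b64encode(hashlib.sha1(ENTRY).digest()) + b"\r\n\r\n")

GOOD_JAR = make_jar(MANIFEST, SF)
# Manifest entry rewritten after signing (e.g. a repackaged JAR) while the .SF file is left stale.
STALE_JAR = make_jar(MANIFEST.replace(b"AAAA", b"BBBB", 1), SF)

if __name__ == "__main__":
    print(bad_sf_digests(GOOD_JAR), bad_sf_digests(STALE_JAR))
```

For a real dependency, pass the file's bytes, e.g. `bad_sf_digests(open(path, "rb").read())`, for each JAR on the analysis classpath.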

Hello @lea.i.abrugena,

Do you still face the issue?
From the error trace, I see classes that were removed many months ago, so I expect you are using a version of the Java analyzer which is already quite old.

Could you consider updating the Java analyzer to a version >= 6.3.2?

Hi @Quentin,

Sorry for the late reply.
The error is solved now, and as per checking, the Java Analyzer is version 6.3.2. Thanks a lot.

regards,
Lea

Hi @Quentin,

Maybe you have an idea on another error we’ve encountered. Or maybe I should create a new thread for this? Please advise. Thanks!

Exception while analyzing com.xxxxxxx.dddd.mdd.common.util.EntityUtil.<clinit>()V
java.lang.RuntimeException: Unable to call com/xxxxxxx/fso/mdd/common/MddcmnPluginActivator.getHelper()Lcom/xxxxxxx/fso/dddd/logging/LogHelper;
 At com.h3xstream.findsecbugs.taintanalysis.TaintFrameModelingVisitor.visitInvoke(TaintFrameModelingVisitor.java:599)
 At com.h3xstream.findsecbugs.taintanalysis.TaintFrameModelingVisitor.visitINVOKESTATIC(TaintFrameModelingVisitor.java:385)
 At org.apache.bcel.generic.INVOKESTATIC.accept(INVOKESTATIC.java:86)
 At edu.umd.cs.findbugs.ba.AbstractFrameModelingVisitor.analyzeInstruction(AbstractFrameModelingVisitor.java:84)
 At com.h3xstream.findsecbugs.taintanalysis.TaintFrameModelingVisitor.analyzeInstruction(TaintFrameModelingVisitor.java:129)
 At com.h3xstream.findsecbugs.taintanalysis.TaintAnalysis.transferInstruction(TaintAnalysis.java:90)
 At com.h3xstream.findsecbugs.taintanalysis.TaintAnalysis.transferInstruction(TaintAnalysis.java:51)
 At edu.umd.cs.findbugs.ba.AbstractDataflowAnalysis.transfer(AbstractDataflowAnalysis.java:136)
 At edu.umd.cs.findbugs.ba.Dataflow.execute(Dataflow.java:378)
 At com.h3xstream.findsecbugs.taintanalysis.TaintDataflowEngine.analyze(TaintDataflowEngine.java:183)
 At com.h3xstream.findsecbugs.taintanalysis.TaintDataflowEngine.analyze(TaintDataflowEngine.java:56)
 At edu.umd.cs.findbugs.classfile.impl.AnalysisCache.analyzeMethod(AnalysisCache.java:368)
 At edu.umd.cs.findbugs.classfile.impl.AnalysisCache.getMethodAnalysis(AnalysisCache.java:321)
 At com.h3xstream.findsecbugs.injection.AbstractTaintDetector.getTaintDataFlow(AbstractTaintDetector.java:142

From the error trace, I can guess that the findsecbugs plugin is causing the error.

Is it possible that it also requires an update to work correctly?

Also, please note that SonarSource is not the maintainer of the findsecbugs plugin; our knowledge on the topic is limited.