Sonar Scanner Java Issue

  • ALM used - GitHub
  • Scanner command used when applicable (private details masked)
  • Languages of the repository - PHP (we exclude other files)
  • SonarCloud project is not public

It looks like sonar-scanner is trying to download and extract Open JDK 17, but then it doesn’t have permissions to execute the file. I recursively 777’d the entire .sonar folder temporarily, but I get the same error message.

I’m also a bit confused why sonar is trying to download a JDK here? I have the JAVA_HOME variable set on my machine, but I noticed that Sonar Scanner always overwrites that variable, regardless of whether you already have one set (I’ll attach a screenshot of the source code where a variable is always true, thus overwriting JAVA_HOME).

Error Logs:

15:45:50.354 INFO  Scanner configuration file: /home/jbolger/sonar-scanner-7.0.2.4839-linux-x64/conf/sonar-scanner.properties
15:45:50.374 INFO  Project root configuration file: NONE
15:45:50.575 INFO  SonarScanner CLI 7.0.2.4839
15:45:50.588 INFO  Java 17.0.13 Eclipse Adoptium (64-bit)
15:45:50.590 INFO  Linux 6.1.0-37-cloud-amd64 amd64
15:45:50.614 DEBUG Scanner max available memory: 1 GB
15:45:50.654 DEBUG Failed to get the architecture using 'uname -m'
java.io.IOException: Cannot run program "uname": error=13, Permission denied
        at java.base/java.lang.ProcessBuilder.start(Unknown Source)
        at java.base/java.lang.ProcessBuilder.start(Unknown Source)
        at org.sonarsource.scanner.lib.internal.util.ProcessWrapperFactory.create(ProcessWrapperFactory.java:30)
        at org.sonarsource.scanner.lib.internal.util.ArchResolver.tryGetArchUsingUname(ArchResolver.java:62)
        at org.sonarsource.scanner.lib.internal.util.ArchResolver.getCpuArch(ArchResolver.java:55)
        at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.initBootstrapDefaultValues(ScannerEngineBootstrapper.java:306)
        at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:128)
        at org.sonarsource.scanner.cli.Main.analyze(Main.java:76)
        at org.sonarsource.scanner.cli.Main.main(Main.java:64)
Caused by: java.io.IOException: error=13, Permission denied
        at java.base/java.lang.ProcessImpl.forkAndExec(Native Method)
        at java.base/java.lang.ProcessImpl.<init>(Unknown Source)
        at java.base/java.lang.ProcessImpl.start(Unknown Source)
        ... 9 common frames omitted
15:45:50.680 DEBUG Using JVM default truststore: /home/jbolger/sonar-scanner-7.0.2.4839-linux-x64/jre/lib/security/cacerts
15:45:50.685 DEBUG Create: /home/jbolger/.sonar/cache
15:45:50.686 INFO  User cache: /home/jbolger/.sonar/cache
15:45:50.687 DEBUG Create: /home/jbolger/.sonar/cache/_tmp
15:45:51.840 DEBUG Loading OS trusted SSL certificates...
15:45:51.841 DEBUG This operation might be slow or even get stuck. You can skip it by passing the scanner property 'sonar.scanner.skipSystemTruststore=true'
15:45:54.596 DEBUG Loaded [429] system trusted certificates
15:45:56.825 DEBUG Loaded truststore from '/home/jbolger/sonar-scanner-7.0.2.4839-linux-x64/jre/lib/security/cacerts' containing 152 certificates
15:45:58.166 INFO  JRE provisioning: os[linux], arch[amd64]
15:45:58.624 DEBUG --> GET https://api.sonarcloud.io/analysis/jres?os=linux&arch=amd64
15:46:00.425 DEBUG <-- 200 https://api.sonarcloud.io/analysis/jres?os=linux&arch=amd64 (1800ms, 471-byte body)
15:46:00.822 DEBUG Executing: /home/jbolger/.sonar/cache/bcb1b7b8ad68c93093f09b591b7cb17161d39891f7d29d33a586f5a328603707/OpenJDK17U-jre_x64_linux_hotspot_17.0.11_9.tar.gz_extracted/jdk-17.0.11+9-jre/bin/java --version
15:46:00.825 INFO  EXECUTION FAILURE
15:46:00.835 INFO  Total time: 10.486s
15:46:00.836 ERROR Error during SonarScanner CLI execution
java.lang.IllegalStateException: Failed to run the Java command
        at org.sonarsource.scanner.lib.internal.facade.forked.JavaRunner.execute(JavaRunner.java:83)
        at org.sonarsource.scanner.lib.internal.facade.forked.ScannerEngineLauncherFactory.jreSanityCheck(ScannerEngineLauncherFactory.java:61)
        at org.sonarsource.scanner.lib.internal.facade.forked.ScannerEngineLauncherFactory.createLauncher(ScannerEngineLauncherFactory.java:55)
        at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:154)
        at org.sonarsource.scanner.cli.Main.analyze(Main.java:76)
        at org.sonarsource.scanner.cli.Main.main(Main.java:64)
Caused by: java.io.IOException: Cannot run program "/home/jbolger/.sonar/cache/bcb1b7b8ad68c93093f09b591b7cb17161d39891f7d29d33a586f5a328603707/OpenJDK17U-jre_x64_linux_hotspot_17.0.11_9.tar.gz_extracted/jdk-17.0.11+9-jre/bin/java": error=13, Permission denied
        at java.base/java.lang.ProcessBuilder.start(Unknown Source)
        at java.base/java.lang.ProcessBuilder.start(Unknown Source)
        at org.sonarsource.scanner.lib.internal.facade.forked.JavaRunner.execute(JavaRunner.java:62)
        ... 5 common frames omitted
Caused by: java.io.IOException: error=13, Permission denied
        at java.base/java.lang.ProcessImpl.forkAndExec(Native Method)
        at java.base/java.lang.ProcessImpl.<init>(Unknown Source)
        at java.base/java.lang.ProcessImpl.start(Unknown Source)
        ... 8 common frames omitted

Command Used:

sonar-scanner \
  -Dsonar.organization=[redacted] \
  -Dsonar.projectKey=[redacted] \
  -Dsonar.sources=[redacted] \
  -Dsonar.host.url=https://sonarcloud.io \
  -Dsonar.c.file.suffixes=- \
  -Dsonar.cpp.file.suffixes=- \
  -Dsonar.objc.file.suffixes=- \
  -Dsonar.exclusions=[redacted]

Just throwing this out there as a possibility since you opened up permissions, and assuming there are no other ACL-related or NFS-related access to your home directory if it’s over NFS. But, in confusing matters like this, sometimes Linux’s “fapolicyd” is preventing permission to run apps that are outside the bounds of the “OK” directories to run executables defined in the fapolicyd configuration. Best first way to double check fapolicyd is not in your way, see if fapolicyd is running and the logs it leaves showing your specific failure (systemctl status fapolicyd). If it’s running and you are an admin, try turning fapolicyd off, and rerun the scanner. If it runs, the fapolicyd policies will need an update to allow execs of the executables that are getting “permission denied” errors…. or just leave fapolicyd off if your security people allow for that.

Hi @jbolger4,

To address your question:

“I’m also a bit confused why sonar is trying to download a JDK here?”

This relates to a feature called JRE Auto-provisioning. It’s designed to automatically download the required Java runtime from SonarQube, helping prepare for a future when we may need to require Java 21. This way, users won’t need to manually upgrade their Java version when that time comes.

If you prefer not to use this feature or it just doesn’t work in your environment, you can disable it by setting sonar.scanner.skipJreProvisioning=true. More details can be found in the documentation.

Perhaps @russfeirstein is onto something with fapolicyd – I’m just not sharp enough on my Linux sysadmin skills to comment!

Ya, if eliminating fapolicyd by turning it off can be done, it will at least “eliminate” one potential blocker. Depends on the security profile on your network. We had a SolarWinds SIEM installer that failed to install due to it using an “unpermitted” folder to run one of its executables. The excerpt from the support case was basically: “The resolve for the issue revolves around the installer’s LACK of checking for fapolicyd and its configuration that is PREVENTING files from being found, executed, and allowing the JVM portion of the installer to execute and possibly swlem-agent to run properly thereafter”

So, eliminating fapolicyd first, then SELinux configuration second, will at least get you closer to the goal, maybe. No guarantees. Tail light warranty.
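
The checks suggested in this thread (fapolicyd first, then SELinux), as an added triage script that is not from SonarSource or any poster: it pulls the programs the JVM was denied with error=13 out of scanner debug output and reports each one's status plus the state of both services. The function names, the constructed sample lines and the extra `noexec` mount check are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added triage example (not SonarSource code): list what the JVM could not
# exec with error=13 and check the blockers raised in this thread.

# Constructed sample, shaped like the two "Cannot run program" lines above.
SAMPLE='java.io.IOException: Cannot run program "uname": error=13, Permission denied
Caused by: java.io.IOException: Cannot run program "/home/user/.sonar/cache/HASH/jre/bin/java": error=13, Permission denied'

# Programs denied with EACCES, one per line, de-duplicated (log on stdin).
denied_programs() {
  sed -n 's/.*Cannot run program "\([^"]*\)": error=13.*/\1/p' | LC_ALL=C sort -u
}

# Classify one program: missing, not-executable, noexec-mount or ok.
exec_status() {
  local p opts
  p=$(command -v "$1" 2>/dev/null) || p=$1
  [ -e "$p" ] || { echo missing; return 0; }
  [ -x "$p" ] || { echo not-executable; return 0; }
  if command -v findmnt >/dev/null 2>&1; then
    opts=$(findmnt -no OPTIONS -T "$p" 2>/dev/null) || opts=
    case ",$opts," in *,noexec,*) echo noexec-mount; return 0 ;; esac
  fi
  echo ok
}

# fapolicyd service state, or "unknown" when systemd cannot be queried.
fapolicyd_state() {
  local s
  s=$(systemctl is-active fapolicyd 2>/dev/null) || true
  echo "${s:-unknown}"
}

# SELinux mode (Enforcing, Permissive, Disabled), or "unknown".
selinux_mode() {
  local m
  m=$(getenforce 2>/dev/null) || true
  echo "${m:-unknown}"
}

# Report for a log file given as $1, or for the constructed sample.
report() {
  local log prog
  if [ -n "${1:-}" ]; then log=$(cat -- "$1"); else log=$SAMPLE; fi
  printf '%s\n' "$log" | denied_programs | while IFS= read -r prog; do
    printf '%-14s %s\n' "$(exec_status "$prog")" "$prog"
  done
  printf 'fapolicyd: %s\nselinux:   %s\n' "$(fapolicyd_state)" "$(selinux_mode)"
}

report "${1:-}"
```

A program reported as `ok` while fapolicyd is `active` or SELinux is `Enforcing` points at policy rather than file modes, which is why the recursive 777 made no difference in that case.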