Sonar Scanner subprocess fails inside NixOS

SamCristall · January 15, 2025, 8:55am

We have been using SonarCloud for some time, but we are moving to using NixOS for our build images and we’ve hit an issue with sonar-scanner:

ALM used: Bitbucket Cloud
CI system used: Bitbucket Cloud
Command: sonar-scanner -X
Languages: C, C++
Version Info (from my test system):

08:47:05.085 INFO  Scanner configuration file: /nix/store/nl1kjfmz0s1xzg5pk6yfsassg44w1ick-sonar-scanner-cli-6.2.1.4610/conf/sonar-scanner.properties
08:47:05.089 INFO  Project root configuration file: /mnt/project/sonar-project.properties
08:47:05.110 INFO  SonarScanner CLI 6.2.1-SNAPSHOT
08:47:05.111 INFO  Java 21.0.5 N/A (64-bit)
08:47:05.115 INFO  Linux 5.15.167.4-microsoft-standard-WSL2 amd64

Error observed:

08:21:01.050 DEBUG Java memory after lexical analysis (used, peak): 91, 103
08:21:01.079 DEBUG Probing compiler: [/nix/store/rdc1jnyw74mwr2gszqc5zwi433zxs089-gcc-wrapper-13.2.0/bin/g++, -x, c++, --std, gnu++20, -v, -dM, -E, -]
08:21:01.104 DEBUG Java memory after analysis is done (used, peak): 93, 93
08:21:01.161 ERROR Error during SonarScanner Engine execution
java.lang.IllegalStateException: java.io.IOException: Cannot run program "/mnt/project/.scannerwork/.sonartmp/6113319928782672617/subprocess" (in directory "/mnt/project/build/cxx/common"): error=2, No such file or directory
        at com.sonar.cpp.driver.ProcessExecutor.execute(ProcessExecutor.java:73)
        at com.sonar.cpp.driver.ProcessExecutor.execute(ProcessExecutor.java:44)

Digging through the logs a bit, it seems that this “subprocess” executable, is an analyzer downloaded partway through the scan. My best guess is that “No such file or directory” isn’t quite right, but rather “subprocess” cannot be run due to linkage. This would be because NixOS doesn’t easily allow for dynamic binaries. It is not a FHS system meaning that downloaded binaries won’t be able to find typical system libraries without first being patched with patchelf.

The executable that is downloaded appears to be temporary, existing only while the sonar-scanner run is going. This makes it very difficult/impossible to patch.

Has something like this been reported before? Are there any workarounds or settings I’m missing?

mpaladin · January 20, 2025, 2:26pm

Hi @SamCristall ,

You are correct in your guess. A similar problem has been reported on Alpine based distributions.
We have no plan to support NixOS for the time being. Is that a blocker for you?

SamCristall · January 27, 2025, 8:56pm

We are able to work around by using a different base OS (Debian in our case.) I was able to create a fragile solution on NixOS involving pausing the Sonar process, when the analyzer was downloaded, patching the analyzer with Nix’s dynamic linker, then resuming. So I can confirm that this is the core issue at least. In the future, it would be nice to perhaps customize the analyzer command.

mpaladin · January 28, 2025, 8:42am

Hi @SamCristall ,

thank you for confirming that.

I created a ticket to track NixOS requests: Jira.