We use the SonarCloudAnalyze@V3 task in Azure DevOps pipelines to analyze our code during CI/CD. The Agent is on-prem and as of yesterday, one of the pieces it appears to try to download or use is being reported by our company’s antivirus as a virus. It appears to be blocking this jar file: https://scanner.sonarcloud.io/plugins/iac/versions/be400c17dadedacf2c7b5ea8f960683f.jar
Here are some logs showing the failed request and some basic information from security:
```text
Starting: SonarCloudAnalyze
==============================================================================
Task : Run Code Analysis
Description : Run scanner and upload the results to SonarQube Cloud.
Version : 3.4.3
Author : sonarsource
Help : This task is not needed for Maven and Gradle projects since the scanner should be run as part of the build.
[More Information](https://docs.sonarcloud.io/advanced-setup/ci-based-analysis/sonarcloud-extension-for-azure-devops/)
==============================================================================
[command]"agents\_work\_tool\SonarScanner .NET\10.1.2\x64\SonarScanner.MSBuild.exe" end
SonarScanner for MSBuild 10.1.2
Using the .NET Framework version of the Scanner for MSBuild
Post-processing started.
Calling the TFS Processor executable...
Fetching code coverage report information from TFS...
Attempting to locate a test results (.trx) file...
Looking for TRX files in: <path>
No test results files found
Did not find any binary coverage files in the expected location.
Falling back on locating coverage files in the agent temp directory.
Searching for coverage files in <path>
All matching files: count=12
Unique coverage files: count=6
Coverage report conversion completed successfully.
The TFS Processor has finished
Calling the SonarScanner CLI...
INFO: Scanner configuration file: <path>
INFO: Project root configuration file: <path>
INFO: SonarScanner 5.0.1.3006
INFO: Java 21.0.9 Eclipse Adoptium (64-bit)
INFO: Windows Server 2022 10.0 amd64
INFO: SONAR_SCANNER_OPTS=<sensitive data removed>
INFO: User cache: <path>
INFO: Analyzing on SonarCloud
INFO: Default locale: "en_US", source code encoding: "UTF-8" (analysis is platform dependent)
INFO: Load global settings
INFO: Load global settings (done) | time=526ms
INFO: Server id: 1BD809FA-AWHW8ct9-T_TB3XqouNu
INFO: Loading required plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=178ms
INFO: Load/download plugins
INFO: Load/download plugins (done) | time=1169ms
INFO: ------------------------------------------------------------------------
INFO: EXECUTION FAILURE
INFO: ------------------------------------------------------------------------
INFO: Total time: 4.986s
INFO: Final Memory: 10M/34M
INFO: ------------------------------------------------------------------------
##[error]ERROR: Error during SonarScanner execution
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.sonarsource.scanner.api.internal.IsolatedClassloader@61862a7f-org.sonar.scanner.bootstrap.ScannerPluginRepository': Fail to request https://scanner.sonarcloud.io/plugins/iac/versions/be400c17dadedacf2c7b5ea8f960683f.jar
ERROR: Error during SonarScanner execution
```
Looking at the report, it seems that your tool is not raising on any specific finding.
We just released a new version of sonar-iac, which is now available on SonarQube Cloud.
It would be good to know if the new jar is still raising in your security software.
If yes, we need to take additional steps, most probably file a false-positive report with the vendor of your security software.
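When a plugin jar trips an antivirus and a false-positive report has to be filed, the vendor will want the exact artifact fingerprinted: file name, size, MD5 and SHA-256, the plugin identity from its manifest, and whether the jar bundles native binaries (the usual trigger for AV heuristics). The script below is an added example, not code from SonarSource or from the thread. It assumes (unverified) that the 32-hex file name served by scanner.sonarcloud.io is the jar's MD5 and that the manifest carries `Plugin-Key` and `Plugin-Version` attributes; the sample jar it builds is constructed in memory and is not a real plugin.

```python
import hashlib
import io
import re
import zipfile
from pathlib import Path

HEX32 = re.compile(r"^[0-9a-f]{32}$")
NATIVE_SUFFIXES = (".dll", ".so", ".dylib", ".exe")


def parse_manifest(text: str) -> dict:
    """Parse META-INF/MANIFEST.MF 'Key: value' lines; a leading space marks a continuation line."""
    attrs = {}
    last = None
    for line in text.splitlines():
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def expected_name(jar_bytes: bytes) -> str:
    """File name the CDN would use under the (assumed) name-is-MD5 convention."""
    return hashlib.md5(jar_bytes).hexdigest() + ".jar"


def fingerprint(jar_bytes: bytes, filename: str) -> dict:
    """Collect the facts a false-positive report to an AV vendor should carry."""
    md5 = hashlib.md5(jar_bytes).hexdigest()
    sha256 = hashlib.sha256(jar_bytes).hexdigest()
    stem = Path(filename).stem.lower()
    # Assumption: the 32-hex file name used by scanner.sonarcloud.io is the jar's MD5.
    name_matches_md5 = HEX32.fullmatch(stem) is not None and stem == md5
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        manifest = {}
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        natives = sorted(n for n in names if n.lower().endswith(NATIVE_SUFFIXES))
        class_count = sum(1 for n in names if n.endswith(".class"))
    return {
        "file": filename,
        "size": len(jar_bytes),
        "md5": md5,
        "sha256": sha256,
        "name_matches_md5": name_matches_md5,
        "plugin_key": manifest.get("Plugin-Key"),        # assumed manifest attribute
        "plugin_version": manifest.get("Plugin-Version"),  # assumed manifest attribute
        "class_count": class_count,
        "native_binaries": natives,
    }


def build_sample_jar(with_native: bool = False) -> bytes:
    """Constructed stand-in for a plugin jar; not a SonarSource artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nPlugin-Key: iac\r\nPlugin-Version: 1.0.0-sample\r\n")
        zf.writestr("org/example/Sample.class", b"\xca\xfe\xba\xbe" + b"\0" * 16)
        if with_native:
            zf.writestr("native/win32/helper.dll", b"MZ" + b"\0" * 32)
    return buf.getvalue()


def report_lines(fp: dict) -> list:
    """Render the fingerprint as the lines to paste into the vendor's false-positive form."""
    lines = [f"{k}: {v}" for k, v in fp.items()]
    if fp["native_binaries"]:
        lines.append("note: jar bundles native binaries; list them explicitly, they are the usual AV trigger")
    if not fp["name_matches_md5"]:
        lines.append("note: file name is not the jar's MD5; re-download and re-check before reporting")
    return lines


if __name__ == "__main__":
    data = build_sample_jar(with_native=True)
    for line in report_lines(fingerprint(data, expected_name(data))):
        print(line)
```

Run it against the real download with `fingerprint(Path("be400c17dadedacf2c7b5ea8f960683f.jar").read_bytes(), "be400c17dadedacf2c7b5ea8f960683f.jar")` once the file is on disk; a name that does not match the MD5 means the copy is not the one the CDN serves and should be re-fetched before anyone files a report on it.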