Sonarqube 10.3 = sonar-maven required class was missing javax/servlet/Filter

SonarQube Server / Community Build
,
1

Hi,

testing sonar-maven with Java 17, Maven 3.9.6, Sonarqube 10.3 and the basic example

with Sonarqube 9.9 LTS
mvn clean verify sonar:sonar -Dsonar.host.url=xxx -Dsonar.login=xxx
there’s no error

but with Sonarqube 10.3
mvn clean verify sonar:sonar -Dsonar.host.url=xxx -Dsonar.token=xxx
i get

[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.10.0.2594:sonar (default-cli) on project sonarscanner-maven-basic:
        Execution default-cli of goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.10.0.2594:sonar failed: A required class was missing while
        executing org.sonarsource.scanner.maven:sonar-maven-plugin:3.10.0.2594:sonar: javax/servlet/Filter
[ERROR] -----------------------------------------------------
[ERROR] realm =    plugin>org.sonarsource.scanner.maven:sonar-maven-plugin:3.10.0.2594
[ERROR] strategy = org.codehaus.plexus.classworlds.strategy.SelfFirstStrategy
[ERROR] urls[0] = file:<mavencache>/repository/org/sonarsource/scanner/maven/sonar-maven-plugin/3.10.0.2594/sonar-maven-plugin-3.10.0.2594.jar
[ERROR] urls[1] = file:<mavencache>/repository/org/codehaus/plexus/plexus-sec-dispatcher/2.0/plexus-sec-dispatcher-2.0.jar
[ERROR] urls[2] = file:<mavencache>/repository/org/codehaus/plexus/plexus-utils/3.4.1/plexus-utils-3.4.1.jar
[ERROR] urls[3] = file:<mavencache>/repository/org/codehaus/plexus/plexus-cipher/2.0/plexus-cipher-2.0.jar
[ERROR] urls[4] = file:<mavencache>/repository/org/sonarsource/scanner/api/sonar-scanner-api/2.16.3.1081/sonar-scanner-api-2.16.3.1081.jar
[ERROR] urls[5] = file:<mavencache>/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar
[ERROR] Number of foreign imports: 1
[ERROR] import: Entry[import  from realm ClassRealm[maven.api, parent: null]]
[ERROR]
[ERROR] -----------------------------------------------------
[ERROR] : javax.servlet.Filter

Tried also with older version sonar-maven 3.9.1 and other maven projects, but it results in the same error.

Never had this problem before.
This is a showstopper preventing us from updating Sonarqube 9.9 LTS > 10.3

Any ideas ?

Found only this, but it wasn’t helpful

Gilbert

2

Hi Gilbert,

got nerd-sniped and probably not very helpful: I widened the search a bit but still do not really technically understand the cause.

Is it something where the sq-plugin expects a dependency available via maven pom project dependencies and this is not there?

Others cleaned their local maven .m2 cache to remove possibilities of cache failures, others added dependencies to the pom.

As i (try to) understand it right now, this is caused by trying to analyze something and the specific dependencies for this analyzed source needs a specific dependency. also i think “jakarta vs javax” maybe.

sorry for the incoherent ramblings, can anyone with more knowledge maybe chime in? :innocent:

Maybe this (-X …) mentioned here could help narrow the cause? :person_shrugging:

3

Hi Daniel,

tried also cleaning the maven cache and -Dsonar.exclusions=**/*.jsp, didn’t help.
Also the maven-basic example has no JSP files.
Loglevel DEBUG -X didn’t reveal any helpful details - at least for me.
Java 17 and “jakarta vs javax” sounds familiar :thinking:

Gilbert

4

I tried to find info about the moment / time when the naming was changed. Found something here:

From a namespace perspective, Jakarta EE 8 still uses the javax.* naming. However, the Jakarta EE 9 release on Dec 8th, 2020, would introduce jakarta.* as the namespace to replace javax.* for Jakarta EE specifications.

I am not very confident that this might lead in the right direction, tho.

5

hi @Rebse , do you have JSP files in your project? If so, can you try to exclude them to see if they are the culprint?

6

Tried also -Dsonar.exclusions=**/*.jsp - as it was mentioned in the community post i found - without success and the maven-basic example from sonarsource github has no JSP files.

So you may use the maven-basic example as reproducer.

7

Found this related jira ticket with status closed but incomplete
https://sonarsource.atlassian.net/browse/MSONAR-48

8

Hi Gilbert,

What’s the exact Java distro you’re using?

 
Ann

9

Hi Ann,

it’s the 17.0.6 from OpenJDK, but to be sure i will ask my colleague - he’s the Java guy - on Monday.

Gilbert

11

Hi,

Thanks for the detail. I’ve flagged this for the language experts.

 
Ann

12

Did a quick test on my private machine with Windows 11, Sonarqube Community edition 10.3,
Temurin Java 17.0.9 and Java 17.0.6, OpenJDK 17.0.2 (didn’t find a version 17.0.6), Maven 3.9.6
and the maven-basic example.

openjdk version "17.0.9" 2023-10-17
OpenJDK Runtime Environment Temurin-17.0.9+9 (build 17.0.9+9)
OpenJDK 64-Bit Server VM Temurin-17.0.9+9 (build 17.0.9+9, mixed mode, sharing)

openjdk version "17.0.6" 2023-01-17
OpenJDK Runtime Environment Temurin-17.0.6+10 (build 17.0.6+10)
OpenJDK 64-Bit Server VM Temurin-17.0.6+10 (build 17.0.6+10, mixed mode, sharing)

openjdk version "17.0.2" 2022-01-18
OpenJDK Runtime Environment (build 17.0.2+8-86)
OpenJDK 64-Bit Server VM (build 17.0.2+8-86, mixed mode, sharing)

and

mvn clean verify sonar:sonar -Dsonar.host.url=http://localhost:9000 -Dsonar.token=squ_xxx
[...]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------

The differences are

Windows Server 2019 vs. Windows 11 professional
Sonarqube Enterprise 10.3 vs. Sonarqube Community 10.3
OpenJDK 17.0.6 (from OpenJDK directly i believe) vs. OpenJDK Temurin 17.0.6 / 17.0.9 and OpenJDK 17.0.2

I’ve never had any problems before, when using OpenJDK 17.0.6 and it works great with
Maven 3.9.6 and Sonarqube Enterprise 9.9 LTS.

Will do further investigations on Monday.

1 Like
13

Nevermind, i’ve found the reason.
The error comes from a third party plugin.
I’m in contact with the developer and will create an issue.

2 Likes
15

Hi Gilbert,

Thanks for the followup. Is it a Marketplace plugin? If so, I’d like to know which one so I can adjust the compatibility range.

 
Thx,
Ann

16

Hi Ann,

AFAIK it’s not listed as Marketplace plugin

It was a try to fix

Gilbert

1 Like
17

Hi Ann,

after all, I’m wondering how this error came about, because the plugin works otherwise.
There are only problems when starting an analysis, i.e. with Maven - didn’t try other scanners.

Does this possibly have something to do with it and maybe it’s fixed with Sonarqube 10.4 !?

https://sonarsource.atlassian.net/browse/SONAR-19996

Want to give some hints to the developer of Javamelody - we use it for Jenkins also.

Gilbert

18

Hi Gilbert,

Would you mind cobbling together a trial with the vanilla scanner? That way we can maybe isolate SQ10.3 versus “with Maven”.

 
Thx,
Ann

19

Hi Ann,

it’s the same with Java 17.0.6, Sonarqube Community edition 10.3, the activated plugin and the
Sonar CLI scanner, which results in

ERROR: Error during SonarScanner execution
java.lang.NoClassDefFoundError: javax/servlet/Filter
        at java.base/java.lang.ClassLoader.defineClass1(Native Method)
        at java.base/java.lang.ClassLoader.defineClass(Unknown Source)
        at java.base/java.security.SecureClassLoader.defineClass(Unknown Source)
        at java.base/java.net.URLClassLoader.defineClass(Unknown Source)
        at java.base/java.net.URLClassLoader$1.run(Unknown Source)
        at java.base/java.net.URLClassLoader$1.run(Unknown Source)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/java.net.URLClassLoader.findClass(Unknown Source)
        at org.sonarsource.scanner.api.internal.IsolatedClassloader.loadClass(IsolatedClassloader.java:82)
        at java.base/java.lang.ClassLoader.loadClass(Unknown Source)
        at org.sonar.classloader.ClassRealm.loadClass(ClassRealm.java:84)
        at org.sonar.classloader.ClassRealm.loadClass(ClassRealm.java:76)
        at org.sonar.classloader.DefaultClassloaderRef.loadClassIfPresent(DefaultClassloaderRef.java:40)
        at org.sonar.classloader.ClassRealm.loadClassFromParent(ClassRealm.java:147)
        at org.sonar.classloader.ParentFirstStrategy.loadClass(ParentFirstStrategy.java:35)
        at org.sonar.classloader.ClassRealm.loadClass(ClassRealm.java:87)
        at org.sonar.classloader.ClassRealm.loadClass(ClassRealm.java:76)
        at java.base/java.lang.ClassLoader.defineClass1(Native Method)
        at java.base/java.lang.ClassLoader.defineClass(Unknown Source)
        at java.base/java.security.SecureClassLoader.defineClass(Unknown Source)
        at java.base/java.net.URLClassLoader.defineClass(Unknown Source)
        at java.base/java.net.URLClassLoader$1.run(Unknown Source)
        at java.base/java.net.URLClassLoader$1.run(Unknown Source)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/java.net.URLClassLoader.findClass(Unknown Source)
        at org.sonar.classloader.ClassRealm.loadClassFromSelf(ClassRealm.java:125)
        at org.sonar.classloader.ParentFirstStrategy.loadClass(ParentFirstStrategy.java:37)
        at org.sonar.classloader.ClassRealm.loadClass(ClassRealm.java:87)
        at org.sonar.classloader.ClassRealm.loadClass(ClassRealm.java:76)
        at org.sonar.plugins.javamelody.SonarJavaMelodyPlugin.define(SonarJavaMelodyPlugin.java:41)
        at org.sonar.scanner.bootstrap.ExtensionInstaller.install(ExtensionInstaller.java:57)
        at org.sonar.scanner.scan.SpringProjectScanContainer.addScannerExtensions(SpringProjectScanContainer.java:323)
        at org.sonar.scanner.scan.SpringProjectScanContainer.doBeforeStart(SpringProjectScanContainer.java:154)
        at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:199)
        at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:180)
        at org.sonar.scanner.bootstrap.SpringGlobalContainer.doAfterStart(SpringGlobalContainer.java:139)
        at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:201)
        at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:180)
        at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:71)
        at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:65)
        at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.base/java.lang.reflect.Method.invoke(Unknown Source)
        at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
        at com.sun.proxy.$Proxy0.execute(Unknown Source)
        at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)
        at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)
        at org.sonarsource.scanner.cli.Main.execute(Main.java:126)
        at org.sonarsource.scanner.cli.Main.execute(Main.java:81)
        at org.sonarsource.scanner.cli.Main.main(Main.java:62)
Caused by: java.lang.ClassNotFoundException: javax.servlet.Filter
        at java.base/java.net.URLClassLoader.findClass(Unknown Source)
        at org.sonarsource.scanner.api.internal.IsolatedClassloader.loadClass(IsolatedClassloader.java:82)
        at java.base/java.lang.ClassLoader.loadClass(Unknown Source)
        ... 52 more

we use

See this link for plugin download for your tests

Gilbert

1 Like
20

Hi Gilbert,

Since we’ve isolated this to SonarQube, I come back to your OP, where the comparison point is 9.9. We dropped a lot of deprecated APIs in 10.0 and I can only guess that’s the underlying cause here.

But… JavaMelody is a monitoring program. Why is it participating in analysis to start with? Is it monitoring analysis performance too? I would have expected it to only monitor the SonarQube server itself.

 
Ann

21

Hi Ann,

I ask myself that too, it’s (just) a monitoring plugin - it’s not monitoring analysis performance at all - and it works fine, but there are problems when this plugin is active and i want to do an analysis.

If we/you find the underlying cause, this will be helpful for plugin developers.

Gilbert

23

Hi Gilbert,

We’re making some changes to how plugins are downloaded for analysis (to only download the ones needed for the current project, you’ll be happy to hear). I don’t think any of those changes were started in 10.3. I think it’s all in 10.4. If it did start in 10.3, then my Jira-fu is weak today (not really a shocker).

That said, from a browse through the plugin, it’s not clear to me how this is getting tangled up in analysis. So I’ve flagged this for the product team.

 
Ann

1 Like