Sonarqube 10.7-Rhel 8-Java 17-Please report problem to SonarSource

  • which versions are you using: SonarQube Server 10.7.0.96327 /Enterprise - Java 17, Rhel 8, sonar-maven-plugin:5.0.0.4389
  • how is SonarQube deployed: from zip file on Rhel8 VM
  • what are you trying to achieve: Trying to complete a scan of a java project.
  • what have you tried so far to achieve this. (Verify environment, clean build area, rerun).

We have a GitLab build that, when it completes, kicks off the SonarQube scan in its last stage.

The SonarQube scan begins on line 13,074 of the build output. The scan runs saying it is processing files for a while, going through the various modules. It indexes all of the files, loads the metrics repository, and then lists the sensors it is using for hundreds of lines. Then on line 17428 it shows the following error:

```
[ERROR] Unable to run check class org.sonar.java.se.SymbolExecutionVisitor - on file ‘[internal path]/client/map/worldwind/render/ThreatTubeVolume.java’, To help improve the SonarSource Java Analyzer, please report this problem to SonarSource: see https://community.sonarsource.com/
java.lang.IllegalStateException: null
    at org.sonarsource.analyzer.commons.collections.SinglyLinkList$1.peek(SinglyLinkedList.java:177)
    at org.sonar.java.se.ProgramState.peekValueSymbol(ProgramValueState.java:242)
    at org.sonar.java.se.xproc.MethodYield.getReturnSymbolsAsTrackedSymbols(MethodYield.java:199)
    at org.sonar.java.se.xproc.MethodYield.lambda$flow$5(MethodYield.java:192)
    at java.base/java.util.HashMap.computeIfAbsent(Unknown Source)
    at org.sonar.java.se.xproc.MethodYield.flow(MethodYield.java:189)
    at org.sonar.java.se.FlowComputation$ExecutionPath.lambda$flowFromYields$14(FlowComputation.java:753)
    at java.base/java.util.stream.ReferencePipeline$3$1.accept(Unknown Source)
    at java.base/java.util.Iterator.ForEachRemaining(Unknown Source)
    at java.base/java.util.Spliterators$IteratorSpliterator.forEachRemaining(Unknown Source)
    at java.base/java.util.stream.AbstractPipeline.copyInto(Unknown Source)
    at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(Unknown Source)
    at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Unknown Source)
    at java.base/java.util.stream.AbstractPipeline.evaluate(Unknown Source)
    at java.base/java.util.stream.ReferencePipeline.collect(Unknown Source)
    at org.sonar.java.se.FlowComputation$ExecutionPath.flowFromYields(FlowComputation.java:761)
    at org.sonar.java.se.FlowComputation$ExecutionPath.addEdge(FlowComputation.java:345)
    at org.sonar.java.se.FlowComputation.lambda$run$7(FlowComputation.java:193)
```

The remaining stack trace is an additional 74 lines, and it contains four more lambdas further down. Let us know if you need them.

The file it is complaining about is from a common java library…

basic geometry stuff.

After the error this scan continues scanning the rest of the files. It gets to the message [INFO] 9335/9335 files have been analyzed. Then runs more security sensors.

It then shows the scan ended in failure.

[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:5.0.0.4389:sonar on project [internal] Analysis Failed.

So it scanned all of the files, had a problem with 1, then does not create the scan in sonarqube. Any ideas would help.

Java-error-Please Report.txt (13.9 KB)

Hi,

Thanks for reporting this!

SonarQube 10.7 is officially EOL. I don’t suppose it’s possible to upgrade to a current version and try again?

BTW, I don’t see ThreatTubeVolume.java in the version of the lib you’ve linked to.

 
Ann

Ann,

Thank you for your help on this, it is truly appreciated.

Our sales rep last fall said wait till 10.7. We waited, and our management wanted it real bad because it had some features they wanted. When 10.7 came out we jumped on it. We downloaded it, scanned it, got it approved by our security team and upgraded our system in early December in the Classified environment. So we have been live since December. 10.8 came out the day before we went live. LOL. We can entertain going to 25. Tell me if it is mandatory to get help on this. But it is a process to get this done on our classified environment.

That java program is a short program, but it just uses a few modules from the module:

https://github.com/NASAWorldWind/WebWorldWind/releases

It is just geometry and world stuff. It is a short program, but I cannot share it with you.

But even if one java file barfs out of 9000 plus, we still should get a report. So what is the story with the errors after the scan?

It looks like the scan completed, but not uploaded.

Timothy

FYI,

I looked at the file I uploaded, it does show ThreatTube in the first few lines of the error before it goes into the stack trace.

Timothy

Hi Timothy,

I was looking for ThreatTube in GH. Can you point me to the file there? I suspect we’ll need it to get to the bottom of this.

Is upgrading mandatory? … It would be easier. I have to at least have tried. :smiley:

I would expect so, yes. Can you provide a full, sonar.verbose=true (ref) analysis log, redacted as necessary?

I understand that your logs are lengthy already, and this will be large. So at a minimum, give me… 50? lines before each error (but ideally the whole darn thing).

 
Thx,
Ann

Ann,

Andy Keen (andrew.w.keen@lmco.com) is the SME on this build; he will be working with your questions.

Please respond to him with any of his answers and if you can CC me on this that would be helpful.

He is currently doing some debugging you requested on this and will get back to you once we get it redacted and pared down.

Timothy