SonarQube 7.8 Enterprise Edition, uninstalling SonarPHP causes failure on restart

SonarQube 7.8 Enterprise Edition

Steps to Reproduce

  • Clean install of 7.8 Enterprise Edition
  • Uninstall SonarPHP
  • restart server

Plugins

The plugin list below is from the web.log file, after uninstalling SonarPHP. Note I could not uninstall the Vulnerability Rules for PHP.
On server restart, the exception is thrown

 java.lang.IllegalStateException: Fail to load plugin Vulnerability Rules for PHP [securityphpfrontend]

Web.log

Deploy plugin Ansible Lint / 2.1.0
Deploy plugin Findbugs / 3.11.0 /
Deploy plugin Git / 1.8.0.1574 / aec3dc8f5228aabd218e1cd31ac6e6515a43715d
Deploy plugin JaCoCo / 1.0.2.475 / b79a4724f3a9af1051266b4f8ca0460977295ead
Deploy plugin LDAP / 2.2.0.608 / 79dc3fa4393a29667673c70182f3016288b548b7
Deploy plugin PMD / 3.2.0 / fc4a4da85e5dd88dc0d60b16c687eea1e36072a8
Deploy plugin SAML 2.0 Authentication for SonarQube / 1.1.0.181 / 16fcb5be2d3bcfee8920b29cd758d8b957a18acb
Deploy plugin SonarABAP / 3.8.0.2034 / 2904652c6ef4863eaace62c40fec0512724430e4
Deploy plugin SonarApex / 1.5.0.315 / 4ff3a145a58f3f84f1b39846a205a129d742e993
Deploy plugin SonarC# / 7.15.0.8572 / e0ad49e38a28a8fc333ba746fc998e48678f6a8b
Deploy plugin SonarCFamily / 6.3.0.11371 / 87798a096368f2cee97709b9d41b9c135ac2600c
Deploy plugin SonarCOBOL / 4.4.0.3403 / 87052f378052eedd582643a831d334123cf39965
Deploy plugin SonarCSS / 1.1.1.1010 / 365e21fd0cb9035669fc59f6fec7c8fd28a7303b
Deploy plugin SonarHTML / 3.1.0.1615 / 4181edb5eff5605bec82dc0aa15ecd70eaa5857f
Deploy plugin SonarJS / 5.2.1.7778 / 49f34eaeaad59868d4353d89b1fc5c02bbe51976
Deploy plugin SonarJava / 5.13.1.18282 / 568f8ed2349f48e250a9329895b9a870100dfbeb
Deploy plugin SonarPLI / 1.10.0.1880 / 1f78eb283a8d0c3e7f911f3259094c5696adad64
Deploy plugin SonarPLSQL / 3.4.1.2576 / a27e6384088454d7160dd39ea5ba54a9929c15f4
Deploy plugin SonarRPG / 2.3.0.1187 / e0c75c815c1ae3955d823f1abcc8c1718b2d69f7
Deploy plugin SonarSwift / 4.1.0.3087 / e71ead60ade025c4f22a8c29fc32ab7c90606ec9
Deploy plugin SonarTS / 1.9.0.3766 / 4a4080b78001a78d758d1d0fa0190fb9496b6f57
Deploy plugin SonarTSQL / 1.4.0.3334 / 7b4dc9eeb6301765e09583a3d570b5941223e0b4
Deploy plugin SonarVB / 7.15.0.8572 / e0ad49e38a28a8fc333ba746fc998e48678f6a8b
Deploy plugin SonarVB6 / 2.6.0.1875 / cfa6ee80615b98744158f3981fb29497101a03f5
Deploy plugin SonarXML / 2.0.1.2020 / c5b84004face582d56f110e24c29bf9c6a679e69
Deploy plugin Svn / 1.9.0.1295 / 942e075773975354e32691a60bfd968065703e04
Deploy plugin Vulnerability Analysis / 7.8.0.4451 / 456b543ec1a227a2b68c8b1cea28fd76feefdd88
Deploy plugin Vulnerability Rules for C# / 7.8.0.4451 / 456b543ec1a227a2b68c8b1cea28fd76feefdd88
Deploy plugin Vulnerability Rules for Java / 7.8.0.4451 / 456b543ec1a227a2b68c8b1cea28fd76feefdd88
Deploy plugin Vulnerability Rules for PHP / 7.8.0.4451 / 456b543ec1a227a2b68c8b1cea28fd76feefdd88
Deploy plugin YAML Analyzer / 1.4.3

further output from web.log shows the exception

019.06.28 20:13:47 INFO  web[][o.s.s.p.w.MasterServletFilter] Initializing servlet filter org.sonar.server.ws.WebServiceFilter@a4c1a01 [pattern=UrlPattern{inclusions=[/api/system/migrate_db.*, ...], exclusions=[/api/properties*, ...]}]
2019.06.28 20:13:48 INFO  web[][o.s.s.a.EmbeddedTomcat] HTTP connector enabled on port 9000
2019.06.28 20:13:49 ERROR web[][o.s.s.p.Platform] Background initialization failed. Stopping SonarQube
java.lang.IllegalStateException: Fail to load plugin Vulnerability Rules for PHP [securityphpfrontend]
        at org.sonar.server.plugins.ServerExtensionInstaller.installExtensions(ServerExtensionInstaller.java:82)
        at org.sonar.server.platform.platformlevel.PlatformLevel4.start(PlatformLevel4.java:559)
        at org.sonar.server.platform.Platform.start(Platform.java:211)
        at org.sonar.server.platform.Platform.startLevel34Containers(Platform.java:185)
        at org.sonar.server.platform.Platform.access$500(Platform.java:46)
        at org.sonar.server.platform.Platform$1.lambda$doRun$0(Platform.java:119)
        at org.sonar.server.platform.Platform$AutoStarterRunnable.runIfNotAborted(Platform.java:371)
        at org.sonar.server.platform.Platform$1.doRun(Platform.java:119)
        at org.sonar.server.platform.Platform$AutoStarterRunnable.run(Platform.java:355)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NoClassDefFoundError: org/sonar/plugins/php/api/visitors/PHPCustomRuleRepository
        at java.lang.ClassLoader.defineClass1(Native Method)
        at java.lang.ClassLoader.defineClass(ClassLoader.java:763)
        at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
        at java.net.URLClassLoader.defineClass(URLClassLoader.java:468)
        at java.net.URLClassLoader.access$100(URLClassLoader.java:74)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:369)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:363)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:362)
        at org.sonar.classloader.ClassRealm.loadClassFromSelf(ClassRealm.java:125)
        at org.sonar.classloader.ParentFirstStrategy.loadClass(ParentFirstStrategy.java:37)
        at org.sonar.classloader.ClassRealm.loadClass(ClassRealm.java:87)
        at org.sonar.classloader.ClassRealm.loadClass(ClassRealm.java:76)
        at com.sonar.security.frontend.php.A.define(Unknown Source)
        at org.sonar.server.plugins.ServerExtensionInstaller.installExtensions(ServerExtensionInstaller.java:72)
        ... 9 common frames omitted
Caused by: java.lang.ClassNotFoundException: org.sonar.plugins.php.api.visitors.PHPCustomRuleRepository
        at org.sonar.classloader.ParentFirstStrategy.loadClass(ParentFirstStrategy.java:39)
        at org.sonar.classloader.ClassRealm.loadClass(ClassRealm.java:87)
        at org.sonar.classloader.ClassRealm.loadClass(ClassRealm.java:76)
        ... 24 common frames omitted
2019.06.28 20:13:50 INFO  web[][o.s.p.ProcessEntryPoint] Hard stopping process
2019.06.28 20:13:51 WARN  web[][o.s.p.ProcessEntryPoint$HardStopperThread] Can not stop in 1000ms
2019.06.28 20:13:51 WARN  web[][o.s.s.a.EmbeddedTomcat] Failed to stop web server
org.apache.catalina.LifecycleException: Failed to stop component [StandardServer[-1]]

The Vulnerability Rules for PHP plugin appears to have a dependency on the SonarPHP plugin in Enterprise Edition.

Note

I now cannot start SonarQube to re-install the SonarPHP plugin. A workaround is needed

Hi.

You need to remove the sonar-security-php-frontend-plugin too. It depends on the SonarPHP plugin.

2 Likes

Thank you @felipebz. Note that the application cannot start because the exception is thrown during startup. I will need to remove the sonar-security-php-frontend-plugin without access to the user interface. Can the plugin simply be removed from the filesystem, or do you have have a recommendation on how to remove the plugin without starting the application?

You can remove it from the filesystem. :slight_smile:

1 Like

Hi,

Out of curiosity, why do you want to uninstall SonarPHP (&etc)?

 
Thx,
Ann

Hi Ann - we aren’t needing to scan PHP source and I was wanting to keep the administration as clean as possible. There were a few other languages in addition to PHP that were in this category.
-brad

Hi,

Thanks for sharing.

 
Ann

I faced the same issue today with version 7.9.1 LTS. Uninstalled PHP plugin and server failed to restart. Isn’t this a bug that should be fixed ? I have uninstalled several plugins across several SQ versions but never faced such an issue. When a plugin is removed from UI, it should remove all dependent plugins too or at least give a warning to remove those plugins manually first.

I have the same problem. I have CPP projects and it is specified i .properties file but sometimes i get errors about node.js not present. So i removed all plugins other than C and Java and removing PHP plugin gave me an error. I removed sonar-security-php-frontend-plugin too, but it gave different error.

    Caused by: java.lang.ClassNotFoundException: org.sonar.plugins.php.api.visitors.PHPCustomRuleRepository
    	at org.sonar.classloader.ParentFirstStrategy.loadClass(ParentFirstStrategy.java:39)
    	at org.sonar.classloader.ClassRealm.loadClass(ClassRealm.java:87)
    	at org.sonar.classloader.ClassRealm.loadClass(ClassRealm.java:76)
    	... 23 common frames omitted

So yea, it seems that PHP plugins are very poorly written.

Hi @Dominik_Panas,

Let’s say instead that it wasn’t intended to work that way.

If you want to limit the languages you analyze, rather than gutting your instance, you should take a look at exclusions.

 
Ann

Thank you!

@ganncamp
I thought that sonar.language=cpp is enough to avoid triggering plugins for any other languages. I use exclusions as a second filter.

I take back what i said about “poorly written”. Im sorry, i shouldnt say that.

@Dominik_Panas sonar.language had been deprecated literally for years. Since 2014. It was dropped in 7.7.

 
Ann