Sonarqube-findbugs-sonarjava compatibility

We use SonarQube 6.7.2, FindBugs Plugin 3.6, SonarJava Plugin 5.4, Java 8

We need to support scanning Java 11 code. We initiate the scan via Jenkins. To support Java 11 scanning, we upgraded SonarJava from 5.4 to 5.9.2 or 5.10.2. Without FindBugs it works fine, but with it we get repeated java.lang.IllegalArgumentException errors similar to https://github.com/spotbugs/spotbugs-maven-plugin/issues/47

I know ideally we must upgrade SonarQube itself, but we are a conservative, risk-averse, highly regulated place, so it takes time. Is there a combination of FindBugs (which we seem to need for the security rules it now offers) and SonarJava to support Java 11 that would run on our current SonarQube 6.7.2?

Is there a compatibility matrix between the three? Are there other dependencies that must be upgraded as well?

ERROR:
Skipping 139 KB.. Full Log
  Error scanning com/fhlbny/ahp/contact/mgmt/model/AhpCmEntityStatus for referenced classes
    java.lang.IllegalArgumentException
      At org.objectweb.asm.ClassReader.<init>(ClassReader.java:160)
      At org.objectweb.asm.ClassReader.<init>(ClassReader.java:143)
      At edu.umd.cs.findbugs.asm.FBClassReader.<init>(FBClassReader.java:35)
      At edu.umd.cs.findbugs.classfile.engine.asm.ClassReaderAnalysisEngine.analyze(ClassReaderAnalysisEngine.java:48)
      At edu.umd.cs.findbugs.classfile.engine.asm.ClassReaderAnalysisEngine.analyze(ClassReaderAnalysisEngine.java:34)
      At edu.umd.cs.findbugs.classfile.impl.AnalysisCache.getClassAnalysis(AnalysisCache.java:262)
      At edu.umd.cs.findbugs.classfile.engine.ClassInfoAnalysisEngine.analyze(ClassInfoAnalysisEngine.java:75)
      At edu.umd.cs.findbugs.classfile.engine.ClassInfoAnalysisEngine.analyze(ClassInfoAnalysisEngine.java:38)
      At edu.umd.cs.findbugs.classfile.impl.AnalysisCache.getClassAnalysis(AnalysisCache.java:262)
      At edu.umd.cs.findbugs.FindBugs2.buildReferencedClassSet(FindBugs2.java:773)
      At edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:219)
      At org.sonar.plugins.findbugs.FindbugsExecutor$FindbugsTask.call(FindbugsExecutor.java:226)
      At java.util.concurrent.FutureTask.run(FutureTask.java:266)
      At java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      At java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      At java.lang.Thread.run(Thread.java:745)
  Error scanning com/fhlbny/ahp/contact/mgmt/model/AhpCmState for referenced classes
    java.lang.IllegalArgumentException
      At org.objectweb.asm.ClassReader.<init>(ClassReader.java:160)…
  Error scanning com/fhlbny/ahp/contact/mgmt/model/Phone for referenced classes
    java.lang.IllegalArgumentException
     …

Thank you!
Dan

Hi Dan,

Welcome to the community!

You should try raising an issue on the FindBugs/SpotBugs plugin. Maybe you’ll get an answer there.

 
Ann


Looks similar to:

:wink:


Thanks for all the responses. Which is the “official” site for FindBugs community support (I am getting confused between the findbugs/findsecbugs/spotbugs project sites, etc.) where I should repost my question? What is the best source for a compatibility matrix between SQ core and plugin versions, as well as plugin-to-plugin compatibility?

Here:

FindBugs is unmaintained. SpotBugs is a new tool which has replaced it. They didn’t change the id, because all people would be forced to uninstall the old plugin and install a new one manually (the update center won’t help). It is just easier to still use the old id :wink:

Before you create a new issue, try to use at least version 3.10.0 (you have 3.6):

The first version of the FindBugs plugin which promises to support JDK 11 is 3.10.0 (it depends on SonarJava 5.10.1, where JDK 11 is supported since SonarJava 5.8 (SONARJAVA-2862), see code).
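The stack traces in the question originate in the `org.objectweb.asm.ClassReader` constructor, which throws `IllegalArgumentException` when a class file's version is newer than the bundled ASM release understands. As an added example (not code from any poster in this thread or from the plugins), this script lists the classes in a jar that were compiled above a chosen ceiling, so you can confirm which artifacts an older analyzer will reject. The function names, the constructed sample jar and the Java 8 ceiling are assumptions.

```python
import io
import struct
import zipfile

# Class-file major version = Java release + 44 for Java 5 and later
# (Java 8 -> 52, Java 11 -> 55).
JAVA8_MAJOR = 52  # assumed ceiling; set it to what your analyzer supports


def class_major(data):
    """Return the class-file major version, or None if data is not a class file."""
    if len(data) < 8:
        return None
    magic, _minor, major = struct.unpack(">IHH", data[:8])
    return major if magic == 0xCAFEBABE else None


def too_new(jar_bytes, max_major):
    """Map entry name -> Java release for every class newer than max_major."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            major = class_major(jar.read(name))
            if major is not None and major > max_major:
                found[name] = major - 44
    return found


def _fake_class(major):
    # Constructed sample: only the 8-byte class-file header, not real bytecode.
    return struct.pack(">IHH", 0xCAFEBABE, 0, major)


def build_sample_jar():
    """Build a constructed in-memory jar mixing Java 8 and Java 11 headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("demo/Old.class", _fake_class(52))  # Java 8
        jar.writestr("demo/New.class", _fake_class(55))  # Java 11
        # Multi-release jars can hide newer classes under META-INF/versions/.
        jar.writestr("META-INF/versions/11/demo/Old.class", _fake_class(55))
        jar.writestr("demo/notes.txt", "not a class")
    return buf.getvalue()


if __name__ == "__main__":
    for name, release in sorted(too_new(build_sample_jar(), JAVA8_MAJOR).items()):
        print(f"{name}: compiled for Java {release}")
```

To check a real artifact, pass the bytes of the jar that the Jenkins job hands to the scanner instead of the constructed sample.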


Thanks again! Yes, I tried FindBugs 3.11.1 and it requires SQ 7.6 or higher, which is higher than our 6.7.2. Will try 3.10 next.

Yes, same for FindBugs 3.10.0 - needs SonarQube 7.6 at the minimum…