SonarQube - java.lang.ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0

Template for a good bug report, formatted with Markdown:

  • versions used: SonarQube * Developer Edition Version 7.9 (build 26994)
  • error observed: java.lang.ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0

I am trying to run SonarQube on a PHP project using the SonarQube Jenkins plugin. The project is built successfully, but SonarQube fails to execute with the above-mentioned error.

Screenshot: http://prntscr.com/qq6amj

Error:

INFO: ------------------------------------------------------------------------
INFO: Total time: 15:22.132s
INFO: Final Memory: 68M/294M
INFO: ------------------------------------------------------------------------
ERROR: Error during SonarQube Scanner execution
java.lang.ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0
	at java.base/java.util.Arrays$ArrayList.get(Unknown Source)
	at com.sonar.security.analysis.taint.A.E.B(na:810)
	at com.sonar.security.analysis.taint.A.E.B(na:3134)
	at com.sonar.security.analysis.taint.A.E.A(na:498)
	at com.sonar.security.analysis.H.A(na:3399)
	at com.sonar.security.analysis.D.A(na:188)
	at com.sonar.security.analysis.D.A(na:514)
	at com.sonar.security.rules.E.A(na:1904)
	at com.sonar.security.H.A(na:478)
	at java.base/java.util.ArrayList.forEach(Unknown Source)
	at com.sonar.security.H.executeChecks(na:1225)
	at com.sonar.security.H.execute(na:1063)
	at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(AbstractSensorWrapper.java:48)
	at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:85)
	at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:62)
	at org.sonar.scanner.scan.ModuleScanContainer.doAfterStart(ModuleScanContainer.java:82)
	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:136)
	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:122)
	at org.sonar.scanner.scan.ProjectScanContainer.scan(ProjectScanContainer.java:400)
	at org.sonar.scanner.scan.ProjectScanContainer.scanRecursively(ProjectScanContainer.java:395)
	at org.sonar.scanner.scan.ProjectScanContainer.doAfterStart(ProjectScanContainer.java:358)
	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:136)
	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:122)
	at org.sonar.scanner.bootstrap.GlobalContainer.doAfterStart(GlobalContainer.java:141)
	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:136)
	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:122)
	at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:73)
	at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:67)
	at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
	at com.sun.proxy.$Proxy0.execute(Unknown Source)
	at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)
	at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)
	at org.sonarsource.scanner.cli.Main.execute(Main.java:112)
	at org.sonarsource.scanner.cli.Main.execute(Main.java:75)
	at org.sonarsource.scanner.cli.Main.main(Main.java:61)
ERROR: 
ERROR: Re-run SonarQube Scanner using the -X switch to enable full debug logging.
WARN: Unable to locate 'report-task.txt' in the workspace. Did the SonarScanner succedeed?
ERROR: SonarQube scanner exited with non-zero code: 1
[Office365connector] No webhooks to notify
Finished: FAILURE

I was able to reproduce the same stacktrace with an empty heredoc.

<?php
$x = <<<EOT
EOT;

Do you have something like that in your project?
We’re going to fix this case in the next version.
Thanks for your feedback!

Hi @pynicolas,
Thanks for the quick response, I will look for these files and update you on this.

Hi @pynicolas,
I am new to heredoc so here is a quick question,
would you consider this code snippet to be an empty heredoc:

$help_details = <<<EOT
Some Text here
EOT;

No, it’s not empty, it contains one line: “Some Text here”.

In that case, I don’t have an empty heredoc in my code. All the heredocs have either some text or some code in them, and in some cases it is simply like this:

       $js .= <<<EOT
    
    });

EOT;

The fix should be available as part of SonarQube 8.2. Hope it will fix your failure.

As a temporary workaround you can disable PHP security injection rules (in Rules page facet “Security Category” -> “Owasp Top 10” -> “A1”), or try to find the file causing the failure by excluding some dirs.
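
One way to locate candidate files for the empty-heredoc case reproduced in this thread, instead of excluding directories by trial and error. This is an added example, not part of the original posts and not SonarSource code; the function names `find_empty_heredocs` and `scan_tree` are hypothetical, and the line-based matching is a heuristic rather than a full PHP lexer.

```python
import re
import sys
from pathlib import Path

# Opening line of a heredoc (<<<EOT, <<<"EOT") or nowdoc (<<<'EOT').
OPENER = re.compile(r"<<<[ \t]*(['\"]?)([A-Za-z_][A-Za-z0-9_]*)\1[ \t]*$")


def find_empty_heredocs(source):
    """Return (line, label, kind) per heredoc/nowdoc without content: "empty" is
    the case reproduced in the thread; "blank" (whitespace-only body) is an
    assumed near-miss to review, not a trigger confirmed in the thread."""
    findings = []
    lines = source.splitlines()
    i = 0
    while i < len(lines):
        match = OPENER.search(lines[i])
        if not match:
            i += 1
            continue
        label = match.group(2)
        # Closing label may be indented (PHP 7.3+) and followed by ; , or ).
        closer = re.compile(r"^[ \t]*" + re.escape(label) + r"\b")
        j = i + 1
        while j < len(lines) and not closer.match(lines[j]):
            j += 1
        if j < len(lines):  # ignore unterminated openers
            body = lines[i + 1:j]
            if not body:
                findings.append((i + 1, label, "empty"))
            elif not any(line.strip() for line in body):
                findings.append((i + 1, label, "blank"))
            i = j
        i += 1
    return findings


def scan_tree(root):
    """Return (path, line, label, kind) for every .php file under root."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits += [(str(path), *f) for f in find_empty_heredocs(text)]
    return hits


if __name__ == "__main__":
    for path, line, label, kind in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}:{line}: {kind} heredoc <<<{label}")
```

Run it with the project root as the only argument; each hit is a file to exclude from analysis or to edit until the fixed version is installed.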