We are analysing a Xamarin project using SonarScanner for MSBuild with mono. Everything worked fine with the free version of Sonarqube, but since when we have switched to the Developer Edition, the scanner crashes with a StackOverflow exception.
We think that the problem arises from the additional checks that are performed by the scanner when targeting the Developer edition. I have attached the stacktrace, editing the name of the project for privacy reasons.
- Versions used: Sonarqube 8.2, SonarScanner for MSBuild 4.8
- Scanner command used:
mono /Applications/SonarScanner/SonarScanner.MSBuild.exe begin /k:**** /d:sonar.login=$SONAR_TOKEN /d:sonar.links.scm="$CI_PROJECT_URL" /d:sonar.coverge.exclusions=$SONAR_COVERAGE_EXCLUSION
- CI system used: Gitlab CI (self hosted)
sonarqube-stacktrace.zip (36.6 KB)
Thanks @kalpa this indeed is part of the work done for the detection of injection vulnerabilities which is only present in the Developer edition.
A work-around, until we fix this, is to disable the Injection Vulnerability rules for your build (because from what I understand, this is breaking the build). The rule ids for these vulnerability detection are:
We’d also need a reproducer to detect why this is happening… We’ll try to look at the logs, if we cannot find the problem there, we’ll come back to you.
From a quick look at the stack trace, we can identify that the problem is related to
.Peek() operation (that might be somehow related to class field). Can you please share with us lines of code that contains this invocation in your project?
I can confirm that the analysis can be completed after disabling those rules.
@Pavel_Mikula There is one file that uses the
Peek() method in our codebase, the method is used in several parts of the file, maybe it is more convenient if I send you the entire file. Can I send it privately to you?
Sure, no problem. Just send a PM to me.
I think I am not allowed to send you a PM, I don’t find any way to do it. Is there another way to send you the file?
Thank you for reporting this issue and providing the sample. We’re now able to reproduce the issue on method like this:
public class NestedConditionalAccessQueue
private Queue<Item> queue;
public void Main()
var length = queue?.Peek().Value?.Length;
private class Item
public string Value;
cc @Andrei_Epure Exception is visible during test debugging.
We’ve identified and fixed the problem. It will be released with plugin version 8.4-M1 for SonarCloud and shipped with next release of SonarQube 8.4
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.