Stackoverflow exception during MSBuild Analysis on Sonarqube developer

We are analysing a Xamarin project using SonarScanner for MSBuild with mono. Everything worked fine with the free version of Sonarqube, but since we switched to the Developer Edition, the scanner crashes with a StackOverflow exception.

We think that the problem arises from the additional checks that are performed by the scanner when targeting the Developer edition. I have attached the stacktrace, editing the name of the project for privacy reasons.

  • Versions used: Sonarqube 8.2, SonarScanner for MSBuild 4.8
  • Scanner command used: mono /Applications/SonarScanner/SonarScanner.MSBuild.exe begin /k:**** /d:sonar.login=$SONAR_TOKEN /d:sonar.links.scm="$CI_PROJECT_URL" /d:sonar.coverage.exclusions=$SONAR_COVERAGE_EXCLUSION
  • CI system used: Gitlab CI (self hosted)
  • Attachment: sonarqube-stacktrace.zip (36.6 KB)

Thanks @kalpa, this is indeed part of the work done for the detection of injection vulnerabilities, which is only present in the Developer Edition.

A work-around, until we fix this, is to disable the Injection Vulnerability rules for your build (because from what I understand, this is breaking the build). The rule IDs for this vulnerability detection are:

  • S2076
  • S2078
  • S2083
  • S2091
  • S2631
  • S3649
  • S5131
  • S5144
  • S5145
  • S5146
  • S5167

We’d also need a reproducer to detect why this is happening… We’ll try to look at the logs; if we cannot find the problem there, we’ll come back to you.

Hi @kalpa,

From a quick look at the stack trace, we can identify that the problem is related to the .Peek() operation (that might be somehow related to a class field). Can you please share with us the lines of code that contain this invocation in your project?

Hi,
I can confirm that the analysis can be completed after disabling those rules.

@Pavel_Mikula There is one file that uses the Peek() method in our codebase. The method is used in several parts of the file, so maybe it is more convenient if I send you the entire file. Can I send it privately to you?

Hi @kalpa,

Sure, no problem. Just send a PM to me.

I think I am not allowed to send you a PM, I don’t find any way to do it. Is there another way to send you the file?

Hi @kalpa,

Thank you for reporting this issue and providing the sample. We’re now able to reproduce the issue on a method like this:

using System.Collections.Generic;

public class NestedConditionalAccessQueue
{
    private Queue<Item> queue;

    public void Main()
    {
        // Nested null-conditional access (?.) around Peek() is what triggers the analyzer crash
        var length = queue?.Peek().Value?.Length;
    }

    private class Item
    {
        public string Value;
    }
}

cc @Andrei_Epure Exception is visible during test debugging.


Hi @kalpa,

We’ve identified and fixed the problem. It will be released with plugin version 8.4-M1 for SonarCloud and shipped with the next release of SonarQube, 8.4.
