StackOverflow Exception during Sonar Analysis

SonarQube Developer Edition version 10.3.0.82913 Deployed using HELM
SonarScanner 4.8.1.3023
Java 11.0.14.1 Eclipse Adoptium (64-bit)

Sonar Error.zip (9.0 KB)

SonarScanner for MSBuild 5.14

For several weeks now, we’ve been encountering this problem when analyzing a dotnet application

Hi,

Welcome to the community!

You’ve listed both SonarScanner and SonarScanner for MSBuild (.NET). Both versions you’ve cited are out of date, the SonarScanner version by quite a bit. You should upgrade both at your earliest convenience. However, I don’t think that has a bearing on what you’re seeing.

Can you please provide the full debug analysis log?

The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.

This guide will help you generate it.

 
Thx,
Ann

Hello.
We don’t have the possibility to change versions.
We use SonarQube extension for Azure DevOps.


The pipeline uses the latest version of the Sonar extension, 5.18.4, but with scanner version 4.8.1.3023.

How can we fix this?
Thx

Hi,

Okay, let’s set the scanner version aside for now.

Your original post provides your analysis log starting from the failure. Can we have the whole thing?

 
Thx,
Ann

Full Sonar Logs.zip (55.8 KB)

Dear Ann
You will find the complete logs file in the attachments.
Yours faithfully,
Yves

Hi Yves,

Thanks for the log. I’ve flagged this for more expert eyes.

 
Ann

Hello Yves,

Thanks for the logs you provided: they help a lot!
Still, it is hard to imagine the code structure that causes the issue.

Is the project you are analysing an open-source one, by any chance? If not, would you be willing to share the content of the .sonarqube\out\ucfg2\cs folder with me, privately? (you can send me a direct message - if the zip is not too big)
This folder’s content will allow us to reproduce the analysis part of the security scan on our end and better understand the issue.

Many thanks in advance,

Renaud

Hello,
Have you some news about this ?

For your information, I was able to perform the analysis locally with scanner version 5.
In Azure DevOps pipelines, is it possible to specify a version when using the “integrate with MSBuild” option?

Kind regards

Hello Yves,

Thanks for getting back to us.

The current status of your topic is the following:

Thanks to the UCFGs we are able to reproduce the issue. We still need to work to isolate the root cause and fix it.
You should be able to run the analysis by creating a specific profile with the following rules disabled:

  • S5146 - HTTP_REDIRECT
  • S3649 - SQL_INJECTION
  • S6287 - SESSION_FIXATION
  • S6350 - ARGUMENT_CONSTRUCTION
  • S5145 - LOG_INJECTION

It is not the perfect solution, but it is a workaround you can apply until we provide a fix, to let you check for the other rules.

Regarding the version of the scanner and your successful scan with version 5, can you please share the logs with us?

A ticket with Critical level has been created and we will continue our investigation.

Regarding your last question, when using the Azure DevOps extension, the scanner used is the one embedded, it is not possible to change it.

Kind regards,

Renaud

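The workaround above (a dedicated quality profile with the five taint rules turned off) can be scripted against the SonarQube Web API instead of clicking through the UI, which also makes it easy to revert once the fix ships. The script below is an added example, not code from the thread or from SonarSource. It assumes the server URL, a user token and the project key are supplied in SONAR_URL, SONAR_TOKEN and SONAR_PROJECT, that the default C# profile is the one the project currently uses, and that the C# taint rules live in the rule repository roslyn.sonaranalyzer.security.cs (the repository name is an assumption; confirm it on your instance with api/rules/search?q=S5146&languages=cs before running). The endpoints used (qualityprofiles/search, copy, deactivate_rule, add_project) are standard SonarQube Web API calls.

```shell
# Added example: create a copy of the default C# quality profile with the five
# rules from Renaud's post deactivated, then assign it to the project.
# Assumed inputs (not from the thread): SONAR_URL, SONAR_TOKEN, SONAR_PROJECT.
SONAR_URL="${SONAR_URL:-}"
SONAR_TOKEN="${SONAR_TOKEN:-}"
SONAR_PROJECT="${SONAR_PROJECT:-}"
PROFILE_NAME="${PROFILE_NAME:-Sonar way (StackOverflow workaround)}"
# Assumed repository key of the C# taint-analysis rules; verify on your server.
RULE_REPO="${RULE_REPO:-roslyn.sonaranalyzer.security.cs}"

# The five rules listed in the workaround, one per line.
workaround_rules() {
  printf '%s\n' S5146 S3649 S6287 S6350 S5145
}

# Full rule key in the form the API expects: <repository>:<rule id>.
rule_key() {
  printf '%s:%s\n' "$RULE_REPO" "$1"
}

# Pull the first string value of a field out of a JSON response without jq.
json_field() {
  grep -o "\"$1\":\"[^\"]*\"" | head -n 1 | cut -d'"' -f4
}

# Web API helpers: the token is sent as the basic-auth user with an empty password.
sq_get() {
  endpoint="$1"; shift
  curl -sS -f -u "$SONAR_TOKEN:" -G "$SONAR_URL/api/$endpoint" "$@"
}
sq_post() {
  endpoint="$1"; shift
  curl -sS -f -u "$SONAR_TOKEN:" -X POST "$SONAR_URL/api/$endpoint" "$@"
}

apply_workaround() {
  # 1. Key of the default C# profile (language code for C# is "cs").
  from_key=$(sq_get qualityprofiles/search \
    --data-urlencode 'language=cs' --data-urlencode 'defaults=true' | json_field key)
  [ -n "$from_key" ] || { echo "no default cs profile found" >&2; return 1; }

  # 2. Copy it under a new name; the response carries the new profile key.
  new_key=$(sq_post qualityprofiles/copy \
    --data-urlencode "fromKey=$from_key" --data-urlencode "toName=$PROFILE_NAME" | json_field key)
  [ -n "$new_key" ] || { echo "profile copy failed" >&2; return 1; }

  # 3. Deactivate each of the five rules in the copy only; the default stays intact.
  workaround_rules | while IFS= read -r r; do
    sq_post qualityprofiles/deactivate_rule \
      --data-urlencode "key=$new_key" --data-urlencode "rule=$(rule_key "$r")" >/dev/null
    echo "deactivated $(rule_key "$r") in $PROFILE_NAME"
  done

  # 4. Point the affected project at the new profile.
  sq_post qualityprofiles/add_project \
    --data-urlencode 'language=cs' \
    --data-urlencode "qualityProfile=$PROFILE_NAME" \
    --data-urlencode "project=$SONAR_PROJECT" >/dev/null
  echo "project $SONAR_PROJECT now uses profile '$PROFILE_NAME'"
}

if [ -n "$SONAR_URL" ] && [ -n "$SONAR_TOKEN" ] && [ -n "$SONAR_PROJECT" ]; then
  apply_workaround
else
  echo "set SONAR_URL, SONAR_TOKEN and SONAR_PROJECT to apply the workaround" >&2
fi
```

To undo the workaround after upgrading, reassign the project to the original profile with the same add_project call (or api/qualityprofiles/remove_project) and delete the copy with api/qualityprofiles/delete; keeping the default profile untouched is what makes the rollback a single call.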

Hello Renaud,

Thanks for your answer.
I disabled the rules and it works well now.

Kind regards,
Yves
