We have been using SonarCloud for more than a year and have never faced this issue before.
We use the Sonar Maven plugin.
Since a few builds ago, we face a new error when analyzing a Java project containing Thymeleaf HTML templates:
[INFO] Sensor ThymeLeaf template sensor [securityjavafrontend]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 02:42 min
[INFO] Finished at: 2020-02-24T20:59:30Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.6.0.1398:sonar (default-cli) on project api: An error happened during template parsing (template: "<!DOCTYPE html>
[ERROR] <html xmlns:th="http://www.thymeleaf.org">
[ERROR] <head>
[ERROR] <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
[ERROR] <title th:utext="#{email.inspection.updated.title(${oldInspection.product.identifierValue}, ${oldInspection.factory.name}, ${oldInspection.inspectionDate})}"></title>
[ERROR] </head>
[ERROR] <body>
[ERROR] <p th:utext="#{email.inspection.common.greeting(${contact.firstName})}"></p>
[ERROR] </body>
[ERROR] </html>
[ERROR] "): Cannot evaluate expression "#{email.inspection.updated.title(${oldInspection.product.identifierValue},${oldInspection.factory.name},${oldInspection.inspectionDate})}". Message externalization expressions can only be evaluated in a template-processing environment (as a part of an in-template expression) where processing context is an implementation of class java.lang.Class, which it isn't (A.A.A.A.A.A.A$_B)
We have no idea where this is coming from; we didn't change those files, the project config, or the Sonar version in several months.
This is linked to the latest deployment of our taint analysis engine, which is trying to analyze Thymeleaf templates to detect XSS vulnerabilities. Would you be able to share your Thymeleaf file with me (privately, if needed) so we can properly investigate the issue?
As a workaround, while waiting for a proper solution, you can deactivate rule S5131, which should prevent the execution of this faulty sensor.
Did you check on your side that disabling this rule is enough as a workaround?
Because I just added this to my config and it still fails:
sonar.issue.ignore.multicriteria=S5131
sonar.issue.ignore.multicriteria.S5131.resourceKey=src/main/resources/templates/**/*
sonar.issue.ignore.multicriteria.S5131.ruleKey=squid:S5131
Sorry, I meant deactivating it from your quality profile. Ignoring the issue filters after execution, so it won't help in that case.
We are working on a bug fix so things should (hopefully) get back to normal by tomorrow.
Are there any updates on the progress of this? Our build pipeline has been failing since yesterday because of this issue, and we are currently blocked from making builds for our upcoming release.
Maybe you can share some insight on how far along you are.
And when will the fix be deployed on SonarCloud as well?
Yes, it works fine now; we get a warning instead of an error. Thanks.
[INFO] Sensor ThymeLeaf template sensor [securityjavafrontend]
[WARNING] Failed to process thymeleaf template src/main/resources/templates/ics/test.html. It will be ignored. Cause is logged in DEBUG level.
[INFO] Sensor ThymeLeaf template sensor [securityjavafrontend] (done) | time=143ms