Exception with SonarQube 8.9.2 #387
Comments
|
is there any other logs that describe why findsecbugs:XSS_JSP_PRINT cannot be activated on jsp profile? |
|
Hello, the error message says that findsecbugs:XSS_JSP_PRINT is a java rule while it should be a JSP rule and part of the "findsecbugs-jsp" profile, not "findsecbugs". I tried looking into the SonarQube code and this seems to be happening when the server reconciles the built-in profiles (from the core SQ and the plugins) against the profiles saved in the database. So while it's processing the "FindBugs Security JSP" profile, it's running into the XSS_JSP_PRINT which does not point to the right profile (Java/findsecbugs instead of the correct JSP/findsecbugs-jsp). @gerrieg, the way the plugin loads initializes its built-in profiles was changed in the 4.0.4 version of the plugin to make it compatible with SonarQube 9. Normally it should still be compatible with SQ 7 and 8 but it would be great if you could try with version 4.0.3 of the plugin. |
|
@gtoison thank you for the hint, 4.0.3 works! |
|
@gerrieg thanks for reporting back! That's the answer I did not want to hear because it means there's a regression in version 4.0.4 @KengoTODA I think we might want to hold on adding version 4.0.4 to the SQ marketplace until this is sorted out |
|
Got it. And thank you for your reminding SQ member at the official forum! |
|
If you want, I can easily try new versions on our test system. |
|
@gerrieg yes it might be worth trying to upgrade to 4.0.3 and then to 4.0.4, I still have no idea what might be the problem here. I've been using the new version on SonarQube 9 and did not see that error. I noticed that in your first message you wrote: findbugs-plugin-3.11.1.jar |
|
yes, it's sonar-findbugs-plugin-3.11.1.jar, i have updated the post. Update from 4.0.3 -> 4.0.4: same exception |
|
Thanks for confirming, in the meantime I've posted a question on the Sonar forum: |
|
Hello @gerrieg, I looked a bit more into the error you have reported and I'm starting to suspect that this is related to #382 , not to the way we load profiles/rules. Basically rule XSS_JSP_PRINT was not loaded in the version of the plugin you had previously and I attempted to fix that, but that might have caused the problem. Would you know if the SonarQube installation you have was already upgraded from an older version (possibly multiple upgrades)? Could you please share the part of the server startup logs corresponding to the plugins (so I can see what's happening before the error)? It should look like this: |
|
@gtoison , is this what you are looking for? I removed some parts to shorten the log. Happened during update of SQ 8.9.1 with plugin version 4.0.3 to SQ 8.9.2 and plugin version 4.0.4. |
|
Thank you @sephiroth-j, that helps a lot. Thanks to these logs I realized that SonarQube handles these rules differently whether the html plugin is installed or not. |
|
We have the same issue. Our instance is quite "old" - we started with 3.x |
|
We started with 3.5.1 and updated several times. |
|
After a lot of head scratching I now think that this is due to SONAR-15240 - Startup fails if rule is moved to a different language @KengoTODA here are a few proposals:
|
4.0.4 is already published in the marketplace, it would be better to change compatibility from 4.0.5. I cannot judge the correctness of other ideas due to the lack of SQ usage in my development, so I'll ask new maintainers to handle it after I welcome them to the team. |
Tentative fix for issue spotbugs#387 apparently caused by SONAR-15240
|
Hello @gerrieg, could you (or someone affected by this issue) try the tentative fix I've made on my forked repo? I am unable to replicate the problem so it would be very help to confirm whether reverting to the old SonarQube API works. Important disclaimer that this pre-release is not validated by the spotbugs team, please do not use on a production environment |
|
@gerrieg I have just tried the 4.0.4.1 and can confirm the fix works for our setup (we had the same issue). I have also tried it with Java 17 - the reason why we need the new sonar-findbugs. |
|
Thank you very much @gerrieg, that's great news!
I suppose we still want to use the new SonarQube API (because the old one is deprecated and was entirely removed in SQ 9), so I propose that we revert the changes on a maintenance branch. @KengoTODA I do not have write access on the repo so, if you agree, could you please create that branch so I can submit a Pull Request? I'll keep trying to reproduce |
|
I am currently on vacation, I can try it next Monday. |
|
Hello, could anyone affected by this issue please have a look at how rule
I suspect that for you it will be for the Java language and the |
|
In our installation (with the issue) it is also under
|
same here |
|
4.0.4.1 works for me and |
|
Hello, I'm still unable to reproduce the issue but I've found something buried deep in the SonarQube API and hopefully that might help: https://javadocs.sonarsource.org/7.1/apidocs/org/sonar/api/server/rule/RulesDefinition.Rule.html#deprecatedRuleKeys-- The changes are on this branch of my forked repo: https://github.com/gtoison/sonar-findbugs/tree/add-deprecated-jsp-rule-key Contrary to version 4.0.4.1 this uses the new SQ API, so it is compatible with SQ 9. According to the documentation, this will allow SonarQube to support "issue re-keying" for this rule. Finger crossed this might get rid of As last time this prerelease was not validated by the SpotBugs team, please do not use on a production environment If someone tries this out and it fails, could you please share you logs? |
|
@gtoison, we tried 4.0.4 with SQ 9.1. similar problem. We then tried 4.0.4.2. same problem, different rule. |
|
Maybe another approach is more effective. For example, uninstall the plugin, then delete references to the rules via SQL script and then reinstall the plugin in the current version. |
|
Thank you for testing with SQ 9.1 @sephiroth-j Since it now considers that the rules are removed I've made a new pre-release on my forked repo where the plugin does not try to activate a rule if it is marked as disabled. It is available here: https://github.com/gtoison/sonar-findbugs/releases/tag/4.0.4.3 Sorry for the time this is taking, I'm not able to reproduce the issue and that makes things harder. |
|
Hey @gtoison I just tried your patch on SQ 9.1 on a test server, got around the issue with booting. The error I had previously was: |
|
Hello @dm-ion thanks a lot for testing and reporting back, it's great news that the patch fixes the issue for SQ 9.1 ! If someone affected by the issue and using SQ 8.9 could also test https://github.com/gtoison/sonar-findbugs/releases/tag/4.0.4.3 that would be great |
|
Hello @gtoison , the plugin from https://github.com/gtoison/sonar-findbugs/releases/tag/4.0.4.3 works with SQ 8.9 - no startup errors! :) Just a side note: the displayed version of the plugin is "4.0.4.2" instead of "4.0.4.3". Rules XSS_JSP_PRINT and XSS_REQUEST_PARAMETER_TO_JSP_WRITER are now located in the findsecbugs-jsp repository. |
|
Hello @sephiroth-j |
Issue #387 Add deprecated jsp rule key
|
Reopening the issue until there's a proper release of the fix |
|
We have released version 4.0.5 with a fix for this bug: https://github.com/spotbugs/sonar-findbugs/releases/tag/4.0.5 |
I'm updating our SonarQube installation from 7.9.5 (sonar-findbugs-plugin-3.11.1.jar) -> 8.9.2 (sonar-findbugs-plugin-4.0.4.jar)
When i add the sonar-findbugs-plugin-4.0.4.jar, i get an exception on startup and SonarQube stops. When i remove the plugin, SonarQube works as expected.
The text was updated successfully, but these errors were encountered: