Generating too much logs for findsec bug rules

[abhimankhutia]

I am getting huge DEBUG messages in log console when any find-sec-bug rule is enabled.
Am using SonarQube 5.6.1 with sonar-findbugs-plugin-3.4.3. Scans are triggered using sonarqube-scanner [without -e or -X] option. Our project is huge and scans are generating nearly 6 gb of logs.

Find-Sec rule enabled - Security - TrustManager that accept any certificates

Looks like debug option passed to sonarqube-scanner cli are not mapped to define findbug or find-sec-bug logging and default flag for DEBUG is considered true -

Eg. Log entries -

com.h3xstream.findsecbugs.taintanalysis.TaintDataflow
----------------------------------------------------------------------
com.h3xstream.findsecbugs.taintanalysis.TaintDataflow iteration: 98, timestamp: 1464
XXX
----------------------------------------------------------------------
com.h3xstream.findsecbugs.taintanalysis.TaintDataflow analysis for XXX

Before: [U0[1]U1[0]U2U3U4]
Location:   -1: nop[0](1) in basic block 0
After: [U0[1]U1[0]U2U3U4]

Before: [U0[1]U1[0]U2U3U4]
Location:    0: aload_0[42](1) in basic block 2
After: [U0[1]U1[0]U2U3U4|U0[1]]

Before: [U0[1]U1[0]U2U3U4|U0[1]]
Location:    1: getfield[180](3) 8 in basic block 2
After: [U0[1]U1[0]U2U3U4|U]

I am getting Dataflow dump for almost every class getting scanned.
Can you please let me know how to disable these logging through sonarqube-scanner cli ?

[h3xstream]

@abhimankhutia This is a FindBugs bug that is probably a race condition in the engine itself. I remember seeing it once.
The difficult part will be to make reproducable and itentify poteniolly the class that makes FB freaks out.

If you are able to reproduce with FindBugs CLI, this will confirm that the problem is in the core of FB.

[h3xstream]

No response. Unable to reproduce.

[Piloon]

Hello,
We have the same problem. Should I create a new bug ?

In our logs we have the following lines (filtered on the keyword iteration) :
too many iterations TaintAnalysis on XXXXX com.h3xstream.findsecbugs.taintanalysis.TaintDataflow iteration: 98, timestamp: 3573 com.h3xstream.findsecbugs.taintanalysis.TaintDataflow iteration: 99, timestamp: 3606 com.h3xstream.findsecbugs.taintanalysis.TaintDataflow iteration: 100, timestamp: 3639 com.h3xstream.findsecbugs.taintanalysis.TaintDataflow iteration: 101, timestamp: 3672 com.h3xstream.findsecbugs.taintanalysis.TaintDataflow iteration: 102, timestamp: 3705 com.h3xstream.findsecbugs.taintanalysis.TaintDataflow iteration: 103, timestamp: 3738 com.h3xstream.findsecbugs.taintanalysis.TaintDataflow iteration: 104, timestamp: 3771 com.h3xstream.findsecbugs.taintanalysis.TaintDataflow iteration: 105, timestamp: 3804 com.h3xstream.findsecbugs.taintanalysis.TaintDataflow iteration: 106, timestamp: 3837 com.h3xstream.findsecbugs.taintanalysis.TaintDataflow iteration: 1, timestamp: 0 com.h3xstream.findsecbugs.taintanalysis.TaintDataflow iteration: 1, timestamp: 0 com.h3xstream.findsecbugs.taintanalysis.TaintDataflow iteration: 1, timestamp: 0 com.h3xstream.findsecbugs.taintanalysis.TaintDataflow iteration: 1, timestamp: 0

After reading the code in https://github.com/spotbugs/spotbugs/blob/release-3.1/spotbugs/src/main/java/edu/umd/cs/findbugs/ba/Dataflow.java
I think the log problem is due to the throw on line 188, the debugWas is not reset to previous value (false) before throwing the exception. As a result, in every following calls, DEBUG is set to true and we have more than 350Mo of output logs.

There may be another bug concerning the 'too many iterations', but I cannot give the code.

Is it possible to fix at least the log problem ?

Thanks in advance

[h3xstream]

@Piloon Please report your bug as is on https://github.com/spotbugs/spotbugs/