BiglySoftware / BiglyBT

Feature-filled Bittorrent client based on the Azureus open source project
https://www.biglybt.com
GNU General Public License v2.0

Usage of Coverity Scan and/or SonarQube for code analysis #346

Closed popcornenthusiast closed 4 years ago

popcornenthusiast commented 6 years ago

Coverity Scan, which is used by LibreOffice: https://scan.coverity.com/

There is also SonarQube, which is already being used by arvidn for libtorrent: https://sonarcloud.io/

About Coverity:

What is Coverity Scan?

Coverity Scan is a service by which Coverity provides the results of analysis on open source coding projects to open source code developers that have registered their products with Coverity Scan.

Coverity, the development testing leader, is the trusted standard for companies that need to protect their brands and bottom lines from software failures. Coverity Scan is powered by Coverity® Quality Advisor. Coverity Quality Advisor surfaces defects identified by the Coverity Static Analysis Verification Engine (Coverity SAVE®) for fast and easy remediation.

Coverity offers the results of the analysis completed by Coverity Quality Advisor on registered projects at no charge to registered open source developers.

What is static analysis?

Static analysis is a set of processes for finding source code defects and vulnerabilities.

In static analysis, the code under examination is not executed. As a result, test cases and specially designed input datasets are not required. Examination for defects and vulnerabilities is not limited to the lines of code that are run during some number of executions of the code, but can include all lines of code in the codebase.

Additionally, Coverity's implementation of static analysis can follow all the possible paths of execution through source code (including interprocedurally) and find defects and vulnerabilities caused by the conjunction of statements that are not errors independent of each other.

Source: https://scan.coverity.com/faq

LibreOffice's case of success after using Coverity:

https://webcache.googleusercontent.com/search?q=cache:WD0hZEtvR2gJ:www.coverity.com/press-releases/libreoffice-improves-software-quality-coverity-scan/+&cd=2&hl=pt-BR&ct=clnk&gl=br&client=firefox-b

http://www.infoworld.com/article/2687117/open-source-software/libreoffice-code-ten-times-better-than-proprietary.html

http://www.ocsmag.com/2014/11/30/libreoffices-coverity-defect-density-is-0-00/

parg commented 6 years ago

Thanks for the suggestion. We used Coverity on Vuze (from whence BBT came) a while back - https://scan.coverity.com/projects/vuze-bittorrent-client

While it did throw up a few legitimate issues it also involved a lot of leg work to wade through the false positives - most of the issues marked as 'fixed' were actually marked as 'false positive's

If you have the time please feel free to run an analysis and report on the results.

popcornenthusiast commented 6 years ago

Hi.

Did you guys try SonarQube? It seems to work quite differently from Coverity.

parg commented 6 years ago

Just spent some time trying it:

```
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 02:25 min
[INFO] Finished at: 2018-02-06T17:37:20Z
[INFO] Final Memory: 89M/2495M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.4.0.905:sonar (default-cli) on project biglybt-core: SonarQube is unable to analyze file : 'C:\Users\Paul\git\BiglyBT\core\src\com\biglybt\core\disk\impl\DiskManagerFileInfoSetImpl.java': Index: 1, Size: 0 -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.4.0.905:sonar (default-cli) on project biglybt-core: SonarQube is unable to analyze file : 'C:\Users\Paul\git\BiglyBT\core\src\com\biglybt\core\disk\impl\DiskManagerFileInfoSetImpl.java'
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:213)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:154)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:146)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:51)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:309)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:194)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:107)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:955)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:290)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:194)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:415)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:356)
Caused by: org.apache.maven.plugin.MojoExecutionException: SonarQube is unable to analyze file : 'C:\Users\Paul\git\BiglyBT\core\src\com\biglybt\core\disk\impl\DiskManagerFileInfoSetImpl.java'
    at org.sonarsource.scanner.maven.bootstrap.ScannerBootstrapper.execute (ScannerBootstrapper.java:65)
    at org.sonarsource.scanner.maven.SonarQubeMojo.execute (SonarQubeMojo.java:108)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:134)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:208)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:154)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:146)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:51)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:309)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:194)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:107)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:955)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:290)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:194)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:415)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:356)
Caused by: org.sonar.squidbridge.api.AnalysisException: SonarQube is unable to analyze file : 'C:\Users\Paul\git\BiglyBT\core\src\com\biglybt\core\disk\impl\DiskManagerFileInfoSetImpl.java'
    at org.sonar.java.ast.JavaAstScanner.simpleScan (JavaAstScanner.java:105)
    at org.sonar.java.ast.JavaAstScanner.scan (JavaAstScanner.java:68)
    at org.sonar.java.JavaSquid.scanSources (JavaSquid.java:120)
    at org.sonar.java.JavaSquid.scan (JavaSquid.java:114)
    at org.sonar.plugins.java.JavaSquidSensor.execute (JavaSquidSensor.java:91)
    at org.sonar.scanner.sensor.SensorWrapper.analyse (SensorWrapper.java:53)
    at org.sonar.scanner.phases.SensorsExecutor.executeSensor (SensorsExecutor.java:88)
    at org.sonar.scanner.phases.SensorsExecutor.execute (SensorsExecutor.java:82)
    at org.sonar.scanner.phases.SensorsExecutor.execute (SensorsExecutor.java:68)
    at org.sonar.scanner.phases.AbstractPhaseExecutor.execute (AbstractPhaseExecutor.java:88)
    at org.sonar.scanner.scan.ModuleScanContainer.doAfterStart (ModuleScanContainer.java:180)
    at org.sonar.core.platform.ComponentContainer.startComponents (ComponentContainer.java:135)
    at org.sonar.core.platform.ComponentContainer.execute (ComponentContainer.java:121)
    at org.sonar.scanner.scan.ProjectScanContainer.scan (ProjectScanContainer.java:288)
    at org.sonar.scanner.scan.ProjectScanContainer.scanRecursively (ProjectScanContainer.java:283)
    at org.sonar.scanner.scan.ProjectScanContainer.doAfterStart (ProjectScanContainer.java:261)
    at org.sonar.core.platform.ComponentContainer.startComponents (ComponentContainer.java:135)
    at org.sonar.core.platform.ComponentContainer.execute (ComponentContainer.java:121)
    at org.sonar.scanner.task.ScanTask.execute (ScanTask.java:48)
    at org.sonar.scanner.task.TaskContainer.doAfterStart (TaskContainer.java:84)
    at org.sonar.core.platform.ComponentContainer.startComponents (ComponentContainer.java:135)
    at org.sonar.core.platform.ComponentContainer.execute (ComponentContainer.java:121)
    at org.sonar.scanner.bootstrap.GlobalContainer.executeTask (GlobalContainer.java:121)
    at org.sonar.batch.bootstrapper.Batch.doExecuteTask (Batch.java:116)
    at org.sonar.batch.bootstrapper.Batch.execute (Batch.java:71)
    at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute (BatchIsolatedLauncher.java:46)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke (IsolatedLauncherProxy.java:60)
    at com.sun.proxy.$Proxy26.execute (Unknown Source)
    at org.sonarsource.scanner.api.EmbeddedScanner.doExecute (EmbeddedScanner.java:171)
    at org.sonarsource.scanner.api.EmbeddedScanner.execute (EmbeddedScanner.java:128)
    at org.sonarsource.scanner.maven.bootstrap.ScannerBootstrapper.execute (ScannerBootstrapper.java:63)
    at org.sonarsource.scanner.maven.SonarQubeMojo.execute (SonarQubeMojo.java:108)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:134)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:208)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:154)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:146)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:51)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:309)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:194)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:107)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:955)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:290)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:194)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:415)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:356)
Caused by: java.lang.IndexOutOfBoundsException: Index: 1, Size: 0
    at java.util.ArrayList.rangeCheck (ArrayList.java:653)
    at java.util.ArrayList.get (ArrayList.java:429)
    at org.sonar.java.se.checks.DivisionByZeroCheck$PreStatementVisitor.visitAssignmentExpression (DivisionByZeroCheck.java:150)
    at org.sonar.java.model.expression.AssignmentExpressionTreeImpl.accept (AssignmentExpressionTreeImpl.java:71)
    at org.sonar.java.se.checks.DivisionByZeroCheck.checkPreStatement (DivisionByZeroCheck.java:125)
    at org.sonar.java.se.CheckerDispatcher.executeCheckPreStatement (CheckerDispatcher.java:57)
    at org.sonar.java.se.ExplodedGraphWalker.visit (ExplodedGraphWalker.java:517)
    at org.sonar.java.se.ExplodedGraphWalker.execute (ExplodedGraphWalker.java:246)
    at org.sonar.java.se.ExplodedGraphWalker.visitMethod (ExplodedGraphWalker.java:206)
    at org.sonar.java.se.ExplodedGraphWalker.visitMethod (ExplodedGraphWalker.java:198)
    at org.sonar.java.se.SymbolicExecutionVisitor.execute (SymbolicExecutionVisitor.java:78)
    at org.sonar.java.se.SymbolicExecutionVisitor.visitNode (SymbolicExecutionVisitor.java:64)
    at org.sonar.java.ast.visitors.SubscriptionVisitor.visit (SubscriptionVisitor.java:95)
    at org.sonar.java.ast.visitors.SubscriptionVisitor.visitChildren (SubscriptionVisitor.java:120)
    at org.sonar.java.ast.visitors.SubscriptionVisitor.visit (SubscriptionVisitor.java:97)
    at org.sonar.java.ast.visitors.SubscriptionVisitor.visitChildren (SubscriptionVisitor.java:120)
    at org.sonar.java.ast.visitors.SubscriptionVisitor.visit (SubscriptionVisitor.java:97)
    at org.sonar.java.ast.visitors.SubscriptionVisitor.scanTree (SubscriptionVisitor.java:78)
    at org.sonar.java.ast.visitors.SubscriptionVisitor.scanFile (SubscriptionVisitor.java:64)
    at org.sonar.java.se.SymbolicExecutionVisitor.scanFile (SymbolicExecutionVisitor.java:54)
    at org.sonar.java.model.VisitorsBridge.visitFile (VisitorsBridge.java:118)
    at org.sonar.java.ast.JavaAstScanner.simpleScan (JavaAstScanner.java:96)
    at org.sonar.java.ast.JavaAstScanner.scan (JavaAstScanner.java:68)
    at org.sonar.java.JavaSquid.scanSources (JavaSquid.java:120)
    at org.sonar.java.JavaSquid.scan (JavaSquid.java:114)
    at org.sonar.plugins.java.JavaSquidSensor.execute (JavaSquidSensor.java:91)
    at org.sonar.scanner.sensor.SensorWrapper.analyse (SensorWrapper.java:53)
    at org.sonar.scanner.phases.SensorsExecutor.executeSensor (SensorsExecutor.java:88)
    at org.sonar.scanner.phases.SensorsExecutor.execute (SensorsExecutor.java:82)
    at org.sonar.scanner.phases.SensorsExecutor.execute (SensorsExecutor.java:68)
    at org.sonar.scanner.phases.AbstractPhaseExecutor.execute (AbstractPhaseExecutor.java:88)
    at org.sonar.scanner.scan.ModuleScanContainer.doAfterStart (ModuleScanContainer.java:180)
    at org.sonar.core.platform.ComponentContainer.startComponents (ComponentContainer.java:135)
    at org.sonar.core.platform.ComponentContainer.execute (ComponentContainer.java:121)
    at org.sonar.scanner.scan.ProjectScanContainer.scan (ProjectScanContainer.java:288)
    at org.sonar.scanner.scan.ProjectScanContainer.scanRecursively (ProjectScanContainer.java:283)
    at org.sonar.scanner.scan.ProjectScanContainer.doAfterStart (ProjectScanContainer.java:261)
    at org.sonar.core.platform.ComponentContainer.startComponents (ComponentContainer.java:135)
    at org.sonar.core.platform.ComponentContainer.execute (ComponentContainer.java:121)
    at org.sonar.scanner.task.ScanTask.execute (ScanTask.java:48)
    at org.sonar.scanner.task.TaskContainer.doAfterStart (TaskContainer.java:84)
    at org.sonar.core.platform.ComponentContainer.startComponents (ComponentContainer.java:135)
    at org.sonar.core.platform.ComponentContainer.execute (ComponentContainer.java:121)
    at org.sonar.scanner.bootstrap.GlobalContainer.executeTask (GlobalContainer.java:121)
    at org.sonar.batch.bootstrapper.Batch.doExecuteTask (Batch.java:116)
    at org.sonar.batch.bootstrapper.Batch.execute (Batch.java:71)
    at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute (BatchIsolatedLauncher.java:46)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke (IsolatedLauncherProxy.java:60)
    at com.sun.proxy.$Proxy26.execute (Unknown Source)
    at org.sonarsource.scanner.api.EmbeddedScanner.doExecute (EmbeddedScanner.java:171)
    at org.sonarsource.scanner.api.EmbeddedScanner.execute (EmbeddedScanner.java:128)
    at org.sonarsource.scanner.maven.bootstrap.ScannerBootstrapper.execute (ScannerBootstrapper.java:63)
    at org.sonarsource.scanner.maven.SonarQubeMojo.execute (SonarQubeMojo.java:108)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:134)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:208)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:154)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:146)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:51)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:309)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:194)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:107)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:955)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:290)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:194)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:415)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:356)
[ERROR]
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
```

parg commented 6 years ago

Think it is the same as

https://groups.google.com/forum/#!topic/sonarqube/7exWWYfRI4A

which leads to

https://jira.sonarsource.com/browse/SONARJAVA-2515

benzonico commented 6 years ago

Hi @parg, I am a developer on https://github.com/SonarSource/sonar-java. Thanks for getting back to our Jira. After a first quick look it seems you are right regarding the issue you linked; I am going to investigate this further.

In the meantime, the last version of SonarJava (5.1) won't fail the whole analysis because of that file (skipping it because of the failure on that file and carrying on); I just tested this locally. I don't know which versions you used to run the analysis (if it is on sonarcloud, then 5.1 is scheduled to be updated next Monday so you would have to wait until then).

I'll keep you posted about my investigations on this.

parg commented 6 years ago

Hi Nicolas, Thanks for the update - I'll wait until next Monday and retry - good luck with the bug :)

cheers Paul

parg commented 6 years ago

https://sonarcloud.io/dashboard?id=com.biglybt%3Abiglybt-core

have fun with the false positives :)

popcornenthusiast commented 6 years ago

Sorry, I'm not a developer, so I can't really help with the coding and identifying the problems with SonarQube.

Despite that, when you consider only the (supposedly) most critical problems, there aren't that many in SonarQube's analysis:

https://sonarcloud.io/project/issues?id=com.biglybt%3Abiglybt-core&resolved=false&severities=BLOCKER%2CCRITICAL&types=BUG

https://sonarcloud.io/project/issues?id=com.biglybt%3Abiglybt-core&resolved=false&severities=BLOCKER&types=VULNERABILITY

https://sonarcloud.io/project/issues?id=com.biglybt%3Abiglybt-core&resolved=false&severities=BLOCKER&types=CODE_SMELL

Only looking after these problems (and not the minor ones) seems like enough compromise on bug hunting/dealing with false positives and SonarQube usage. Or doesn't it?

parg commented 6 years ago

pick one that you think isn't a false-positive and I'll take a look!

popcornenthusiast commented 6 years ago

I was not being confrontational. If I sounded like that I'm sorry.

parg commented 6 years ago

me neither :) The main issue is that it takes a fair amount of time to go through the identified issues and when many of them are not significant. The problem is that static analysis doesn't generally understand the semantics of the code construct. For example:

https://sonarcloud.io/project/issues?id=com.biglybt%3Abiglybt-core&open=AWGtXl_igtr7QB4TjlXI&resolved=false&severities=BLOCKER%2CCRITICAL&types=BUG

deliberately doesn't release the file lock as it is there to prevent another instance of BiglyBT starting.

https://sonarcloud.io/project/issues?id=com.biglybt%3Abiglybt-core&open=AWGtXl-cgtr7QB4TjlTP&resolved=false&severities=BLOCKER%2CCRITICAL&types=BUG

doesn't need to terminate the loop as it is a daemon thread and is therefore automatically terminated on JVM shutdown

https://sonarcloud.io/project/issues?id=com.biglybt%3Abiglybt-core&open=AWGtXl_igtr7QB4TjlXD&resolved=false&severities=BLOCKER%2CCRITICAL&types=BUG

The intent behind this sleep call is to suspend the thread - there are no other locking implications here for which a call to Object::wait should be used instead.

I don't mean to say the analysis is useless, there are definitely things that it picks up that should be looked into. For example, the first one:

https://sonarcloud.io/project/issues?id=com.biglybt%3Abiglybt-core&open=AWGtXlhGgtr7QB4Tjjgj&resolved=false&severities=BLOCKER%2CCRITICAL&types=BUG

should probably be fixed although the resource leak would only occur if the method setReuseAddress can generate an exception on a freshly created ServerSocket - not something I have ever seen.
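The two verdicts described in the comment above for the same kind of "resource not closed" finding, as an added example (not BiglyBT's code and not part of the thread): a server socket that should be closed when its setup fails, and a lock file that is held on purpose. The class, method and file names are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.io.RandomAccessFile;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.nio.channels.FileLock;

// Hypothetical demo class; names are illustrative only.
public class AnalyzerFindingsDemo {

    // Held for the life of the JVM on purpose; see acquireInstanceLock().
    private static FileLock instanceLock;

    // Shape worth fixing: if setReuseAddress() or bind() throws,
    // the freshly created socket is never closed.
    static ServerSocket openFlagged(int port) throws IOException {
        ServerSocket ss = new ServerSocket();
        ss.setReuseAddress(true);
        ss.bind(new InetSocketAddress(InetAddress.getLoopbackAddress(), port));
        return ss;
    }

    // Hardened form: the caller owns the socket only when setup succeeded.
    static ServerSocket openHardened(int port) throws IOException {
        ServerSocket ss = new ServerSocket();
        try {
            ss.setReuseAddress(true);
            ss.bind(new InetSocketAddress(InetAddress.getLoopbackAddress(), port));
            return ss;
        } catch (IOException | RuntimeException e) {
            try {
                ss.close();
            } catch (IOException closeFailure) {
                e.addSuppressed(closeFailure);
            }
            throw e;
        }
    }

    // Same rule, different verdict: the lock is deliberately never released,
    // because holding it is what stops a second instance from starting.
    // Returns false when another process already holds the lock.
    static synchronized boolean acquireInstanceLock(File lockFile) throws IOException {
        RandomAccessFile raf = new RandomAccessFile(lockFile, "rw");
        try {
            FileLock lock = raf.getChannel().tryLock();
            if (lock == null) {
                raf.close(); // nothing to hold on to, so do not leak the handle
                return false;
            }
            instanceLock = lock; // static reference keeps lock and channel alive
            return true;
        } catch (IOException | RuntimeException e) {
            raf.close();
            throw e;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample path: a temp file stands in for the real lock file.
        File lockFile = File.createTempFile("instance", ".lock");
        lockFile.deleteOnExit();
        System.out.println("lock acquired: " + acquireInstanceLock(lockFile));
        try (ServerSocket ss = openHardened(0)) { // port 0 = any free port
            System.out.println("listening on port " + ss.getLocalPort());
        }
    }
}
```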