spotbugs / sonar-findbugs

SpotBugs plugin for SonarQube

Exception with SonarQube 8.9.2 #387

Closed gerrieg closed 2 years ago

gerrieg commented 2 years ago

I'm updating our SonarQube installation from 7.9.5 (sonar-findbugs-plugin-3.11.1.jar) -> 8.9.2 (sonar-findbugs-plugin-4.0.4.jar). When I add the sonar-findbugs-plugin-4.0.4.jar, I get an exception on startup and SonarQube stops. When I remove the plugin, SonarQube works as expected.

2021.09.10 08:31:38 INFO  web[][o.s.s.q.RegisterQualityProfiles] Update profile jsp/FindBugs Security JSP
2021.09.10 08:31:38 ERROR web[][o.s.s.p.Platform] Background initialization failed. Stopping SonarQube
org.sonar.server.exceptions.BadRequestException: java rule findsecbugs:XSS_JSP_PRINT cannot be activated on jsp profile FindBugs Security JSP
        at org.sonar.server.exceptions.BadRequestException.create(BadRequestException.java:57)
        at org.sonar.server.exceptions.BadRequestException.create(BadRequestException.java:61)
        at org.sonar.server.exceptions.BadRequestException.checkRequest(BadRequestException.java:44)
        at org.sonar.server.qualityprofile.RuleActivationContext.doSwitch(RuleActivationContext.java:227)
        at org.sonar.server.qualityprofile.RuleActivationContext.reset(RuleActivationContext.java:208)
        at org.sonar.server.qualityprofile.RuleActivator.activate(RuleActivator.java:76)
        at org.sonar.server.qualityprofile.BuiltInQProfileUpdateImpl.update(BuiltInQProfileUpdateImpl.java:73)
        at org.sonar.server.qualityprofile.RegisterQualityProfiles.update(RegisterQualityProfiles.java:132)
        at org.sonar.server.qualityprofile.RegisterQualityProfiles.lambda$start$1(RegisterQualityProfiles.java:93)
        at com.google.common.collect.ImmutableList.forEach(ImmutableList.java:405)
        at org.sonar.server.qualityprofile.RegisterQualityProfiles.start(RegisterQualityProfiles.java:88)
        at org.sonar.core.platform.StartableCloseableSafeLifecyleStrategy.start(StartableCloseableSafeLifecyleStrategy.java:40)
        at org.picocontainer.injectors.AbstractInjectionFactory$LifecycleAdapter.start(AbstractInjectionFactory.java:84)
        at org.picocontainer.behaviors.AbstractBehavior.start(AbstractBehavior.java:169)
        at org.picocontainer.behaviors.Stored$RealComponentLifecycle.start(Stored.java:132)
        at org.picocontainer.behaviors.Stored.start(Stored.java:110)
        at org.picocontainer.DefaultPicoContainer.potentiallyStartAdapter(DefaultPicoContainer.java:1016)
        at org.picocontainer.DefaultPicoContainer.startAdapters(DefaultPicoContainer.java:1009)
        at org.picocontainer.DefaultPicoContainer.start(DefaultPicoContainer.java:767)
        at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:136)
        at org.sonar.server.platform.platformlevel.PlatformLevel.start(PlatformLevel.java:90)
        at org.sonar.server.platform.platformlevel.PlatformLevelStartup.access$001(PlatformLevelStartup.java:49)
        at org.sonar.server.platform.platformlevel.PlatformLevelStartup$1.doPrivileged(PlatformLevelStartup.java:87)
        at org.sonar.server.user.DoPrivileged.execute(DoPrivileged.java:45)
        at org.sonar.server.platform.platformlevel.PlatformLevelStartup.start(PlatformLevelStartup.java:84)
        at org.sonar.server.platform.PlatformImpl.executeStartupTasks(PlatformImpl.java:198)
        at org.sonar.server.platform.PlatformImpl.access$400(PlatformImpl.java:46)
        at org.sonar.server.platform.PlatformImpl$1.lambda$doRun$1(PlatformImpl.java:122)
        at org.sonar.server.platform.PlatformImpl$AutoStarterRunnable.runIfNotAborted(PlatformImpl.java:370)
        at org.sonar.server.platform.PlatformImpl$1.doRun(PlatformImpl.java:122)
        at org.sonar.server.platform.PlatformImpl$AutoStarterRunnable.run(PlatformImpl.java:354)
        at java.base/java.lang.Thread.run(Thread.java:834)

KengoTODA commented 2 years ago

Are there any other logs that describe why findsecbugs:XSS_JSP_PRINT cannot be activated on jsp profile?

gtoison commented 2 years ago

Hello, the error message says that findsecbugs:XSS_JSP_PRINT is a java rule while it should be a JSP rule and part of the "findsecbugs-jsp" profile, not "findsecbugs".

I tried looking into the SonarQube code and this seems to be happening when the server reconciles the built-in profiles (from the core SQ and the plugins) against the profiles saved in the database. So while it's processing the "FindBugs Security JSP" profile, it's running into the XSS_JSP_PRINT which does not point to the right profile (Java/findsecbugs instead of the correct JSP/findsecbugs-jsp). The mysterious part is why that JSP rule loaded from the database would be in the findsecbugs profile.

@gerrieg, the way the plugin loads and initializes its built-in profiles was changed in the 4.0.4 version of the plugin to make it compatible with SonarQube 9. Normally it should still be compatible with SQ 7 and 8, but it would be great if you could try with version 4.0.3 of the plugin.

gerrieg commented 2 years ago

@gtoison thank you for the hint, 4.0.3 works!

gtoison commented 2 years ago

@gerrieg thanks for reporting back! That's the answer I did not want to hear because it means there's a regression in version 4.0.4

@KengoTODA I think we might want to hold on adding version 4.0.4 to the SQ marketplace until this is sorted out

KengoTODA commented 2 years ago

Got it. And thank you for reminding the SQ member at the official forum!

gerrieg commented 2 years ago

If you want, I can easily try new versions on our test system.

gtoison commented 2 years ago

@gerrieg yes it might be worth trying to upgrade to 4.0.3 and then to 4.0.4, I still have no idea what might be the problem here. I've been using the new version on SonarQube 9 and did not see that error.

I noticed that in your first message you wrote: findbugs-plugin-3.11.1.jar. You meant to write sonar-findbugs-plugin-3.11.1.jar, right?

gerrieg commented 2 years ago

Yes, it's sonar-findbugs-plugin-3.11.1.jar, I have updated the post.

Update from 4.0.3 -> 4.0.4: same exception

gtoison commented 2 years ago

Thanks for confirming, in the meantime I've posted a question on the Sonar forum: https://community.sonarsource.com/t/rule-in-wrong-profile-language-after-sq-7-9-to-8-9-and-plugin-upgrade/49645

gtoison commented 2 years ago

Hello @gerrieg, I looked a bit more into the error you have reported and I'm starting to suspect that this is related to https://github.com/spotbugs/sonar-findbugs/pull/382 , not to the way we load profiles/rules. Basically rule XSS_JSP_PRINT was not loaded in the version of the plugin you had previously and I attempted to fix that, but that might have caused the problem.

Would you know if the SonarQube installation you have was already upgraded from an older version (possibly multiple upgrades)?

Could you please share the part of the server startup logs corresponding to the plugins (so I can see what's happening before the error)? It should look like this:

> 2021.09.14 21:28:16 INFO  web[][o.s.s.s.GeneratePluginIndex] Generate scanner plugin index
> 2021.09.14 21:28:16 INFO  web[][o.s.s.s.RegisterPlugins] Register plugins
> 2021.09.14 21:28:16 INFO  web[][o.s.s.s.RegisterMetrics] Register metrics
> 2021.09.14 21:28:17 INFO  web[][o.s.s.q.RegisterQualityGates] Built-in quality gate's conditions of [Sonar way] has been updated
> 2021.09.14 21:28:17 INFO  web[][o.s.s.r.RegisterRules] Register rules
> 2021.09.14 21:28:22 INFO  web[][o.s.s.q.BuiltInQProfileRepositoryImpl] Load quality profiles
> 2021.09.14 21:28:22 WARN  web[][o.s.p.f.FindbugsProfileImporter] Unable to activate unknown rule : 'JSP_SPRING_EVAL'
> 2021.09.14 21:28:22 WARN  web[][o.s.p.f.FindbugsProfileImporter] Unable to activate unknown rule : 'XSS_REQUEST_PARAMETER_TO_JSP_WRITER'
> 2021.09.14 21:28:22 WARN  web[][o.s.p.f.FindbugsProfileImporter] Unable to activate unknown rule : 'JSP_INCLUDE'
> 2021.09.14 21:28:22 WARN  web[][o.s.p.f.FindbugsProfileImporter] Unable to activate unknown rule : 'JSP_XSLT'
> 2021.09.14 21:28:22 WARN  web[][o.s.p.f.FindbugsProfileImporter] Unable to activate unknown rule : 'XSS_JSP_PRINT'
> 2021.09.14 21:28:22 WARN  web[][o.s.p.f.FindbugsProfileImporter] Unable to activate unknown rule : 'JSP_JSTL_OUT'
> 2021.09.14 21:28:22 INFO  web[][o.s.s.q.BuiltInQProfileRepositoryImpl] Language jsp is not installed, related quality profiles are ignored
> 2021.09.14 21:28:22 INFO  web[][o.s.s.q.RegisterQualityProfiles] Register quality profiles
> 2021.09.14 21:28:22 INFO  web[][o.s.s.q.RegisterQualityProfiles] Register profile java/FindBugs
> 2021.09.14 21:28:23 INFO  web[][o.s.s.q.RegisterQualityProfiles] Register profile java/FindBugs + FB-Contrib
> 2021.09.14 21:28:23 INFO  web[][o.s.s.q.RegisterQualityProfiles] Register profile java/FindBugs Security Audit
> 2021.09.14 21:28:24 INFO  web[][o.s.s.q.RegisterQualityProfiles] Register profile java/FindBugs Security Minimal
> 2021.09.14 21:28:24 INFO  web[][o.s.s.q.RegisterQualityProfiles] Register profile java/Sonar way
> 2021.09.14 21:28:24 INFO  web[][o.s.s.s.RegisterPermissionTemplates] Register permission templates
> 2021.09.14 21:28:24 INFO  web[][o.s.s.s.RenameDeprecatedPropertyKeys] Rename deprecated property keys

sephiroth-j commented 2 years ago

@gtoison, is this what you are looking for? I removed some parts to shorten the log.

2021.09.16 10:36:33 INFO  web[][o.s.s.r.RegisterRules] Register rules
...
2021.09.16 10:36:37 INFO  web[][o.s.s.r.RegisterRules] Disable rule findsecbugs-jsp:XSS_JSP_PRINT
...
2021.09.16 10:37:51 INFO  web[][org.sonar.INFO] Security realm started
...
2021.09.16 10:37:52 INFO  web[][o.s.s.t.TelemetryDaemon] Sharing of SonarQube statistics is enabled.
2021.09.16 10:37:52 INFO  web[][o.s.s.n.NotificationDaemon] Notification service started (delay 60 sec.)
2021.09.16 10:37:52 INFO  web[][o.s.s.s.GeneratePluginIndex] Generate scanner plugin index
2021.09.16 10:37:52 INFO  web[][o.s.s.s.RegisterPlugins] Register plugins
2021.09.16 10:37:52 INFO  web[][o.s.s.s.RegisterMetrics] Register metrics
2021.09.16 10:37:52 INFO  web[][o.s.s.r.RegisterRules] Register rules
2021.09.16 10:37:54 INFO  web[][o.r.Reflections] Reflections took 12 ms to scan 1 urls, producing 193 keys and 193 values 
2021.09.16 10:38:07 INFO  web[][o.s.s.q.BuiltInQProfileRepositoryImpl] Load quality profiles
2021.09.16 10:38:07 INFO  web[][o.s.s.q.RegisterQualityProfiles] Register quality profiles
2021.09.16 10:38:07 INFO  web[][o.s.s.q.RegisterQualityProfiles] Update profile css/Sonar way
2021.09.16 10:38:07 INFO  web[][o.s.s.q.RegisterQualityProfiles] Update profile scala/Sonar way
2021.09.16 10:38:07 INFO  web[][o.s.s.q.RegisterQualityProfiles] Update profile jsp/FindBugs Security JSP
2021.09.16 10:38:07 ERROR web[][o.s.s.p.Platform] Background initialization failed. Stopping SonarQube
org.sonar.server.exceptions.BadRequestException: java rule findsecbugs:XSS_JSP_PRINT cannot be activated on jsp profile FindBugs Security JSP
    at org.sonar.server.exceptions.BadRequestException.create(BadRequestException.java:57)
    at org.sonar.server.exceptions.BadRequestException.create(BadRequestException.java:61)
    at org.sonar.server.exceptions.BadRequestException.checkRequest(BadRequestException.java:44)
    at org.sonar.server.qualityprofile.RuleActivationContext.doSwitch(RuleActivationContext.java:227)
    at org.sonar.server.qualityprofile.RuleActivationContext.reset(RuleActivationContext.java:208)
    at org.sonar.server.qualityprofile.RuleActivator.activate(RuleActivator.java:76)
    at org.sonar.server.qualityprofile.BuiltInQProfileUpdateImpl.update(BuiltInQProfileUpdateImpl.java:73)
    at org.sonar.server.qualityprofile.RegisterQualityProfiles.update(RegisterQualityProfiles.java:132)
    at org.sonar.server.qualityprofile.RegisterQualityProfiles.lambda$start$1(RegisterQualityProfiles.java:93)
    at com.google.common.collect.ImmutableList.forEach(ImmutableList.java:405)
    at org.sonar.server.qualityprofile.RegisterQualityProfiles.start(RegisterQualityProfiles.java:88)
    at org.sonar.core.platform.StartableCloseableSafeLifecyleStrategy.start(StartableCloseableSafeLifecyleStrategy.java:40)
    at org.picocontainer.injectors.AbstractInjectionFactory$LifecycleAdapter.start(AbstractInjectionFactory.java:84)
    at org.picocontainer.behaviors.AbstractBehavior.start(AbstractBehavior.java:169)
    at org.picocontainer.behaviors.Stored$RealComponentLifecycle.start(Stored.java:132)
    at org.picocontainer.behaviors.Stored.start(Stored.java:110)
    at org.picocontainer.DefaultPicoContainer.potentiallyStartAdapter(DefaultPicoContainer.java:1016)
    at org.picocontainer.DefaultPicoContainer.startAdapters(DefaultPicoContainer.java:1009)
    at org.picocontainer.DefaultPicoContainer.start(DefaultPicoContainer.java:767)
    at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:136)
    at org.sonar.server.platform.platformlevel.PlatformLevel.start(PlatformLevel.java:90)
    at org.sonar.server.platform.platformlevel.PlatformLevelStartup.access$001(PlatformLevelStartup.java:49)
    at org.sonar.server.platform.platformlevel.PlatformLevelStartup$1.doPrivileged(PlatformLevelStartup.java:87)
    at org.sonar.server.user.DoPrivileged.execute(DoPrivileged.java:45)
    at org.sonar.server.platform.platformlevel.PlatformLevelStartup.start(PlatformLevelStartup.java:84)
    at org.sonar.server.platform.PlatformImpl.executeStartupTasks(PlatformImpl.java:198)
    at org.sonar.server.platform.PlatformImpl.access$400(PlatformImpl.java:46)
    at org.sonar.server.platform.PlatformImpl$1.lambda$doRun$1(PlatformImpl.java:122)
    at org.sonar.server.platform.PlatformImpl$AutoStarterRunnable.runIfNotAborted(PlatformImpl.java:370)
    at org.sonar.server.platform.PlatformImpl$1.doRun(PlatformImpl.java:122)
    at org.sonar.server.platform.PlatformImpl$AutoStarterRunnable.run(PlatformImpl.java:354)
    at java.base/java.lang.Thread.run(Thread.java:829)
2021.09.16 10:38:08 INFO  web[][o.s.p.ProcessEntryPoint] Hard stopping process
2021.09.16 10:38:08 INFO  web[][o.s.s.n.NotificationDaemon] Notification service stopped

Happened during update of SQ 8.9.1 with plugin version 4.0.3 to SQ 8.9.2 and plugin version 4.0.4.

gtoison commented 2 years ago

Thank you @sephiroth-j, that helps a lot. Thanks to these logs I realized that SonarQube handles these rules differently depending on whether the html plugin is installed or not. I'm still trying to figure this out, but hopefully I'll get there.
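The correlation visible in the logs above (a `Disable rule` line for one repository, then a startup failure on the same rule key in another repository) can be pulled out of a `web.log` automatically. This is an added example, not part of the original thread and not code from SonarQube or sonar-findbugs; `triage` and `Finding` are hypothetical names, and the sample excerpts are abridged from the log lines quoted in this thread, covering the two exception messages reported in it.

```python
"""Triage a SonarQube web.log excerpt for the quality-profile activation
failures reported in this thread (added example, not SonarQube/plugin code)."""
import re
from dataclasses import dataclass, field

# Layout of the log lines quoted in the thread:
#   2021.09.16 10:38:07 INFO  web[][o.s.s.q.RegisterQualityProfiles] <message>
LOG_LINE = re.compile(
    r"^\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2} [A-Z]+\s+\w+\[[^\]]*\]\[[^\]]+\] (?P<msg>.*)$"
)
RULE = r"(?P<repo>[\w-]+):(?P<key>\w+)"
DISABLED = re.compile(rf"^Disable rule {RULE}$")
PROFILE = re.compile(r"^(?:Update|Register) profile (?P<lang>[\w-]+)/(?P<name>.+)$")
# The two BadRequestException messages that appear in the thread.
MISMATCH = re.compile(
    rf"BadRequestException: (?P<rule_lang>\w+) rule {RULE} "
    r"cannot be activated on \w+ profile .+$"
)
REMOVED = re.compile(rf"BadRequestException: Rule was removed: {RULE}$")


@dataclass
class Finding:
    kind: str                 # "language-mismatch" or "rule-removed"
    rule: str                 # "<repository>:<key>" named in the exception
    profile: str              # last "<language>/<name>" profile being updated
    rule_language: str = ""   # language SonarQube reports for the rule, if any
    same_key_disabled_in: list = field(default_factory=list)


def triage(log_text):
    """Return one Finding per activation failure found in log_text."""
    disabled = {}             # rule key -> repositories where it was disabled
    findings = []
    current_profile = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LOG_LINE.match(line)
        if m:
            msg = m["msg"]
            if (d := DISABLED.match(msg)):
                disabled.setdefault(d["key"], set()).add(d["repo"])
            elif (p := PROFILE.match(msg)):
                current_profile = f"{p['lang']}/{p['name']}"
            continue
        # Not a timestamped line: exception header or stack frame.
        if (mm := MISMATCH.search(line)):
            findings.append(Finding("language-mismatch", f"{mm['repo']}:{mm['key']}",
                                    current_profile, mm["rule_lang"]))
        elif (rm := REMOVED.search(line)):
            findings.append(Finding("rule-removed", f"{rm['repo']}:{rm['key']}",
                                    current_profile))
    # A key disabled in a *different* repository points at a rule that moved.
    for f in findings:
        repo, key = f.rule.split(":", 1)
        f.same_key_disabled_in = sorted(
            f"{r}:{key}" for r in disabled.get(key, ()) if r != repo
        )
    return findings


# Abridged from the SQ 8.9.2 log quoted in this thread (stack frames cut).
SAMPLE_SQ_8_9 = """
2021.09.16 10:36:37 INFO  web[][o.s.s.r.RegisterRules] Disable rule findsecbugs-jsp:XSS_JSP_PRINT
2021.09.16 10:38:07 INFO  web[][o.s.s.q.RegisterQualityProfiles] Register quality profiles
2021.09.16 10:38:07 INFO  web[][o.s.s.q.RegisterQualityProfiles] Update profile css/Sonar way
2021.09.16 10:38:07 INFO  web[][o.s.s.q.RegisterQualityProfiles] Update profile jsp/FindBugs Security JSP
2021.09.16 10:38:07 ERROR web[][o.s.s.p.Platform] Background initialization failed. Stopping SonarQube
org.sonar.server.exceptions.BadRequestException: java rule findsecbugs:XSS_JSP_PRINT cannot be activated on jsp profile FindBugs Security JSP
    at org.sonar.server.exceptions.BadRequestException.create(BadRequestException.java:57)
"""

# Abridged from the SQ 9.1 log quoted later in this thread.
SAMPLE_SQ_9_1 = """
2021.10.06 14:22:37 INFO  web[][o.s.s.r.RegisterRules] Disable rule findsecbugs-jsp:XSS_JSP_PRINT
2021.10.06 14:26:56 INFO  web[][o.s.s.q.RegisterQualityProfiles] Update profile jsp/FindBugs Security JSP
2021.10.06 14:26:56 ERROR web[][o.s.s.p.Platform] Background initialization failed. Stopping SonarQube
org.sonar.server.exceptions.BadRequestException: Rule was removed: findsecbugs:XSS_JSP_PRINT
    at org.sonar.server.exceptions.BadRequestException.create(BadRequestException.java:57)
"""

if __name__ == "__main__":
    for name, sample in (("SQ 8.9", SAMPLE_SQ_8_9), ("SQ 9.1", SAMPLE_SQ_9_1)):
        for finding in triage(sample):
            print(name, finding)
```
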

derkoe commented 2 years ago

We have the same issue. Our instance is quite "old" - we started with 3.x

gerrieg commented 2 years ago

We started with 3.5.1 and updated several times.

2021.09.13 10:48:00 INFO  web[][o.s.s.s.GeneratePluginIndex] Generate scanner plugin index
2021.09.13 10:48:00 INFO  web[][o.s.s.s.RegisterPlugins] Register plugins
2021.09.13 10:48:00 INFO  web[][c.h.s.i.s.SonargraphMetrics] Sonargraph Integration: Created 55 predefined and 0 custom metric(s)
2021.09.13 10:48:00 INFO  web[][o.s.s.s.RegisterMetrics] Register metrics
2021.09.13 10:48:00 INFO  web[][o.s.s.r.RegisterRules] Register rules
2021.09.13 10:48:01 INFO  web[][c.h.s.i.s.SonargraphRulesProvider] Sonargraph Integration: Loaded standard rules file '/com/hello2morrow/sonargraph/integration/sonarqube/SonargraphRules.properties'
2021.09.13 10:48:01 INFO  web[][c.h.s.i.s.SonargraphRulesProvider] Sonargraph Integration: No custom rules file found at '/home/sonar/.sonargraphintegration/SonargraphRules.properties'
2021.09.13 10:48:01 INFO  web[][c.h.s.i.s.SonargraphRules] Sonargraph Integration: Created 18 predefined and 0 custom rule(s)
2021.09.13 10:48:01 INFO  web[][c.h.s.i.s.SonargraphRulesProvider] Sonargraph Integration: Loaded standard rules file '/com/hello2morrow/sonargraph/integration/sonarqube/SonargraphRules.properties'
2021.09.13 10:48:01 INFO  web[][c.h.s.i.s.SonargraphRulesProvider] Sonargraph Integration: No custom rules file found at '/home/sonar/.sonargraphintegration/SonargraphRules.properties'
2021.09.13 10:48:01 INFO  web[][c.h.s.i.s.SonargraphRules] Sonargraph Integration: Created 18 predefined and 0 custom rule(s)
2021.09.13 10:48:10 INFO  web[][o.s.s.q.BuiltInQProfileRepositoryImpl] Load quality profiles
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule ARCHITECTURE_VIOLATION in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule CRITICAL_MODULE_CYCLE_GROUP in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule CRITICAL_NAMESPACE_CYCLE_GROUP in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule CRITICAL_COMPONENT_CYCLE_GROUP in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule THRESHOLD_VIOLATION_ERROR in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule TODO in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule DELETE_REFACTORING in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule MOVE_REFACTORING in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule MOVE_RENAME_REFACTORING in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule RENAME_REFACTORING in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule DUPLICATE_CODE_BLOCK in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule QUALITY_GATE_ISSUE in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] Sonargraph Integration: Profile created
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule ARCHITECTURE_VIOLATION in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule CRITICAL_MODULE_CYCLE_GROUP in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule CRITICAL_NAMESPACE_CYCLE_GROUP in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule CRITICAL_COMPONENT_CYCLE_GROUP in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule THRESHOLD_VIOLATION_ERROR in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule TODO in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule DELETE_REFACTORING in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule MOVE_REFACTORING in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule MOVE_RENAME_REFACTORING in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule RENAME_REFACTORING in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule DUPLICATE_CODE_BLOCK in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule QUALITY_GATE_ISSUE in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule MODULE_CYCLE_GROUP in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule NAMESPACE_CYCLE_GROUP in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule COMPONENT_CYCLE_GROUP in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule THRESHOLD_VIOLATION in repo sonargraphintegration
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] Sonargraph Integration (Strict): Profile created
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule ARCHITECTURE_VIOLATION in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule CRITICAL_MODULE_CYCLE_GROUP in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule CRITICAL_NAMESPACE_CYCLE_GROUP in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule CRITICAL_COMPONENT_CYCLE_GROUP in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule THRESHOLD_VIOLATION_ERROR in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule TODO in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule DELETE_REFACTORING in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule MOVE_REFACTORING in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule MOVE_RENAME_REFACTORING in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule RENAME_REFACTORING in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule DUPLICATE_CODE_BLOCK in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule QUALITY_GATE_ISSUE in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] Sonargraph Integration C#: Profile created
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule ARCHITECTURE_VIOLATION in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule CRITICAL_MODULE_CYCLE_GROUP in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule CRITICAL_NAMESPACE_CYCLE_GROUP in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule CRITICAL_COMPONENT_CYCLE_GROUP in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule THRESHOLD_VIOLATION_ERROR in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule TODO in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule DELETE_REFACTORING in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule MOVE_REFACTORING in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule MOVE_RENAME_REFACTORING in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule RENAME_REFACTORING in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule DUPLICATE_CODE_BLOCK in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule QUALITY_GATE_ISSUE in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule MODULE_CYCLE_GROUP in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule NAMESPACE_CYCLE_GROUP in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule COMPONENT_CYCLE_GROUP in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] activating rule THRESHOLD_VIOLATION in repo sonargraphintegration_cs
2021.09.13 10:48:10 INFO  web[][c.h.s.i.s.AbstractSonargraphProfile] Sonargraph Integration C# (Strict): Profile created
2021.09.13 10:48:11 INFO  web[][o.s.s.q.RegisterQualityProfiles] Register quality profiles
2021.09.13 10:48:11 INFO  web[][o.s.s.q.RegisterQualityProfiles] Update profile css/Sonar way
2021.09.13 10:48:11 INFO  web[][o.s.s.q.RegisterQualityProfiles] Update profile scala/Sonar way
2021.09.13 10:48:11 INFO  web[][o.s.s.q.RegisterQualityProfiles] Update profile jsp/Sonar way
2021.09.13 10:48:11 INFO  web[][o.s.s.q.RegisterQualityProfiles] Update profile jsp/FindBugs Security JSP
2021.09.13 10:48:11 ERROR web[][o.s.s.p.Platform] Background initialization failed. Stopping SonarQube
org.sonar.server.exceptions.BadRequestException: java rule findsecbugs:XSS_JSP_PRINT cannot be activated on jsp profile FindBugs Security JSP
    at org.sonar.server.exceptions.BadRequestException.create(BadRequestException.java:57)
    at org.sonar.server.exceptions.BadRequestException.create(BadRequestException.java:61)
    at org.sonar.server.exceptions.BadRequestException.checkRequest(BadRequestException.java:44)
    at org.sonar.server.qualityprofile.RuleActivationContext.doSwitch(RuleActivationContext.java:227)
    at org.sonar.server.qualityprofile.RuleActivationContext.reset(RuleActivationContext.java:208)
    at org.sonar.server.qualityprofile.RuleActivator.activate(RuleActivator.java:76)
    at org.sonar.server.qualityprofile.BuiltInQProfileUpdateImpl.update(BuiltInQProfileUpdateImpl.java:73)
    at org.sonar.server.qualityprofile.RegisterQualityProfiles.update(RegisterQualityProfiles.java:132)
    at org.sonar.server.qualityprofile.RegisterQualityProfiles.lambda$start$1(RegisterQualityProfiles.java:93)
    at com.google.common.collect.ImmutableList.forEach(ImmutableList.java:405)
    at org.sonar.server.qualityprofile.RegisterQualityProfiles.start(RegisterQualityProfiles.java:88)
    at org.sonar.core.platform.StartableCloseableSafeLifecyleStrategy.start(StartableCloseableSafeLifecyleStrategy.java:40)
    at org.picocontainer.injectors.AbstractInjectionFactory$LifecycleAdapter.start(AbstractInjectionFactory.java:84)
    at org.picocontainer.behaviors.AbstractBehavior.start(AbstractBehavior.java:169)
    at org.picocontainer.behaviors.Stored$RealComponentLifecycle.start(Stored.java:132)
    at org.picocontainer.behaviors.Stored.start(Stored.java:110)
    at org.picocontainer.DefaultPicoContainer.potentiallyStartAdapter(DefaultPicoContainer.java:1016)
    at org.picocontainer.DefaultPicoContainer.startAdapters(DefaultPicoContainer.java:1009)
    at org.picocontainer.DefaultPicoContainer.start(DefaultPicoContainer.java:767)
    at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:136)
    at org.sonar.server.platform.platformlevel.PlatformLevel.start(PlatformLevel.java:90)
    at org.sonar.server.platform.platformlevel.PlatformLevelStartup.access$001(PlatformLevelStartup.java:49)
    at org.sonar.server.platform.platformlevel.PlatformLevelStartup$1.doPrivileged(PlatformLevelStartup.java:87)
    at org.sonar.server.user.DoPrivileged.execute(DoPrivileged.java:45)
    at org.sonar.server.platform.platformlevel.PlatformLevelStartup.start(PlatformLevelStartup.java:84)
    at org.sonar.server.platform.PlatformImpl.executeStartupTasks(PlatformImpl.java:198)
    at org.sonar.server.platform.PlatformImpl.access$400(PlatformImpl.java:46)
    at org.sonar.server.platform.PlatformImpl$1.lambda$doRun$1(PlatformImpl.java:122)
    at org.sonar.server.platform.PlatformImpl$AutoStarterRunnable.runIfNotAborted(PlatformImpl.java:370)
    at org.sonar.server.platform.PlatformImpl$1.doRun(PlatformImpl.java:122)
    at org.sonar.server.platform.PlatformImpl$AutoStarterRunnable.run(PlatformImpl.java:354)
    at java.base/java.lang.Thread.run(Thread.java:834)
2021.09.13 10:48:11 INFO  web[][o.s.p.ProcessEntryPoint] Hard stopping process

gtoison commented 2 years ago

After a lot of head scratching I now think that this is due to SONAR-15240 - Startup fails if rule is moved to a different language. That bug was fixed in SonarQube 9.1 and (as I understand it) probably affects older SonarQube installations progressively upgraded to 8.9. Unfortunately I'm still unable to reproduce it.

@KengoTODA here are a few proposals:

KengoTODA commented 2 years ago

> Mark version 4.0.4 as only compatible with SQ 9.1+ on the marketplace

4.0.4 is already published in the marketplace, it would be better to change compatibility from 4.0.5.

I cannot judge the correctness of other ideas due to the lack of SQ usage in my development, so I'll ask new maintainers to handle it after I welcome them to the team.

gtoison commented 2 years ago

Hello @gerrieg, could you (or someone affected by this issue) try the tentative fix I've made on my forked repo? I am unable to replicate the problem so it would be very helpful to confirm whether reverting to the old SonarQube API works. The plugin is available here: https://github.com/gtoison/sonar-findbugs/releases/tag/4.0.4.1 Or you can build it from that branch: https://github.com/gtoison/sonar-findbugs/tree/sq-8-9-lts-maintenance

Important disclaimer that this pre-release is not validated by the spotbugs team, please do not use on a production environment

derkoe commented 2 years ago

@gerrieg I have just tried the 4.0.4.1 and can confirm the fix works for our setup (we had the same issue).

I have also tried it with Java 17 - the reason why we need the new sonar-findbugs.

gtoison commented 2 years ago

Thank you very much @gerrieg, that's great news! So the summary of this issue is:

I suppose we still want to use the new SonarQube API (because the old one is deprecated and was entirely removed in SQ 9), so I propose that we revert the changes on a maintenance branch.

@KengoTODA I do not have write access on the repo so, if you agree, could you please create that branch so I can submit a Pull Request? Then we could release it as version 4.0.5 (not compatible with SQ 9) and continue the development on the main branch and call it version 4.1.x

I'll keep trying to reproduce

gerrieg commented 2 years ago

I am currently on vacation, I can try it next Monday.

gtoison commented 2 years ago

Hello, could anyone affected by this issue please have a look at how rule XSS_JSP_PRINT is reflected in your installation? In my case it is for the JSP language and the findsecbugs-jsp repository:

image

I suspect that for you it will be for the Java language and the findsecbugs repository. Looking into the Git history of the plugin I've found that rule XSS_JSP_PRINT was for Java up until version 3.3 of the plugin, and then in version 3.4 it was moved to JSP. Could you please check for rule XSS_REQUEST_PARAMETER_TO_JSP_WRITER? I think it should be affected by the same problem and would be a Java rule in installations that started with version 3.3 (or older) of the plugin.

derkoe commented 2 years ago

In our installation (with the issue) it is also under findsecbugs-jsp:

image

XSS_REQUEST_PARAMETER_TO_JSP_WRITER is also in findsecbugs-jsp

sephiroth-j commented 2 years ago

> In our installation (with the issue) it is also under findsecbugs-jsp:
>
> image
>
> XSS_REQUEST_PARAMETER_TO_JSP_WRITER is also in findsecbugs-jsp

same here

gerrieg commented 2 years ago

4.0.4.1 works for me and XSS_JSP_PRINT is also in the findsecbugs-jsp

gtoison commented 2 years ago

Hello, I'm still unable to reproduce the issue but I've found something buried deep in the SonarQube API and hopefully that might help: https://javadocs.sonarsource.org/7.1/apidocs/org/sonar/api/server/rule/RulesDefinition.Rule.html#deprecatedRuleKeys--

The changes are on this branch of my forked repo: https://github.com/gtoison/sonar-findbugs/tree/add-deprecated-jsp-rule-key
And the pre-release is here: https://github.com/gtoison/sonar-findbugs/releases/tag/4.0.4.2

Contrary to version 4.0.4.1, this uses the new SQ API, so it is compatible with SQ 9. According to the documentation, this will allow SonarQube to support "issue re-keying" for this rule. Fingers crossed this might get rid of findsecbugs:XSS_JSP_PRINT and findsecbugs:XSS_REQUEST_PARAMETER_TO_JSP_WRITER

As last time, this prerelease was not validated by the SpotBugs team, so please do not use it on a production environment

If someone tries this out and it fails, could you please share your logs?

sephiroth-j commented 2 years ago

@gtoison, we tried 4.0.4 with SQ 9.1. similar problem.

2021.10.06 14:22:37 INFO  web[][o.s.s.r.RegisterRules] Disable rule findsecbugs-jsp:XSS_JSP_PRINT
...
2021.10.06 14:26:43 INFO  web[][o.s.s.p.PluginJarLoader] Plugin Findbugs [findbugs] updated to version 4.0.4
...
2021.10.06 14:26:56 INFO  web[][o.s.s.q.RegisterQualityProfiles] Register quality profiles
2021.10.06 14:26:56 INFO  web[][o.s.s.q.RegisterQualityProfiles] Update profile css/Sonar way
2021.10.06 14:26:56 INFO  web[][o.s.s.q.RegisterQualityProfiles] Update profile scala/Sonar way
2021.10.06 14:26:56 INFO  web[][o.s.s.q.RegisterQualityProfiles] Update profile jsp/FindBugs Security JSP
2021.10.06 14:26:56 ERROR web[][o.s.s.p.Platform] Background initialization failed. Stopping SonarQube
org.sonar.server.exceptions.BadRequestException: Rule was removed: findsecbugs:XSS_JSP_PRINT
    at org.sonar.server.exceptions.BadRequestException.create(BadRequestException.java:57)
    at org.sonar.server.exceptions.BadRequestException.create(BadRequestException.java:61)
    at org.sonar.server.exceptions.BadRequestException.checkRequest(BadRequestException.java:44)
    at org.sonar.server.qualityprofile.RuleActivator.doActivate(RuleActivator.java:82)
    at org.sonar.server.qualityprofile.RuleActivator.activate(RuleActivator.java:77)
    at org.sonar.server.qualityprofile.BuiltInQProfileUpdateImpl.update(BuiltInQProfileUpdateImpl.java:73)
    at org.sonar.server.qualityprofile.RegisterQualityProfiles.update(RegisterQualityProfiles.java:132)
    at org.sonar.server.qualityprofile.RegisterQualityProfiles.lambda$start$1(RegisterQualityProfiles.java:93)
    at com.google.common.collect.ImmutableList.forEach(ImmutableList.java:405)
    at org.sonar.server.qualityprofile.RegisterQualityProfiles.start(RegisterQualityProfiles.java:88)
    at org.sonar.core.platform.StartableCloseableSafeLifecyleStrategy.start(StartableCloseableSafeLifecyleStrategy.java:40)
    at org.picocontainer.injectors.AbstractInjectionFactory$LifecycleAdapter.start(AbstractInjectionFactory.java:84)
    at org.picocontainer.behaviors.AbstractBehavior.start(AbstractBehavior.java:169)
    at org.picocontainer.behaviors.Stored$RealComponentLifecycle.start(Stored.java:132)
    at org.picocontainer.behaviors.Stored.start(Stored.java:110)
    at org.picocontainer.DefaultPicoContainer.potentiallyStartAdapter(DefaultPicoContainer.java:1016)
    at org.picocontainer.DefaultPicoContainer.startAdapters(DefaultPicoContainer.java:1009)
    at org.picocontainer.DefaultPicoContainer.start(DefaultPicoContainer.java:767)
    at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:136)
    at org.sonar.server.platform.platformlevel.PlatformLevel.start(PlatformLevel.java:90)
    at org.sonar.server.platform.platformlevel.PlatformLevelStartup.access$001(PlatformLevelStartup.java:51)
    at org.sonar.server.platform.platformlevel.PlatformLevelStartup$1.doPrivileged(PlatformLevelStartup.java:119)
    at org.sonar.server.user.DoPrivileged.execute(DoPrivileged.java:45)
    at org.sonar.server.platform.platformlevel.PlatformLevelStartup.start(PlatformLevelStartup.java:116)
    at org.sonar.server.platform.PlatformImpl.executeStartupTasks(PlatformImpl.java:198)
    at org.sonar.server.platform.PlatformImpl$1.lambda$doRun$1(PlatformImpl.java:122)
    at org.sonar.server.platform.PlatformImpl$AutoStarterRunnable.runIfNotAborted(PlatformImpl.java:370)
    at org.sonar.server.platform.PlatformImpl$1.doRun(PlatformImpl.java:122)
    at org.sonar.server.platform.PlatformImpl$AutoStarterRunnable.run(PlatformImpl.java:354)
    at java.base/java.lang.Thread.run(Thread.java:829)

We then tried 4.0.4.2. same problem, different rule.

2021.10.06 14:30:53 INFO  web[][o.s.s.r.RegisterRules] Disable rule findsecbugs-jsp:XSS_REQUEST_PARAMETER_TO_JSP_WRITER
...
2021.10.06 14:32:42 INFO  web[][o.s.s.p.ServerPluginManager] Deploy plugin Findbugs / 4.0.4.2 / 
...
2021.10.06 14:32:54 INFO  web[][o.s.s.q.RegisterQualityProfiles] Register quality profiles
2021.10.06 14:32:54 INFO  web[][o.s.s.q.RegisterQualityProfiles] Update profile css/Sonar way
2021.10.06 14:32:55 INFO  web[][o.s.s.q.RegisterQualityProfiles] Update profile scala/Sonar way
2021.10.06 14:32:55 INFO  web[][o.s.s.q.RegisterQualityProfiles] Update profile jsp/FindBugs Security JSP
2021.10.06 14:32:55 ERROR web[][o.s.s.p.Platform] Background initialization failed. Stopping SonarQube
org.sonar.server.exceptions.BadRequestException: Rule was removed: findbugs:XSS_REQUEST_PARAMETER_TO_JSP_WRITER
    at org.sonar.server.exceptions.BadRequestException.create(BadRequestException.java:57)
    at org.sonar.server.exceptions.BadRequestException.create(BadRequestException.java:61)
    at org.sonar.server.exceptions.BadRequestException.checkRequest(BadRequestException.java:44)
    at org.sonar.server.qualityprofile.RuleActivator.doActivate(RuleActivator.java:82)
    at org.sonar.server.qualityprofile.RuleActivator.activate(RuleActivator.java:77)
    at org.sonar.server.qualityprofile.BuiltInQProfileUpdateImpl.update(BuiltInQProfileUpdateImpl.java:73)
    at org.sonar.server.qualityprofile.RegisterQualityProfiles.update(RegisterQualityProfiles.java:132)
    at org.sonar.server.qualityprofile.RegisterQualityProfiles.lambda$start$1(RegisterQualityProfiles.java:93)
    at com.google.common.collect.ImmutableList.forEach(ImmutableList.java:405)
    at org.sonar.server.qualityprofile.RegisterQualityProfiles.start(RegisterQualityProfiles.java:88)
    at org.sonar.core.platform.StartableCloseableSafeLifecyleStrategy.start(StartableCloseableSafeLifecyleStrategy.java:40)
    at org.picocontainer.injectors.AbstractInjectionFactory$LifecycleAdapter.start(AbstractInjectionFactory.java:84)
    at org.picocontainer.behaviors.AbstractBehavior.start(AbstractBehavior.java:169)
    at org.picocontainer.behaviors.Stored$RealComponentLifecycle.start(Stored.java:132)
    at org.picocontainer.behaviors.Stored.start(Stored.java:110)
    at org.picocontainer.DefaultPicoContainer.potentiallyStartAdapter(DefaultPicoContainer.java:1016)
    at org.picocontainer.DefaultPicoContainer.startAdapters(DefaultPicoContainer.java:1009)
    at org.picocontainer.DefaultPicoContainer.start(DefaultPicoContainer.java:767)
    at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:136)
    at org.sonar.server.platform.platformlevel.PlatformLevel.start(PlatformLevel.java:90)
    at org.sonar.server.platform.platformlevel.PlatformLevelStartup.access$001(PlatformLevelStartup.java:51)
    at org.sonar.server.platform.platformlevel.PlatformLevelStartup$1.doPrivileged(PlatformLevelStartup.java:119)
    at org.sonar.server.user.DoPrivileged.execute(DoPrivileged.java:45)
    at org.sonar.server.platform.platformlevel.PlatformLevelStartup.start(PlatformLevelStartup.java:116)
    at org.sonar.server.platform.PlatformImpl.executeStartupTasks(PlatformImpl.java:198)
    at org.sonar.server.platform.PlatformImpl$1.lambda$doRun$1(PlatformImpl.java:122)
    at org.sonar.server.platform.PlatformImpl$AutoStarterRunnable.runIfNotAborted(PlatformImpl.java:370)
    at org.sonar.server.platform.PlatformImpl$1.doRun(PlatformImpl.java:122)
    at org.sonar.server.platform.PlatformImpl$AutoStarterRunnable.run(PlatformImpl.java:354)
    at java.base/java.lang.Thread.run(Thread.java:829)
2021.10.06 14:32:55 INFO  web[][o.s.p.ProcessEntryPoint] Hard stopping process
2021.10.06 14:32:55 INFO  web[][o.s.s.n.NotificationDaemon] Notification service stopped

sephiroth-j commented 2 years ago

Maybe another approach is more effective. For example, uninstall the plugin, then delete references to the rules via SQL script and then reinstall the plugin in the current version.
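The startup logs quoted in this thread follow one pattern: a rule is disabled under one repository key, and the later quality-profile update fails on the same rule name under a different repository key. The script below is an added triage example, not part of the thread or of the plugin; the function name `triage` and the trimmed sample log are constructed for illustration, and the regular expressions only cover the two error messages quoted on this page.

```python
import re

# Constructed sample: lines trimmed from the web.log excerpts quoted in this thread.
SAMPLE_LOG = """\
2021.10.06 14:22:37 INFO  web[][o.s.s.r.RegisterRules] Disable rule findsecbugs-jsp:XSS_JSP_PRINT
2021.10.06 14:26:56 INFO  web[][o.s.s.q.RegisterQualityProfiles] Update profile scala/Sonar way
2021.10.06 14:26:56 INFO  web[][o.s.s.q.RegisterQualityProfiles] Update profile jsp/FindBugs Security JSP
2021.10.06 14:26:56 ERROR web[][o.s.s.p.Platform] Background initialization failed. Stopping SonarQube
org.sonar.server.exceptions.BadRequestException: Rule was removed: findsecbugs:XSS_JSP_PRINT
    at org.sonar.server.qualityprofile.RuleActivator.doActivate(RuleActivator.java:82)
"""

DISABLED = re.compile(r"\[o\.s\.s\.r\.RegisterRules\] Disable rule (\S+):(\S+)")
PROFILE = re.compile(r"\[o\.s\.s\.q\.RegisterQualityProfiles\] Update profile ([^/\s]+)/(.+)$")
FAILURES = (
    # Message form seen with SQ 9.1 in this thread
    re.compile(r"BadRequestException: Rule was removed: (\S+):(\S+)"),
    # Message form seen with SQ 8.9.2 in this thread
    re.compile(r"BadRequestException: \S+ rule (\S+):(\S+) cannot be activated on"),
)

def triage(log_text):
    """Return one finding per activation failure, linked to the profile being
    updated and to any 'Disable rule' line for the same rule name."""
    disabled = {}        # rule name -> set of repository keys it was disabled under
    last_profile = None  # (language, profile name) of the most recent profile update
    findings = []
    for line in log_text.splitlines():
        m = DISABLED.search(line)
        if m:
            disabled.setdefault(m.group(2), set()).add(m.group(1))
            continue
        m = PROFILE.search(line)
        if m:
            last_profile = (m.group(1), m.group(2).strip())
            continue
        for pattern in FAILURES:
            m = pattern.search(line)
            if m:
                repo, name = m.groups()
                others = sorted(disabled.get(name, set()) - {repo})
                findings.append({
                    "profile": last_profile,
                    "failed_key": f"{repo}:{name}",
                    "disabled_as": [f"{r}:{name}" for r in others],
                })
                break
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A non-empty `disabled_as` list means the failing key and the disabled key share a rule name but not a repository, which is the mismatch discussed in this issue.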

gtoison commented 2 years ago

Thank you for testing with SQ 9.1, @sephiroth-j. It looks like the inconsistent state of these rules is handled differently with the new version of the server, possibly as a result of the fix for SONAR-15240

Since it now considers that the rules are removed I've made a new pre-release on my forked repo where the plugin does not try to activate a rule if it is marked as disabled. It is available here: https://github.com/gtoison/sonar-findbugs/releases/tag/4.0.4.3 Hopefully the server should start, albeit without these JSP rules.

Sorry for the time this is taking, I'm not able to reproduce the issue and that makes things harder. I'm not sure if these rules can be deleted directly in the database, there are probably a lot of foreign keys preventing this

dm-ion commented 2 years ago

Hey @gtoison I just tried your patch on SQ 9.1 on a test server, got around the issue with booting.

The error I had previously was: org.sonar.server.exceptions.BadRequestException: Rule was removed: findsecbugs:XSS_JSP_PRINT

gtoison commented 2 years ago

Hello @dm-ion, thanks a lot for testing and reporting back, it's great news that the patch fixes the issue for SQ 9.1!

If someone affected by the issue and using SQ 8.9 could also test https://github.com/gtoison/sonar-findbugs/releases/tag/4.0.4.3 that would be great

sephiroth-j commented 2 years ago

Hello @gtoison, the plugin from https://github.com/gtoison/sonar-findbugs/releases/tag/4.0.4.3 works with SQ 8.9 - no startup errors! :) Just a side note: the displayed version of the plugin is "4.0.4.2" instead of "4.0.4.3".

Rules XSS_JSP_PRINT and XSS_REQUEST_PARAMETER_TO_JSP_WRITER are now located in the findsecbugs-jsp repository.

gtoison commented 2 years ago

Hello @sephiroth-j Thank you for testing and confirming that the patch solves the issue for SQ 8.9 too. I will work with the SpotBugs team to make a proper release. This might take some time though because the current maintainer is very busy.

gtoison commented 2 years ago

Reopening the issue until there's a proper release of the fix

gtoison commented 2 years ago

We have released version 4.0.5 with a fix for this bug: https://github.com/spotbugs/sonar-findbugs/releases/tag/4.0.5 It was submitted to the marketplace but not accepted yet (there seems to be a backlog for accepting new releases of plugins).