ERROR - No Xanitizer rule is set active in the used quality profile. Skipping analysis.
It should be a WARN rather than an ERROR, and it should appear IFF a Xanitizer report is provided.
14:32:30.465 INFO - Xanitizer: Skipping finding 10: SpecialMethodCall:JavaServletFindAndInclude
14:32:30.465 INFO - Xanitizer: Skipping finding 11: SpecialMethodCall:JavaServletFindAndInclude
14:32:30.465 INFO - Xanitizer: Skipping finding 12: SpecialMethodCall:JavaServletFindAndInclude
14:32:30.465 INFO - Xanitizer: Skipping finding 13: SpecialMethodCall:JavaServletFindAndInclude
14:32:30.466 INFO - Xanitizer: Skipping finding 14: SpecialMethodCall:JavaServletFindAndInclude
14:32:30.466 INFO - Xanitizer: Skipping finding 15: SpecialMethodCall:JavaServletFindAndInclude
14:38:26.403 INFO - Processing Xanitizer analysis results of 2016-07-01 10:42:25; findings: 912
INFO: ------------------------------------------------------------------------
INFO: EXECUTION FAILURE
INFO: ------------------------------------------------------------------------
Total time: 11.796s
Final Memory: 20M/634M
INFO: ------------------------------------------------------------------------
ERROR: Error during Sonar runner execution
org.sonar.runner.impl.RunnerException: Unable to execute Sonar
at org.sonar.runner.impl.BatchLauncher$1.delegateExecution(BatchLauncher.java:91)
at org.sonar.runner.impl.BatchLauncher$1.run(BatchLauncher.java:75)
...
Caused by: java.lang.NoSuchMethodError: org.sonar.plugins.java.api.JavaResourceLocator.findResourceByClassName(Ljava/lang/String;)Lorg/sonar/api/resources/Resource;
at com.rigsit.xanitizer.sqplugin.XanitizerSensor.mkInputFileOrNull(XanitizerSensor.java:417)
at com.rigsit.xanitizer.sqplugin.XanitizerSensor.generateTaintPathIssue(XanitizerSensor.java:302)
at com.rigsit.xanitizer.sqplugin.XanitizerSensor.generateIssuesForFinding(XanitizerSensor.java:190)
at com.rigsit.xanitizer.sqplugin.XanitizerSensor.createMeasures(XanitizerSensor.java:161)
at com.rigsit.xanitizer.sqplugin.XanitizerSensor.analyse(XanitizerSensor.java:144)
In looking more closely at your rules, I see that one of them is "Xanitizer Findbugs Finding". There is already a FindBugs plugin that will report issues raised by FindBugs far more granularly than this. It is a disservice to users to report in one conglomerate category the results of the nearly 450 FindBugs rules which are available granularly.
In fact, based on this rule and the "Xanitizer OWASP Dependency Check Findings" rule, it looks like Xanitizer is some sort of aggregation platform, and you're trying to further aggregate its combined findings into SonarQube? SonarQube is not (any longer) an aggregation platform.
Based on this and how highly generic your other four rules appear to be, it seems to me right now that this plugin is simply not compatible with the SonarQube ethos.
* You've named your profile "JAVA Xanitizer", but profiles are automatically displayed with the relevant language, e.g.
RulesProfile.create("Xanitizer", Java.KEY);
* Your docs say to configure the report location via the UI. My first assumption was that this was simply a crossed wire, so I configured it in the sonar-project.properties instead. And the report was not picked up.
--
You received this message because you are subscribed to a topic in the Google Groups "SonarQube" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/sonarqube/mXYKHLh1Luk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to sonarqube+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarqube/b11880ac-dee4-4d19-aa30-2394998c0a62%40googlegroups.com.
Fabrice BELLINGARD | SonarSource SonarQube & SonarLint Product Manager http://sonarsource.com |
Dear Fabrice,
as I mentioned above, it could be a little bit confusing if you have reviewed findings in Xanitizer and they vanish in SonarQube. But if you think that the potential redundancies are more confusing, then of course this is acceptable for us.
A little off topic: do you have any clue how to handle the NoSuchMethodError reported by Ann? Since it results from changes in the Java Plugin and is independent of the SonarQube version, what is a good strategy for a bugfix release? Or should we use java.lang.Object in this case and check it with instanceof?
But I'm still seeing:
* A log warning when no Xanitizer rules are enabled:
14:56:14.649 WARN - Xanitizer XML report file '/path/to/project/Xanitizer-Findings-List.xml' not found. Skipping analysis.
New stuff:
* The vast, vast majority of issues raised in the sample project (Webgoat) you provided were raised at project level. This is not acceptable, and what makes it doubly frustrating is that you appear in the messages to cite the files the issues should be attached to. SonarQube is about code quality. I.e. you must attach issues to the code.
I suspect this is because you associated all the rules with Java (pretty smart choice, since that plugin is included by default in a new install) and many of the files you're raising issues on are not .java files. The SonarQube Analyzer for Java team faced this same problem with some rules they added last year for certain xml files. You might want to take a closer look at how they tackled the issue.
* Issue messages should be imperative messages telling users how to fix the issue. What I'm looking at starts with a restatement of the rule title ("Log Injection") followed by what appears to be diagnostic information and the path to the relevant file. You should never need to include a file path in an issue message (see above) because the issue is attached to the file in question. In short, this is poor UX.
Further, the paths in these messages seem to have nothing to do with my project.
* I've finally found the file that corresponds to Password in config file (Xanitizer finding ID 3634) - /${INSTALL_DIR}/examples/webgoat/lessons/CrossSiteScripting/Login.jsp:26
And I see that line 26 of Login.jsp is this:
<input name="password" type="password" size="10" maxlength="8" />
And all I can say is... REALLY!?!
* So then I decided to take a look at where you actually raise issues in files. I ended up at Screen.java, which has 46 issues tagged "xanitizer". All 46 are raised on this line:
out.print(getContent());
That breaks down to 24 instances of "XSS Stored", 11 instances of "XSS Reflected", and 11 instances of "Privacy Leak".
I'm going to just walk away with my professionalism at this point.
No, not still. The last time you complained that the tool shows a warning when the rules are not active, even if no report file was provided. This time it is the other way around. ;)
But since this could never happen again (because of the given default of the property), we could of course switch the logic of the check again.
The problem is that many issues occur in code that is generated by Xanitizer itself (to simulate the behaviour of Web Frameworks) and that these files do not have a representation in the "real" code of the project. We thought it would be better to create these issues on project level together with their file path than to simply skip the issue, so that the user knows at least that there IS a problem, even if it could not be displayed in SonarQube.
We could change this and only generate issues that could be matched to files if this is important to you. But I hope you can see my point.
For all other (non-Java) resources I will check the Java plugin.
Last but not least: your plugin must be aligned with the goal of the SonarQube platform: management of the technical debt and the quality of the code
- To be more precise: every feature of SonarQube is tied to the code, so if your plugin provides data that can't be attached to a source or a test file, then there are chances that your plugin won't be accepted in the Update Center
Writing imperative messages for a security vulnerability that always match would be nearly impossible. Sure, some things are simple, but in general, it is not. And a message like "Check this variable for forbidden characters" is not helpful and additionally, in most cases, not done at the location of the issue. It is simply different from coding style rules and so on.
> Further, the paths in these messages seem to have nothing to do with my project.
Not a surprise, since they are parsed from the report, which was generated on MY machine. ;)
For Java classes, this is not a problem, because they are identified by their class name. But for other resources there is no chance.
> * I've finally found the file that corresponds to Password in config file (Xanitizer finding ID 3634) - /${INSTALL_DIR}/examples/webgoat/lessons/CrossSiteScripting/Login.jsp:26
> And I see that line 26 of Login.jsp is this:
> <input name="password" type="password" size="10" maxlength="8" />
> And all I can say is... REALLY!?!
A false positive that is matched by a regex. Could happen, don't you think so?
Xanitizer is doing a taint path analysis, and a security vulnerability is a path of the tainted data through the system. But representing paths in SonarQube is not possible.
So we had to decide where to raise the issue. Should it be the starting point of the path (i.e. the taint source) or the ending point (i.e. the taint sink)? We decided on the taint sink, because this is the location where the tainted data might cause harm.
So of course there could be several issues at the same location - these are paths with the same end but different starting points. In the prior version, the message additionally contained the location of the starting point, so that the issues could be distinguished, but we have removed that (no file paths in the message...).
I already wondered why I got a mail, but couldn't find anything in the thread ;)
Thank you for your feedback! Even if we sometimes have different opinions, I appreciate it very much!
To make it short, I can see your points, even if some of them have nothing to do with the plugin itself, because they simply result from the output of the Xanitizer main tool.
<snip>
The last problem that I am facing now is the XML resources and rules. If the XML plugin is available, everything works fine. But if not, the XML files are not contained in the FileSystem and the XML rules cannot be enabled. Is this the designed/desired behaviour, or is there a way to check these files even if the language plugin is not installed?
I'm not sure I'm remembering correctly, but it seems that if I open a Closeable, your tool flags where it's opened and each spot in the code where control flow loses access to the resource to be able to close it.
Assuming you can stitch together in the plugin that all of those issues go together, I'd raise the one on the open, and filter out the rest. Or even better, feed them into the primary issue (the one raised when the resource is opened) as secondary locations. THAT would be a great service to the user!
We had the same problem in the Java plugin when we wanted to check Java-related, non-.java files. Here's how we addressed it. It would seem perfectly reasonable to me to have similar advice in your docs. In fact, the first time I tested your plugin, I turned on "Import unknown files" to see if the results would get any better.
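The suggestion above (raise one primary issue and attach the related findings as secondary locations) also answers the earlier point that several taint paths can end at the same sink and become indistinguishable once the source path is dropped from the message. The sketch below is an added example written for this edit, not code from the Xanitizer plugin or from SonarSource. It assumes sonar-plugin-api 5.2 or later (which added NewIssue.addLocation and InputFile.selectLine), that the plugin has already resolved each path's source and sink to InputFile objects (null when no file in the project matches, as with framework code Xanitizer generates), that the rule repository key is "xanitizer", and that the TaintPath class is a hypothetical shape for one parsed finding; none of those names come from the thread.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.sonar.api.batch.fs.InputFile;
import org.sonar.api.batch.sensor.SensorContext;
import org.sonar.api.batch.sensor.issue.NewIssue;
import org.sonar.api.batch.sensor.issue.NewIssueLocation;
import org.sonar.api.rule.RuleKey;

/**
 * One taint path from the report, already resolved to project files.
 * Hypothetical shape: the thread does not show the report format.
 */
final class TaintPath {
    final String ruleKey;        // rule the path violates, e.g. "XSSStored" (assumed key)
    final InputFile sourceFile;  // where tainted data enters; null if unmapped
    final int sourceLine;
    final InputFile sinkFile;    // where tainted data may cause harm; null if unmapped
    final int sinkLine;

    TaintPath(String ruleKey, InputFile sourceFile, int sourceLine,
              InputFile sinkFile, int sinkLine) {
        this.ruleKey = ruleKey;
        this.sourceFile = sourceFile;
        this.sourceLine = sourceLine;
        this.sinkFile = sinkFile;
        this.sinkLine = sinkLine;
    }

    /** Paths with the same rule and the same sink collapse into one issue. */
    String sinkKey() {
        return ruleKey + "|" + sinkFile.key() + "|" + sinkLine;
    }
}

final class TaintPathIssues {
    private static final String REPOSITORY_KEY = "xanitizer"; // assumed repository key

    private TaintPathIssues() {
    }

    /**
     * Raises one issue per distinct (rule, sink) instead of one per path.
     * The primary location is the sink; every contributing taint source
     * becomes a secondary location, so the paths stay distinguishable in
     * the UI without putting file paths into the message.
     * Paths whose sink has no file in the project are skipped here
     * (the caller decides whether to report those at project level).
     * Returns the number of issues saved.
     */
    static int raise(SensorContext context, List<TaintPath> paths) {
        Map<String, List<TaintPath>> bySink = new LinkedHashMap<>();
        for (TaintPath path : paths) {
            if (path.sinkFile == null) {
                continue; // cannot be attached to code; not an issue on a file
            }
            bySink.computeIfAbsent(path.sinkKey(), k -> new ArrayList<>()).add(path);
        }

        int saved = 0;
        for (List<TaintPath> group : bySink.values()) {
            TaintPath first = group.get(0);
            NewIssue issue = context.newIssue()
                .forRule(RuleKey.of(REPOSITORY_KEY, first.ruleKey));

            NewIssueLocation sink = issue.newLocation()
                .on(first.sinkFile)
                .at(first.sinkFile.selectLine(first.sinkLine))
                .message("Sanitize or encode the tainted data before it reaches this sink ("
                    + group.size() + " tainted path(s) end here)");
            issue.at(sink);

            // One secondary location per source that could be mapped to a file.
            for (TaintPath path : group) {
                if (path.sourceFile == null) {
                    continue; // e.g. generated framework code: counted above, not located
                }
                issue.addLocation(issue.newLocation()
                    .on(path.sourceFile)
                    .at(path.sourceFile.selectLine(path.sourceLine))
                    .message("Tainted data enters here"));
            }
            issue.save();
            saved++;
        }
        return saved;
    }
}
```

Applied to the Screen.java case described earlier, the 46 issues on `out.print(getContent());` would collapse to one issue per rule on that line (three here), each carrying its sources as secondary locations. `selectLine` highlights the whole line; if the report carries column offsets, `InputFile.newRange` can narrow the range instead.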
This review iteration was definitely a much more pleasant experience! I've added the plugin to the update center. :-D
As a reminder, future plugin releases will need to go through a Request For Feedback (RFF) period.
* When I turned on unknown file import I got the same number of issues as without it. Was that expected?
Hm, did you have the XML plugin installed?
Altogether, there should be 180 issues, with 5 of them in non-Java files (4 in WEB-INF/web.xml and 1 in WEB-INF/server-config.wsdd). Do you get only 175 issues or 180 issues, even without unknown files?
Could you please check the sonar-project.properties file of the sample project? In the uploaded version, sonar.sources is set to 'WEB-INF/classes'. To additionally collect the non-Java files it has to be set to '.'.
Hi Norman,
Can I guess that you've reverted the jar by now? Anyway, download works for me.
Strictly speaking, though, you shouldn't be making changes to a released version. Those changes should be in a new version. (A point release would be fine here.)
Ann
On Tue, Sep 13, 2016 at 6:52 PM, Norman Wenzel <normanwe...@gmail.com> wrote:
Dear Ann,
I think I have done something really stupid... I have updated the pom file to add the information in the manifest that is used in the update center and then rebuilt the plugin. The idea was to simply replace the jar file of the release, but now I am getting "Error while downloading plugin 'xanitizer' with version '1.3.2'. No compatible plugin found." when I try to install the plugin. The same message occurs if I reuse the original jar file.
What can be done? Please help!
Norman