Black Duck Vulnerability Maven Integration - StackOverflowErrors


Jonathan Graham

Jul 23, 2015, 8:39:08 AM
to Black Duck Vulnerability Report

Hi,

When I attempt to use the Black Duck Vulnerability Maven Integration in a test Jenkins job, I get StackOverflowErrors (see attached).

The job compiles the Java code OK when I turn off the Black Duck integration. This is the first time I have attempted to use the plugin.

Dummy job's config file attached.

Software Used

Jenkins 1.611
JDK 1.8 u05
Maven 3.2.5
Subversion

The proxy has been configured in Jenkins and I have followed the configuration steps in https://wiki.jenkins-ci.org/display/JENKINS/Black+Duck+Open+Source+Vulnerability+Plugin

How do I perform a stack trace on this to provide you with more information?

Thanks
log.txt
config.xml

Ken Smith

Jul 23, 2015, 9:21:06 AM
to Black Duck Vulnerability Report, jonat...@gmail.com
You could try increasing the stack size as a first step. Add -Xss=4m to the Jenkins Java Arguments to increase to 4 meg. Default is 1 meg on Linux 64-bit.

Kaj Kandler

Jul 23, 2015, 10:10:09 AM
to Black Duck Vulnerability Report, jonat...@gmail.com
Thanks Jonathan,
for a detailed bug report. I suspect that there is a fatal interaction with the Subversion plugin.

Can you share which version of the Vulnerability Plugin you are using?

Thanks

Kaj

Jonathan Graham

Jul 23, 2015, 10:13:18 AM
to Black Duck Vulnerability Report, kas...@gmail.com
Hi Ken

My Jenkins server is running as a Windows service on a Windows Server 2012 R2 box.

I updated the Jenkins.xml to use -Xss2048k and then -Xss4096k but neither had any impact on the stack overflow.

I restarted the Jenkins Windows service on both occasions.

Jonathan Graham

Jul 23, 2015, 10:23:08 AM
to Black Duck Vulnerability Report, confic...@gmail.com
Hi Kaj

Yes, I am using 1.1.3

I am using version 2.4.5 of the Subversion Plug-in.

Thanks

James Richard

Jul 23, 2015, 12:15:47 PM
to Black Duck Vulnerability Report, confic...@gmail.com, jonat...@gmail.com
Hey Jonathan,

Seems that this loop was introduced in the Subversion plugin in version 1.52. Using 1.51 and older should resolve this issue. We will look into finding a solution and we will raise the issue with the Subversion plugin developers as well. Sorry for the inconvenience.

James Richard

Jul 23, 2015, 5:35:28 PM
to Black Duck Vulnerability Report, confic...@gmail.com, jonat...@gmail.com, jamesri...@gmail.com
We have adjusted our Plugin to deal with this issue. It will be included in the next Release.

Jonathan Graham

Jul 24, 2015, 5:10:55 AM
to Black Duck Vulnerability Report, confic...@gmail.com, jamesri...@gmail.com
Hi Richard

My Subversion plugin is sitting on 2.4.5 with the option to upgrade to 2.5.1 in the Jenkins update center. Would my issue still be related to a loop?

Thanks

James Richard

Jul 24, 2015, 9:37:09 AM
to Black Duck Vulnerability Report, confic...@gmail.com, jonat...@gmail.com
Yes, but like I said, this will no longer be an issue in the next release. In the meantime, it seems you won't be able to run a Job that is configured with both the Subversion plugin and our Vulnerability plugin.

As a temporary workaround, you can configure a job with the Subversion plugin to pull the project into the workspace. Then you would have to remove the Subversion plugin configuration from that Job and configure it to run the Maven build and the Black Duck Vulnerability Maven Integration.

I apologize for the temporary inconvenience!

James Richard

Aug 4, 2015, 1:21:21 PM
to Black Duck Vulnerability Report, confic...@gmail.com, jamesri...@gmail.com
We released a new version of the Black Duck Vulnerability Plugin today. It is version 1.1.4. It should fix the issue between our plugin and Subversion. Thank you for your patience.

Jonathan Graham

Aug 25, 2015, 6:05:45 AM
to Black Duck Vulnerability Report, confic...@gmail.com, jamesri...@gmail.com
It did indeed Richard, thanks.

I am now getting the message below during my builds. Any thoughts on what I may be doing wrong? I am running a Maven compile goal and the Black Duck plugin is set to pick up compile goals.

ERROR: [ERROR] This Wrapper should only be run with a Maven Builder
ERROR: [ERROR] Will not run the Black Duck Vulnerability Report plugin



Kaj Kandler

Aug 25, 2015, 8:22:20 AM
to Black Duck Vulnerability Report, confic...@gmail.com, jamesri...@gmail.com
Hi Jonathan,
how do you run your Maven build? Do you run it as an "Invoke top level maven targets" or a "maven job type"?

Kaj

Jonathan Graham

Aug 28, 2015, 4:57:50 AM
to Black Duck Vulnerability Report, confic...@gmail.com, jamesri...@gmail.com
Hi Kaj

I am using an Artifactory server and need to use "Invoke Maven 3" to ensure Artifactory runs smoothly with my job.

I have just updated the job to use "Invoke top level maven targets" as per the Black Duck plugin instructions but I would be unsure of the negative impact this may have on a real Jenkins job which is already using "Invoke Maven 3".

Using "Invoke top level maven targets" on the test job allows it to build but with one error...

"ERROR: [ERROR] The build-info.json file does not exist at : xxxxxxxxxxxxxx\workspace\build-info.json"

I think that may be a problem with using the different build step but still attempting to use Artifactory for the library management.

Thanks

Kaj Kandler

Aug 28, 2015, 7:47:51 AM
to Black Duck Vulnerability Report, confic...@gmail.com, jamesri...@gmail.com
Hi Jonathan,
there are two issues here. We are not supporting the interaction with the Artifactory plugin. We are wrapping the mvn run with some instrumentation to get the information that we need. And we have not yet found a way to do that with the Artifactory plugin. We might take another look.

That said, you should not see the error message that you are seeing. Would it be possible to post the console output for the plugin?

Kind regards,
--Kaj

Jonathan Graham

Sep 10, 2015, 3:43:24 AM
to Black Duck Vulnerability Report, confic...@gmail.com, jamesri...@gmail.com
Here you go Kaj. Maybe it is related to "ERROR: [ERROR] Unsupported version of Maven. Maven version: unknown"

Started by user Jonathan Graham
[EnvInject] - Loading node environment variables.
Building in workspace E:\Jenkins\jobs\BlackDuckTest\workspace

Deleting project workspace... done

Cleaning local Directory .
Checking out http://xxxxxxxxx/javalibraries/trunk/LDAPAccess at revision '2015-09-10T08:37:32.443 +0100'
A         Src
A         Src\LDAPAccess
A         Src\LDAPAccess\test
A         Src\LDAPAccess\test\com
A         Src\LDAPAccess\test\com\almac
A         Src\LDAPAccess\test\com\almac\ldapaccess
A         Src\LDAPAccess\test\com\almac\ldapaccess\TestLDAPAuthenticationHelper.java
A         Src\LDAPAccess\test\com\almac\ldapaccess\TestLDAPUtilityCreateADAMContainers.java
A         Src\LDAPAccess\test\com\almac\ldapaccess\TestAdamUtility.java
A         Src\LDAPAccess\test\com\almac\ldapaccess\TestLDAPUlity.java
A         Src\LDAPAccess\test\com\almac\ldapaccess\TestADAMUtilsCreateContainers.java
A         Src\LDAPAccess\test\com\almac\ldapaccess\TestUser.java
A         Src\LDAPAccess\lib
AU        Src\LDAPAccess\lib\junit.jar
AU        Src\LDAPAccess\lib\log4j-1.2.15.jar
A         Src\LDAPAccess\src
A         Src\LDAPAccess\src\com
A         Src\LDAPAccess\src\com\almac
A         Src\LDAPAccess\src\com\almac\ldapaccess
A         Src\LDAPAccess\src\com\almac\ldapaccess\LDAPAuthenticationHelper.java
A         Src\LDAPAccess\src\com\almac\ldapaccess\ADAMUser.java
A         Src\LDAPAccess\src\com\almac\ldapaccess\LDAPAccessException.java
A         Src\LDAPAccess\src\com\almac\ldapaccess\ADAMUtililty.java
A         Src\LDAPAccess\src\com\almac\ldapaccess\LDAPUtility.java
A         Src\LDAPAccess\src\com\almac\ldapaccess\ILDAPUser.java
A         Src\LDAPAccess\src\com\almac\ldapaccess\BaseUser.java
A         Src\LDAPAccess\src\com\almac\ldapaccess\TestUser.java
A         Src\LDAPAccess\LDAPAccessJar.deploy
A         Src\LDAPAccess\LDAPAccess.jpr
A         Src\LDAPAccess\deploy
AU        Src\LDAPAccess\deploy\LDAPAccess.jar
A         Docs
A         Docs\readme.txt
A         pom.xml
 U        .
At revision 178
no change for http://xxxxxxxxx/javalibraries/trunk/LDAPAccess since the previous build
[INFO] Build Recorder enabled
[INFO] Black Duck Vulnerability Report plugin version : 1.1.4
ERROR: [ERROR] Unsupported version of Maven. Maven version: unknown
[workspace] $ cmd.exe /C '"mvn.bat -f pom.xml compile clean install -V && exit %%ERRORLEVEL%%"'
Apache Maven 3.2.5 (12a6b3acb947671f09b81f49094c53f426d8cea1; 2014-12-14T17:29:23+00:00)
Maven home: E:\Maven
Java version: 1.6.0_45, vendor: Sun Microsystems Inc.
Java home: E:\Program Files (x86)\Java\jdk1.6.0_45\jre
Default locale: en_GB, platform encoding: Cp1252
OS name: "windows server 2012", version: "6.2", arch: "amd64", family: "windows"
[INFO] Scanning for projects...
[INFO]                                                                         
[INFO] ------------------------------------------------------------------------
[INFO] Building LDAPAccess 1.2.0
[INFO] ------------------------------------------------------------------------
[INFO] 
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ LDAPAccess ---
[WARNING] Using platform encoding (Cp1252 actually) to copy filtered resources, i.e. build is platform dependent!
[INFO] skip non existing resourceDirectory E:\Jenkins\jobs\BlackDuckTest\workspace\src\main\resources
[INFO] 
[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ LDAPAccess ---
[INFO] Changes detected - recompiling the module!
[WARNING] File encoding has not been set, using platform encoding Cp1252, i.e. build is platform dependent!
[INFO] Compiling 8 source files to E:\Jenkins\jobs\BlackDuckTest\workspace\target\classes
[WARNING] Note: Some input files use unchecked or unsafe operations.
[WARNING] Note: Recompile with -Xlint:unchecked for details.
[INFO] 
[INFO] --- maven-clean-plugin:2.5:clean (default-clean) @ LDAPAccess ---
[INFO] Deleting E:\Jenkins\jobs\BlackDuckTest\workspace\target
[INFO] 
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ LDAPAccess ---
[WARNING] Using platform encoding (Cp1252 actually) to copy filtered resources, i.e. build is platform dependent!
[INFO] skip non existing resourceDirectory E:\Jenkins\jobs\BlackDuckTest\workspace\src\main\resources
[INFO] 
[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ LDAPAccess ---
[INFO] Changes detected - recompiling the module!
[WARNING] File encoding has not been set, using platform encoding Cp1252, i.e. build is platform dependent!
[INFO] Compiling 8 source files to E:\Jenkins\jobs\BlackDuckTest\workspace\target\classes
[WARNING] Note: Some input files use unchecked or unsafe operations.
[WARNING] Note: Recompile with -Xlint:unchecked for details.
[INFO] 
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ LDAPAccess ---
[WARNING] Using platform encoding (Cp1252 actually) to copy filtered resources, i.e. build is platform dependent!
[INFO] skip non existing resourceDirectory E:\Jenkins\jobs\BlackDuckTest\workspace\src\test\resources
[INFO] 
[INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ LDAPAccess ---
[INFO] No sources to compile
[INFO] 
[INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ LDAPAccess ---
[INFO] No tests to run.
[INFO] 
[INFO] --- maven-jar-plugin:2.4:jar (default-jar) @ LDAPAccess ---
[INFO] Building jar: E:\Jenkins\jobs\BlackDuckTest\workspace\target\LDAPAccess-1.2.0.jar
[INFO] 
[INFO] --- maven-install-plugin:2.4:install (default-install) @ LDAPAccess ---
[INFO] Installing E:\Jenkins\jobs\BlackDuckTest\workspace\target\LDAPAccess-1.2.0.jar to C:\Users\build\.m2\repository\almac\javalibraries\LDAPAccess\1.2.0\LDAPAccess-1.2.0.jar
[INFO] Installing E:\Jenkins\jobs\BlackDuckTest\workspace\pom.xml to C:\Users\build\.m2\repository\almac\javalibraries\LDAPAccess\1.2.0\LDAPAccess-1.2.0.pom
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 17.610 s
[INFO] Finished at: 2015-09-10T08:38:01+01:00
[INFO] Final Memory: 11M/247M
[INFO] ------------------------------------------------------------------------
ERROR: [ERROR] The build-info.json file does not exist at : E:\Jenkins\jobs\BlackDuckTest\workspace\build-info.json
Finished: UNSTABLE

Kaj Kandler

Sep 10, 2015, 8:42:19 AM
to bdo...@googlegroups.com, confic...@gmail.com, jamesri...@gmail.com
Hi Jonathan,
there are two issues. Version 1.1.4 is fatally flawed, so upgrade to 1.1.5 please.

The second is the unknown Maven version. Are you specifying your Maven version for the job? You should always do so, as a matter of best practice. You have to specify the version of Maven for this plugin to work. Unfortunately Maven chose to make package changes that are incompatible and we need to know which version of Maven runs, and Jenkins can't tell us if it does not control the Maven program (version).

Kaj
P.S.: Thanks for being so diligent

James Richard

Sep 10, 2015, 10:08:46 AM
to Black Duck Vulnerability Report, confic...@gmail.com, jamesri...@gmail.com
Hey Jonathan,
You are seeing this error because you are using the Artifactory "Invoke Maven 3". Like previously stated, we do not support interaction with the Artifactory plugin. The Vulnerability Maven integration is designed to work with the "Invoke top-level maven targets" step in a Free-Style job and with Maven Project jobs.

Since you are using the Artifactory "Invoke Maven 3", we cannot wrap the Maven process in order to build the list of dependencies/transitive dependencies.

That is why you are seeing the errors:

ERROR: [ERROR] Unsupported version of Maven. Maven version: unknown
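
A fail-closed check for the situation this thread ends on, where Maven reports BUILD SUCCESS while the vulnerability report never ran. This is an added example, not code from the thread or from the plugin; the function name, the short labels and the trimmed sample log are assumptions, and the message strings are the ones quoted in the posts above.

```python
import re

# Plugin messages quoted verbatim in the thread, with hypothetical short labels.
KNOWN_ERRORS = {
    "This Wrapper should only be run with a Maven Builder": "wrong_builder",
    "Will not run the Black Duck Vulnerability Report plugin": "report_skipped",
    "Unsupported version of Maven": "maven_version_unknown",
    "The build-info.json file does not exist": "build_info_missing",
}
BANNER_RE = re.compile(r"Black Duck Vulnerability Report plugin version : (\S+)")
ERROR_RE = re.compile(r"^ERROR: \[ERROR\] (.*)$")


def audit_console(text):
    """Decide whether a Jenkins console log shows a completed dependency report."""
    version, labels, maven_ok = None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        banner = BANNER_RE.search(line)
        if banner:
            version = banner.group(1)
        if line == "[INFO] BUILD SUCCESS":
            maven_ok = True
        err = ERROR_RE.match(line)
        if err:
            labels += [lab for msg, lab in KNOWN_ERRORS.items() if msg in err.group(1)]
    return {
        "plugin_version": version,
        "maven_build_ok": maven_ok,
        "errors": labels,
        # Fail closed: a log with no plugin banner was never scanned either.
        "report_trusted": version is not None and not labels,
    }


# Constructed sample: lines trimmed from the console output posted in the thread.
SAMPLE = r"""[INFO] Build Recorder enabled
[INFO] Black Duck Vulnerability Report plugin version : 1.1.4
ERROR: [ERROR] Unsupported version of Maven. Maven version: unknown
[INFO] BUILD SUCCESS
ERROR: [ERROR] The build-info.json file does not exist at : E:\Jenkins\jobs\BlackDuckTest\workspace\build-info.json
Finished: UNSTABLE
"""

if __name__ == "__main__":
    print(audit_console(SAMPLE))
```

Run it over the saved console text of each job that is expected to produce a report, and treat `report_trusted == False` as "dependencies not scanned" regardless of the Maven result.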
