Scan failures (java)

I have a large Java-based project which supports builds in Maven & Gradle (we are moving from one to the other).

I noticed scans are failing. The first issue was due to Java 11, so I have set that in the .lift.toml. Still remaining, I have these observations:

A) ErrorProne

This is failing with entries like:

Running V2 API tools

Running Error Prone

Capture:

Failed when invoking process

Error Prone complete in 15.526095292s

ErrorProne_JDK11 tool error: Capture:

Execution Failed: Script "javac -J-classpath -J/opt/errorprone-jars/error_prone_core-2.3.3-with-dependencies.jar:/opt/errorprone-jars/dataflow-2.5.7.jar:/opt/errorprone-jars/javacutil-2.5.7.jar:/opt/errorprone-jars/jFormatString-3.0.0.jar:/opt/errorprone-jars/guava.jar -XDcompilePolicy=simple -processorpath /opt/errorprone-jars/error_prone_core-2.3.3-with-dependencies.jar:/opt/errorprone-jars/dataflow-2.5.7.jar:/opt/errorprone-jars/javacutil-2.5.7.jar:/opt/errorprone-jars/jFormatString-3.0.0.jar -Xplugin:ErrorProne -XepAllErrorsAsWarnings -XepDisableAllChecks-Xep:AndroidInjectionBeforeSuper:WARN-Xep:ArrayEquals:WARN-Xep:ArrayFillIncompatibleType:WARN-Xep:ArrayHashCode:WARN-Xep:ArrayToString:WARN-Xep:ArraysAsListPrimitiveArray:WARN-Xep:AsyncCallableReturnsNull:WARN-Xep:AsyncFunctionReturnsNull:WARN-Xep:AutoValueConstructorOrderChecker:WARN-Xep:BadShiftAmount:WARN-Xep:BundleDeserializationCast:WARN-Xep:ChainingConstructorIgnoresParameter:WARN-Xep:CheckReturnValue:WARN-Xep:CollectionIncompatibleType:WARN-Xep:CollectionToArraySafeParameter:WARN-Xep:ComparableType:WARN-Xep:ComparingThisWithNull:WARN-Xep:ComparisonOutOfRange:WARN-Xep:CompatibleWithAnnotationMisuse:WARN-Xep:ConditionalExpressionNumericPromotion:WARN-Xep:ConstantOverflow:WARN-Xep:DaggerProvidesNull:WARN-Xep:DeadException:WARN-Xep:DeadThread:WARN-Xep:DiscardedPostfixExpression:WARN-Xep:DoNotCall:WARN-Xep:DuplicateMapKeys:WARN-Xep:DurationFrom:WARN-Xep:DurationGetTemporalUnit:WARN-Xep:DurationToLongTimeUnit:WARN-Xep:EqualsHashCode:WARN-Xep:EqualsNaN:WARN-Xep:EqualsReference:WARN-Xep:EqualsWrongThing:WARN-Xep:ForOverride:WARN-Xep:FormatString:WARN-Xep:FormatStringAnnotation:WARN-Xep:FunctionalInterfaceMethodChanged:WARN-Xep:FuturesGetCheckedIllegalExceptionType:WARN-Xep:GetClassOnAnnotation:WARN-Xep:GetClassOnClass:WARN-Xep:GuardedBy:WARN-Xep:GuiceAssistedInjectScoping:WARN-Xep:GuiceAssistedParameters:WARN-Xep:GuiceInjectOnFinalField:WARN-Xep:HashtableContains:WARN-Xep:IdentityBinaryExpression:WARN-Xep:Immutable:WARN-Xep:ImmutableModification:WARN-Xep:IncompatibleArgumentType:WARN-Xep:IndexOfChar:WARN-Xep:InexactVarargsConditional:WARN-Xep:InfiniteRecursion:WARN-Xep:InjectMoreThanOneScopeAnnotationOnClass:WARN-Xep:InjectOnMemberAndConstructor:WARN-Xep:InvalidPatternSyntax:WARN-Xep:InvalidTimeZoneID:WARN-Xep:InvalidZoneId:WARN-Xep:IsInstanceOfClass:WARN-Xep:IsLoggableTagLength:WARN-Xep:JUnit3TestNotRun:WARN-Xep:JUnit4ClassAnnotationNonStatic:WARN-Xep:JUnit4SetUpNotRun:WARN-Xep:JUnit4TearDownNotRun:WARN-Xep:JUnit4TestNotRun:WARN-Xep:JUnitAssertSameCheck:WARN-Xep:JavaxInjectOnAbstractMethod:WARN-Xep:JodaToSelf:WARN-Xep:LiteByteStringUtf8:WARN-Xep:LoopConditionChecker:WARN-Xep:MathRoundIntLong:WARN-Xep:MislabeledAndroidString:WARN-Xep:MissingSuperCall:WARN-Xep:MissingTestCall:WARN-Xep:MisusedWeekYear:WARN-Xep:MockitoCast:WARN-Xep:MockitoUsage:WARN-Xep:ModifyingCollectionWithItself:WARN-Xep:MoreThanOneInjectableConstructor:WARN-Xep:MustBeClosedChecker:WARN-Xep:NCopiesOfChar:WARN-Xep:NonCanonicalStaticImport:WARN-Xep:NonFinalCompileTimeConstant:WARN-Xep:NonRuntimeAnnotation:WARN-Xep:NullTernary:WARN-Xep:OptionalEquality:WARN-Xep:OverlappingQualifierAndScopeAnnotation:WARN-Xep:OverridesJavaxInjectableMethod:WARN-Xep:PackageInfo:WARN-Xep:ParcelableCreator:WARN-Xep:PeriodFrom:WARN-Xep:PeriodGetTemporalUnit:WARN-Xep:PeriodTimeMath:WARN-Xep:PreconditionsCheckNotNull:WARN-Xep:PreconditionsCheckNotNullPrimitive:WARN-Xep:PredicateIncompatibleType:WARN-Xep:PrivateSecurityContractProtoAccess:WARN-Xep:ProtoFieldNullComparison:WARN-Xep:ProtoStringFieldReferenceEquality:WARN-Xep:ProtoTruthMixedDescriptors:WARN-Xep:ProtocolBufferOrdinal:WARN-Xep:ProvidesMethodOutsideOfModule:WARN-Xep:RandomCast:WARN-Xep:RandomModInteger:WARN-Xep:RectIntersectReturnValueIgnored:WARN-Xep:RefersToDaggerCodegen:WARN-Xep:ReturnValueIgnored:WARN-Xep:SelfAssignment:WARN-Xep:SelfComparison:WARN-Xep:SelfEquals:WARN-Xep:ShouldHaveEvenArgs:WARN-Xep:SizeGreaterThanOrEqualsZero:WARN-Xep:StreamToString:WARN-Xep:StringBuilderInitWithChar:WARN-Xep:SubstringOfZero:WARN-Xep:SuppressWarningsDeprecated:WARN-Xep:TemporalAccessorGetChronoField:WARN-Xep:ThrowIfUncheckedKnownChecked:WARN-Xep:ThrowNull:WARN-Xep:TruthSelfEquals:WARN-Xep:TryFailThrowable:WARN-Xep:TypeParameterQualifier:WARN-Xep:UnnecessaryTypeArgument:WARN-Xep:UnusedAnonymousClass:WARN-Xep:UnusedCollectionModifiedInPlace:WARN-Xep:VarTypeName:WARN -cp /tmp/analyzing-504ed5fdc12649a8/open-metadata-test/open-metadata-ut/target/classes:/root/.m2/repository/com/fasterxml/jackson/core/jackson-annotations/2.13.0/jackson-annotations-2.13.0.jar:/tmp/analyzing-504ed5fdc12649a8/open-metadata-implementation/frameworks/audit-log-framework/target/audit-log-framework-3.3-SNAPSHOT.jar:/root/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.13.0/jackson-core-2.13.0.jar:/root/.m2/repository/org/slf4j/slf4j-api/1.7.32/slf4j-api-1.7.32.jar:/tmp/analyzing-504ed5fdc12649a8/open-metadata-implementation/frameworks/open-connector-framework/target/open-connector-framework-3.3-SNAPSHOT.jar:/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.13.0/jackson-databind-2.13.0.jar:/root/.m2/repository/com/beust/jcommander/1.78/jcommander-1.78.jar:/root/.m2/repository/org/testng/testng/7.4.0/testng-7.4.0.jar:/root/.m2/repository/org/webjars/jquery/3.5.1/jquery-3.5.1.jar:/root/.m2/repository/org/slf4j/slf4j-simple/1.7.32/slf4j-simple-1.7.32.jar -d /tmp/analyzing-504ed5fdc12649a8/open-metadata-test/open-metadata-ut/target/classes --release 11 /tmp/analyzing-504ed5fdc12649a8/open-metadata-test/open-metadata-ut/src/main/java/org/odpi/openmetadata/test/unittest/utilities/BeanTestBase.java /tmp/analyzing-504ed5fdc12649a8/open-metadata-test/open-metadata-ut/src/main/java/org/odpi/openmetadata/test/unittest/utilities/ExceptionMessageSetTest.java /tmp/analyzing-504ed5fdc12649a8/open-metadata-test/open-metadata-ut/src/main/java/org/odpi/openmetadata/test/unittest/utilities/MessageSetTest.java /tmp/analyzing-504ed5fdc12649a8/open-metadata-test/open-metadata-ut/src/main/java/org/odpi/openmetadata/test/unittest/utilities/OCFCheckedExceptionBasedTest.java /tmp/analyzing-504ed5fdc12649a8/open-metadata-test/open-metadata-ut/src/main/java/org/odpi/openmetadata/test/unittest/utilities/AuditLogMessageSetTest.java" exited with code 4.

This is a rather cumbersome command line. I’ve not used Error Prone much manually - we could add a profile to Maven, but haven’t so far. Also worth noting we do use Lombok in a few areas -

B) findsecbugs

I’ve run this tool before, but when Lift invokes it I see lots of entries like:

Running V3 API (build-based) tools
Running FindSecBugs
Standard error: 
Called: ['/opt/findsecbugs/findsecbugs.sh', '-low', '-xml:withMessages', '-output', './findsecbugs-out/report.xml', '/tmp/analyzing-504ed5fdc12649a8/open-metadata-implementation/frameworks/audit-log-framework/target/classes']
SLF4J: No SLF4J providers were found.
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#noProviders for further details.

Now I am very aware of the requirement for SLF4J bindings - i.e. one and only one. I am unsure though whether this will affect the scan or not, and if it does, how to fix it.

C) OSS Vulnerabilities

We get the output of this scan when our artifacts are released via oss.sonatype.org (for Maven Central publishing), but within our triggered builds I just see

Running V1 API (bulk) tools

Running Open Source Vulnerabilities

Sanitizing repository

Analysis failed in 2m49s

it’s not clear WHY this failed…

Any tips?
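As an added example (not from the poster's project or from Lift), a small Python parser for the "Execution Failed: Script ..." entry quoted under point A: it splits the captured javac command into its Error Prone flags, processor path, classpath and source files, so you can see exactly what the scan compiled and whether Lombok is on the explicit -processorpath (once javac is given -processorpath, it discovers annotation processors only there, not on -cp). The log text is a constructed, shortened stand-in; the lombok jar on -cp is an assumption for illustration, not taken from the post.

```python
import re
import shlex

# Constructed, shortened stand-in for the Lift entry quoted above; the lombok jar on -cp is assumed, not from the post.
SAMPLE_LOG = (
    'Execution Failed: Script "javac -J-classpath -J/opt/errorprone-jars/guava.jar '
    '-XDcompilePolicy=simple -processorpath /opt/errorprone-jars/error_prone_core-2.3.3-with-dependencies.jar '
    '-Xplugin:ErrorProne -XepAllErrorsAsWarnings -XepDisableAllChecks-Xep:ArrayEquals:WARN-Xep:EqualsHashCode:WARN-Xep:GuardedBy:WARN '
    '-cp /tmp/analyzing-x/target/classes:/root/.m2/repository/org/projectlombok/lombok/1.18.22/lombok-1.18.22.jar '
    '-d /tmp/analyzing-x/target/classes --release 11 '
    '/tmp/analyzing-x/src/main/java/A.java /tmp/analyzing-x/src/main/java/B.java" exited with code 4.'
)

SCRIPT_RE = re.compile(r'Script "(?P<cmd>.*)" exited with code (?P<code>\d+)', re.S)
XEP_RE = re.compile(r'-Xep[A-Za-z0-9]*(?::[A-Za-z0-9_]+)*')  # splits glued "-XepDisableAllChecks-Xep:Foo:WARN"
PATH_OPTS = {'-processorpath': 'processorpath', '-cp': 'classpath', '-classpath': 'classpath'}
TWO_TOKEN = set(PATH_OPTS) | {'-d', '--release'}   # options that consume the following token

def parse_errorprone_failure(log):
    """Return a structured view of the javac command the scan ran and its exit code."""
    m = SCRIPT_RE.search(log)
    if not m:
        raise ValueError('no "Execution Failed: Script ..." entry found')
    args = shlex.split(m.group('cmd'))[1:]  # drop the leading "javac"
    out = {'exit_code': int(m.group('code')), 'checks': {}, 'flags': [],
           'processorpath': [], 'classpath': [], 'sources': [], 'release': None}
    i = 0
    while i < len(args):
        a = args[i]
        value = args[i + 1] if a in TWO_TOKEN else None
        if a in PATH_OPTS:                      # ':'-separated path list
            out[PATH_OPTS[a]] = value.split(':')
        elif a == '--release':
            out['release'] = value
        elif a.startswith('-Xep'):
            for flag in XEP_RE.findall(a):
                parts = flag.split(':')         # -Xep:CheckName:LEVEL vs a bare -XepSwitch
                if len(parts) == 3:
                    out['checks'][parts[1]] = parts[2]
                else:
                    out['flags'].append(flag)
        elif a.endswith('.java'):
            out['sources'].append(a)
        i += 2 if a in TWO_TOKEN else 1
    return out

def lombok_visible_to_javac(parsed):
    """With an explicit -processorpath, javac discovers processors only there; Lombok on -cp alone does not run."""
    return {k: any('lombok' in p.lower() for p in parsed[k]) for k in ('classpath', 'processorpath')}
```

Paste the full quoted entry in place of SAMPLE_LOG to get the real check list and the exact set of source files the scan tried to compile.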

@nigel.l.jones Thank you for filing, I’ve asked the engineering teams to take a look. We have different teams looking into these for you so responses to each point may come through at different times.

To confirm, the project you’re analyzing is https://lift.sonatype.com/odpi/egeria?