fortify-ps/fortify-integration-sonarqube

Fortify plugin doesn't work with SonarQube V8.2

gosi-devops opened this issue · 5 comments

Fortify plugin doesn't work with SonarQube V8.2

2020.04.30 00:35:45 WARN ce[][o.s.c.p.PluginLoader] Plugin Fortify [fortify] uses a child first classloader which is deprecated
2020.04.30 00:35:47 ERROR ce[][o.s.ce.app.CeServer] Compute Engine startup failed
java.lang.IllegalStateException: Fail to load plugin Fortify [fortify]
at org.sonar.server.plugins.ServerExtensionInstaller.installExtensions(ServerExtensionInstaller.java:88)
at org.sonar.ce.container.ComputeEngineContainerImpl.startLevel4(ComputeEngineContainerImpl.java:229)
at org.sonar.ce.container.ComputeEngineContainerImpl.start(ComputeEngineContainerImpl.java:195)
at org.sonar.ce.ComputeEngineImpl.startup(ComputeEngineImpl.java:45)
at org.sonar.ce.app.CeServer$CeMainThread.attemptStartup(CeServer.java:163)
at org.sonar.ce.app.CeServer$CeMainThread.run(CeServer.java:141)
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.base/java.security.AccessController.checkPermission(AccessController.java:897)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
at java.base/java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:2048)
at java.base/java.lang.Thread.getContextClassLoader(Thread.java:1491)
at com.fortify.integration.sonarqube.common.ContextClassLoaderAspect.wrapWithContextClassLoader(ContextClassLoaderAspect.java:94)
at com.fortify.integration.sonarqube.common.ContextClassLoaderAspect.ajc$inlineAccessMethod$com_fortify_integration_sonarqube_common_ContextClassLoaderAspect$com_fortify_integration_sonarqube_common_ContextClassLoaderAspect$wrapWithContextClassLoader(ContextClassLoaderAspect.java:1)
at com.fortify.integration.sonarqube.common.ContextClassLoaderAspect.wrapMethodWithContextClassLoader(ContextClassLoaderAspect.java:81)
at com.fortify.integration.sonarqube.common.FortifyPlugin.define(FortifyPlugin.java:80)
at org.sonar.server.plugins.ServerExtensionInstaller.installExtensions(ServerExtensionInstaller.java:78)
... 5 common frames omitted
2020.04.30 00:35:47 INFO ce[][o.s.p.ProcessEntryPoint] Hard stopping process
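A log-triage helper, added here and not part of the issue, the plugin or SonarQube: it scans ce.log lines like the ones above for "Fail to load plugin" stanzas and reports the plugin key, whether the loader had warned about a child-first classloader, the denied permission, and the plugin-owned frames that tripped the check. The log sample is copied from this report; the regexes and the platform-package prefixes are assumptions about the log layout.

```python
import re
from dataclasses import dataclass, field

# ce.log excerpt copied from the report above (a sample, not a live log).
SAMPLE_LOG = """\
2020.04.30 00:35:45 WARN ce[][o.s.c.p.PluginLoader] Plugin Fortify [fortify] uses a child first classloader which is deprecated
2020.04.30 00:35:47 ERROR ce[][o.s.ce.app.CeServer] Compute Engine startup failed
java.lang.IllegalStateException: Fail to load plugin Fortify [fortify]
at org.sonar.server.plugins.ServerExtensionInstaller.installExtensions(ServerExtensionInstaller.java:88)
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
at java.base/java.lang.Thread.getContextClassLoader(Thread.java:1491)
at com.fortify.integration.sonarqube.common.ContextClassLoaderAspect.wrapWithContextClassLoader(ContextClassLoaderAspect.java:94)
at com.fortify.integration.sonarqube.common.FortifyPlugin.define(FortifyPlugin.java:80)
at org.sonar.server.plugins.ServerExtensionInstaller.installExtensions(ServerExtensionInstaller.java:78)
2020.04.30 00:35:47 INFO ce[][o.s.p.ProcessEntryPoint] Hard stopping process
"""

# The patterns below are assumptions about the ce.log layout, derived from the lines above.
CHILD_FIRST_RE = re.compile(r"Plugin .+? \[(?P<key>[^\]]+)\] uses a child first classloader")
FAIL_RE = re.compile(r"Fail to load plugin (?P<name>.+?) \[(?P<key>[^\]]+)\]")
DENIED_RE = re.compile(r'access denied \("(?P<perm>[^"]+)" "(?P<target>[^"]+)"\)')
FRAME_RE = re.compile(r"^\s*at (?:[\w.]+/)?(?P<cls>[\w.$]+)\.(?P<method>[\w$<>]+)\(")
PLATFORM_PREFIXES = ("java.", "javax.", "jdk.", "sun.", "org.sonar.")  # JDK and SonarQube itself

@dataclass
class PluginLoadFailure:
    key: str
    name: str
    child_first: bool = False
    denied: str = ""                                    # e.g. "java.lang.RuntimePermission getClassLoader"
    plugin_frames: list = field(default_factory=list)   # non-platform frames, innermost first

def triage_ce_log(text: str) -> list:
    """Return one PluginLoadFailure per 'Fail to load plugin' stanza in a ce.log excerpt."""
    failures, child_first_keys, current = [], set(), None
    for line in text.splitlines():
        if m := CHILD_FIRST_RE.search(line):
            child_first_keys.add(m.group("key"))
        elif m := FAIL_RE.search(line):
            current = PluginLoadFailure(m.group("key"), m.group("name"), m.group("key") in child_first_keys)
            failures.append(current)
        elif current is None:
            continue  # frames before any failure stanza are not attributed to a plugin
        elif (m := DENIED_RE.search(line)) and not current.denied:
            current.denied = f'{m.group("perm")} {m.group("target")}'
        elif (m := FRAME_RE.match(line)) and not m.group("cls").startswith(PLATFORM_PREFIXES):
            # Frames outside the JDK and SonarQube point at the plugin code that hit the SecurityManager check.
            current.plugin_frames.append(f'{m.group("cls")}.{m.group("method")}')
    return failures
```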

According to this thread, SonarQube has added some security restrictions in SonarQube 8.0. It looks like this error is caused by these updated security restrictions.

The functionality that is now being restricted by SonarQube is used by the Fortify plugin to work around a class loader conflict that was previously reported in #4. Removing this functionality would most likely bring back that original issue.

Probably a significant redesign would be needed to make the Fortify plugin compatible with SonarQube 8.0+ while at the same time maintaining compatibility with older SonarQube versions.

If you would like to expedite development of a new plugin version that works with SonarQube 8.0+, please consider purchasing Fortify Professional Services by contacting your Fortify sales representative. Otherwise, I will try to provide an updated plugin once I have some spare time available.

For the reasons listed in the Deprecation Notice, this issue will not be fixed unless a customer is willing to invest in a full rewrite of this plugin.

Is there an alternative to this?
Meaning, if Fortify provides an alternative mechanism to be used as a Quality Gate.

I have updated the README file with a link to an alternative option for importing fortify results into SonarQube: https://github.com/fortify/FortifyVulnerabilityExporter. Please check the README file for an overview of limitations of this alternative integration compared to the plugin-based approach.

Thank you. Indeed it seems it is very limited for what we would like to have.