sbaudoin/sonar-shellcheck

plugin hangs when scanning scripts that contain a specific source expression

Closed this issue · 6 comments

Summary

Shellcheck plugin 2.4.0 hangs when scanning files that contain:

  source /dev/stdin <<<"$(curl -s <apiBasePath>/this/is/a/shell/script)"

This alternative works:

  source <(curl -s "<apiBasePath>/this/is/a/shell/script")

Reproduce

Tested

  • SonarQube: 9.0.1.46107 (via Docker image, instructions below)
  • SonarQube: 8.9.2 (build 46101) Enterprise.
  • Sonar scanner: 4.6.2.2472 (via Docker image, instructions below)
  • Docker: 3.5.2 (66501) on MacOS 11.5.2
  • Docker: 18.06.1-ce on Ubuntu 18.04.4 LTS (TravisCI worker)

Steps

  echo 'source /dev/stdin <<<"$(curl -s <apiBasePath>/this/does/not/exist)"' > test.sh
  curl --create-dirs -sLo extensions/plugins/sonar-shellcheck-plugin-2.4.0.jar https://github.com/sbaudoin/sonar-shellcheck/releases/download/v2.4.0/sonar-shellcheck-plugin-2.4.0.jar
  docker run -d -v "$(pwd)/extensions:/opt/sonarqube/extensions" --rm --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest -Dsonar.forceAuthentication=false
  sleep 120
  docker run --network host --rm -v "$(pwd):/usr/src" sonarsource/sonar-scanner-cli -Dsonar.projectKey=test-shell-project -Dsonar.sourceEncoding="UTF-8" -X
  # Ctrl-c will stop the scan and proceed to the next line
  docker stop sonarqube

Logs

scan.log.gz

Hello,

Thanks for reporting this issue. Can you specify the version of ShellCheck you use, please? From the log you uploaded it seems that the issue relates to ShellCheck, not the plugin, so have you considered raising the issue on ShellCheck instead?

Hi, thank you! It's the plugin, version 2.4.0. My apologies, I'll update the description.

Why not, but the last entry in the log file is:

17:29:25.125 DEBUG: Executing command: [shellcheck, -x, -f, json, /usr/src/test.sh]

If the command had completed there should be another log entry "Output from shellcheck:" followed by the output from the command. As this is not the case, my guess is that the shellcheck command does not terminate. So my suspect is ShellCheck (thus my suggestion to raise the issue on ShellCheck side instead), possibly having difficulties handling your script /usr/src/test.sh.

Sure, that's reasonable. Thank you.

Before going to ShellCheck, you should execute shellcheck -x -f json /usr/src/test.sh manually and see what happens: if it hangs you may raise the issue on ShellCheck side, but if it does not, the issue is mine but I'll ask for some more information.

Yep, I ran it locally before closing. It appears that shellcheck is attempting to source /dev/stdin and hanging (-x allows non-FILE sources).

This passes, confirming the suspicion:

  echo . | shellcheck -x test.sh

Thanks again.
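
A CI-side guard for the hang diagnosed in this thread, as an added example that is not code from the plugin, from ShellCheck or from any participant. The function names, the grep pattern and the 60-second default are assumptions, as is the expectation that stdin at EOF behaves like the piped input shown above; GNU timeout is required.

```shell
#!/usr/bin/env bash
# Added example: contain the stdin hang described in this thread.

# Succeed if FILE has a non-comment line that sources /dev/stdin,
# using either "source" or ".". Constructed pattern, not exhaustive.
sources_stdin() {
  grep -v '^[[:space:]]*#' "$1" |
    grep -Eq '(^|[[:space:];&|])(source|\.)[[:space:]]+/dev/stdin([[:space:]]|$)'
}

# Run CMD with stdin at EOF and a wall-clock limit, so a tool that follows
# a /dev/stdin source cannot wait forever on an inherited, idle stdin.
# Usage: run_bounded SECONDS CMD [ARGS...]   (status 124 = timed out)
run_bounded() {
  local limit="$1"
  shift
  timeout "$limit" "$@" </dev/null
}

# Lint one file with the command line from the plugin's debug log,
# flagging files that contain the construct from this issue.
# Usage: lint_file FILE [SECONDS]   (default limit of 60 s is an assumption)
lint_file() {
  local file="$1"
  local limit="${2:-60}"
  if sources_stdin "$file"; then
    echo "note: $file sources /dev/stdin; stdin is redirected from /dev/null" >&2
  fi
  run_bounded "$limit" shellcheck -x -f json "$file"
}
```

A status of 124 from lint_file means the limit was reached, which lets a pipeline fail the job instead of stalling until it is cancelled by hand.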