[spotbugs] asdf_asdf: unknown shim java_version - exit status 126

DevSecOps
1

Hello all.

I am having the following problem when running Spotbugs using pre-compilation:

$ /analyzer run
[INFO] [Spotbugs] [2022-08-04T13:03:48Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command@v1.8.0/command.go:76] ▶ GitLab Spotbugs analyzer v3.2.1
[INFO] [Spotbugs] [2022-08-04T13:03:48Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command@v1.8.0/run.go:125] ▶ Detecting project
[INFO] [Spotbugs] [2022-08-04T13:03:48Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command@v1.8.0/run.go:147] ▶ Found relevant files in project, analyzing entire repository
[INFO] [Spotbugs] [2022-08-04T13:03:48Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command@v1.8.0/run.go:159] ▶ Running analyzer
[DEBU] [Spotbugs] [2022-08-04T13:03:48Z] [/go/src/app/utils/utils.go:45] ▶ /bin/bash -c source /root/.bashrc && switch_to java 17
/opt/asdf/lib/utils.bash: line 234: ASDF_ASDF: UNKNOWN SHIM JAVA_VERSION: invalid variable name
/opt/asdf/lib/utils.bash: line 234: ASDF_ASDF:_VERSION: invalid variable name
/opt/asdf/lib/utils.bash: line 234: ASDF_ASDF: UNKNOWN SHIM JAVA_VERSION: invalid variable name
No version set for command java
Consider adding one of the following versions in your config file at 
asdf: unknown shim java
[INFO] [Spotbugs] [2022-08-04T13:03:49Z] [/go/src/app/project/project.go:73] ▶ Found Gradlew project in /builds/*/backend directory
[INFO] [Spotbugs] [2022-08-04T13:03:49Z] [/go/src/app/project/project.go:73] ▶ Found Gradle project in /builds/*/*/api directory
[INFO] [Spotbugs] [2022-08-04T13:03:49Z] [/go/src/app/analyze.go:128] ▶ Found 2 analyzable projects.
[DEBU] [Spotbugs] [2022-08-04T13:03:49Z] [/go/src/app/analyze.go:185] ▶ /opt/asdf/shims/java -cp /spotbugs/dist/lib/* -Xmx1900M -Dlog4j2.formatMsgNoLookups=true -jar /spotbugs/dist/lib/spotbugs.jar -pluginList /fsb/lib/findsecbugs-plugin.jar -exclude /spotbugs/exclude.xml -include /spotbugs/include.xml -onlyAnalyze ****
/opt/asdf/lib/utils.bash: line 234: ASDF_ASDF: UNKNOWN SHIM JAVA_VERSION: invalid variable name
/opt/asdf/lib/utils.bash: line 234: ASDF_ASDF:_VERSION: invalid variable name
/opt/asdf/lib/utils.bash: line 234: ASDF_ASDF: UNKNOWN SHIM JAVA_VERSION: invalid variable name
No version set for command java
Consider adding one of the following versions in your config file at 
asdf: unknown shim java
[ERRO] [Spotbugs] [2022-08-04T13:03:49Z] [/go/src/app/analyze.go:187] ▶ Error: SpotBugs analysis failed for /builds/*/backend: exit status 126
[FATA] [Spotbugs] [2022-08-04T13:03:49Z] [/go/src/app/main.go:35] ▶ exit status 126
Uploading artifacts for failed job
00:00
Uploading artifacts...
WARNING: gl-sast-report.json: no matching files. Ensure that the artifact path is relative to the working directory 
ERROR: No files to upload                          
Cleaning up project directory and file based variables
00:01
ERROR: Job failed: exit code 1

This is my CI Job:

variables:
  SAST_JAVA_VERSION: 17
  SECURE_LOG_LEVEL: "debug"

include:
  - template: Security/SAST.gitlab-ci.yml

.backend_job:
  image: registry.gitlab.com/*/amazoncorretto17
  before_script:
    - export GRADLE_USER_HOME=`pwd`/.gradle
    - export GRADLE_OPTS="-Dorg.gradle.daemon=false -Dorg.gradle.caching=true"
    - cd backend
  cache:
    key: "backend"
    paths:
      - .gradle/wrapper
    policy: pull

Build Backend For Spotbugs:
  extends: .backend_job
  stage: .pre
  script:
    - ./gradlew compileKotlin
  artifacts:
    paths:
      - "backend/**/build/"
      - "backend/build/"
      - "backend/.gradle/caches/modules-2"
  rules:
    - if: *in_merge_request
      when: always

spotbugs-sast:
  dependencies:
    - Build Backend For Spotbugs
  variables:
    GRADLE_USER_HOME: $CI_PROJECT_DIR/backend/.gradle/
    COMPILE: "false"
  artifacts:
    reports:
      sast: gl-sast-report.json
  rules:
    - if: *in_merge_request
      when: always

Here are some information about my environment:

My Gradle Version:  7.4.2
Language: Kotlin
Java Version: 17

I have the same behaviour if I use Spotbugs offline in my local machine.
Also, I tried to use the following versions of Spotbugs and they have the same problem: v3.2.1, v2.30.1, v2.30.3 and v2.28.12.

Does someone has any idea about how to fix this problem?

2

Hi @s2b1n0 , welcome to the GitLab community forum!

I believe the reason your spotbugs-sast job is failing is because of the override to GRADLE_USER_HOME. Spotbugs uses ASDF for managing java and gradle dependencies, so by default this container and CI job will use /opt/asdf/shims/java as the path for Java and /opt/asdf/shims/gradle as the default path for Gradle. Inside the container, the path is set to $PATH=PATH=/opt/asdf/shims:/opt/asdf/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin.

Can you remove this from your spotbugs-sast job

  variables:
    GRADLE_USER_HOME: $CI_PROJECT_DIR/backend/.gradle/

and verify if the problem persists?

3

Hey @gitlab-greg thanks for your reply.

I’ve removed the variable GRADLE_USER_HOME, however the same error persists. :frowning:

4

Hey @gitlab-greg,

Actually, doing some more research, it looks like the tool has the same behaviour while using its docker image.

In the example below, I’ve used the java-gradle project as a test to run spotbugs.

This is the docker command:

docker run -e "SAST_JAVA_VERSION=17" -e "SECURE_LOG_LEVEL=debug" -v $(pwd)/java-gradle/:/root/java_gradle/ registry.gitlab.com/security-products/spotbugs:3

Screenshot 2022-08-16 at 22.08.20
Screenshot 2022-08-16 at 22.08.202772×1038 349 KB