Today (2015-02-26) in the Developers Forum, @skoussa led a discussion about utilizing FindBugs to evaluate vulnerabilities in the OpenMRS code base. Our plan is to evaluate this tool in comparison to a commercial tool to which Sherif has access.
If anyone is interested in joining the efforts on evaluating these tools (and learning more about them) please reply to this topic and add your voice here.
Thanks for joining our work team to address these important issues!
I am interested in being part of the learning and investigation or evaluation team; just to be sure how I need to join: “we shall be joining efforts”, does that mean we shall work together or do personal testing work? I hope to hear more details about how I can be of help in this.
Might be useful to get a test instance to test out the new version 4.5.2 LTS or 5.X and see if they offer any advantages. Also for plugin support it would be useful to get on an LTS release as some of the newer plugin versions don’t support our current release of 4.3.2.
I had just started downloading 5.1 when I read here of the one you guys had preferred; nevertheless I will finish and load my installation, which is as of now the latest release. I understand that for now our task is evaluating the tool. Are we going to be reporting any vulnerabilities to JIRA that Sonar may have traced down that are of value to look into?
I will be evaluating both the plugin and the standard release!
@k_joseph, yes, we are going to report vulnerabilities in JIRA, but first we have to have the plugin running on https://ci.openmrs.org/sonar. Once you get the plugin running on your local instance, please report back examples of issues that it finds for openmrs-core so we can see if they are of any value for us.
I restarted and it crashed on startup, with this error. Looks like we need to get the correct versions of the plugins synced together.
2015.04.03 13:28:47 ERROR web[o.a.c.c.C.[.[.[/sonar]] Exception sending context initialized event to listener instance of class org.sonar.server.platform.PlatformServletContextListener
org.sonar.updatecenter.common.exception.IncompatiblePluginVersionException: The plugins 'findbugs' and 'java' must have exactly the same version as they belong to the same group.
at org.sonar.updatecenter.common.PluginReferential.getParentRelease(PluginReferential.java:136) ~[sonar-update-center-common-1.11.jar:na]
at org.sonar.updatecenter.common.PluginReferential.setParent(PluginReferential.java:124) ~[sonar-update-center-common-1.11.jar:na]
at org.sonar.updatecenter.common.PluginReferentialManifestConverter.fromPluginManifests(PluginReferentialManifestConverter.java:54) ~[sonar-update-center-common-1.11.jar:na]
at org.sonar.server.plugins.PluginReferentialMetadataConverter.getInstalledPluginReferential(PluginReferentialMetadataConverter.java:40) ~[sonar-server-4.5.4.jar:na]
at org.sonar.server.plugins.InstalledPluginReferentialFactory.init(InstalledPluginReferentialFactory.java:54) ~[sonar-server-4.5.4.jar:na]
at org.sonar.server.plugins.InstalledPluginReferentialFactory.start(InstalledPluginReferentialFactory.java:38) ~[sonar-server-4.5.4.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_75]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_75]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_75]
at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_75]
at org.picocontainer.lifecycle.ReflectionLifecycleStrategy.invokeMethod(ReflectionLifecycleStrategy.java:110) ~[picocontainer-2.14.3.jar:na]
at org.picocontainer.lifecycle.ReflectionLifecycleStrategy.start(ReflectionLifecycleStrategy.java:89) ~[picocontainer-2.14.3.jar:na]
at org.picocontainer.injectors.AbstractInjectionFactory$LifecycleAdapter.start(AbstractInjectionFactory.java:84) ~[picocontainer-2.14.3.jar:na]
at org.picocontainer.behaviors.AbstractBehavior.start(AbstractBehavior.java:169) ~[picocontainer-2.14.3.jar:na]
at org.picocontainer.behaviors.Stored$RealComponentLifecycle.start(Stored.java:132) ~[picocontainer-2.14.3.jar:na]
at org.picocontainer.behaviors.Stored.start(Stored.java:110) ~[picocontainer-2.14.3.jar:na]
at org.picocontainer.DefaultPicoContainer.potentiallyStartAdapter(DefaultPicoContainer.java:1015) ~[picocontainer-2.14.3.jar:na]
at org.picocontainer.DefaultPicoContainer.startAdapters(DefaultPicoContainer.java:1008) ~[picocontainer-2.14.3.jar:na]
at org.picocontainer.DefaultPicoContainer.start(DefaultPicoContainer.java:766) ~[picocontainer-2.14.3.jar:na]
at org.sonar.api.platform.ComponentContainer.startComponents(ComponentContainer.java:92) ~[sonar-plugin-api-4.5.4.jar:na]
at org.sonar.server.platform.Platform.startLevel2Container(Platform.java:106) ~[sonar-server-4.5.4.jar:na]
at org.sonar.server.platform.Platform.init(Platform.java:73) ~[sonar-server-4.5.4.jar:na]
at org.sonar.server.platform.PlatformServletContextListener.contextInitialized(PlatformServletContextListener.java:42) ~[sonar-server-4.5.4.jar:na]
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4973) [tomcat-embed-core-7.0.54.jar:7.0.54]
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5467) [tomcat-embed-core-7.0.54.jar:7.0.54]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) [tomcat-embed-core-7.0.54.jar:7.0.54]
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1559) [tomcat-embed-core-7.0.54.jar:7.0.54]
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1549) [tomcat-embed-core-7.0.54.jar:7.0.54]
at java.util.concurrent.FutureTask.run(FutureTask.java:262) [na:1.7.0_75]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_75]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [na:1.7.0_75]
at java.lang.Thread.run(Thread.java:745) [na:1.7.0_75]
Caused by: java.util.NoSuchElementException: Unable to find a release of plugin java with version 2.3
at org.sonar.updatecenter.common.Artifact.getRelease(Artifact.java:86) ~[sonar-update-center-common-1.11.jar:na]
at org.sonar.updatecenter.common.PluginReferential.getParentRelease(PluginReferential.java:134) ~[sonar-update-center-common-1.11.jar:na]
... 31 common frames omitted
I believe so. It looks like when updating to 3.1 it is not updating the included plugins, such as jacoco, findbugs, surefire, squid. Are those included now, or do we need to update those separately? (Looks like they need to be the exact same version as well.)
Version 2.4 moves Java from being an “ecosystem” of multiple plugins to a single, stand-alone plugin that encompasses most of the functionality formerly contained in the ecosystem. Unfortunately, SonarQube’s update center cannot handle the switch gracefully. You may use the update center to download the new version of the plugin. However, you must manually remove the Surefire, JaCoCo, and Squid for Java plugins from $SONARQUBE_HOME/extensions/plugins.
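A preflight check for the plugin directory, as an added example (not OpenMRS or SonarQube code): it reads each jar's manifest and reports the two conditions this thread ran into, the leftover ecosystem plugins that must be deleted by hand and the 'findbugs'/'java' version mismatch from the startup error above. The manifest attribute names, plugin keys and the findbugs-to-java grouping are assumptions taken from the error message, not from SonarQube's own source.

```python
"""Check $SONARQUBE_HOME/extensions/plugins before restarting SonarQube (added example)."""
import os
import tempfile
import zipfile

# Plugins merged into 'java' 2.4 that must be removed by hand (assumed plugin keys;
# the Squid-for-Java key is not on the page, add the one your install uses).
OBSOLETE_ECOSYSTEM_KEYS = {"surefire", "jacoco"}
# Child -> parent plugins that must share one version; the startup error on the
# page names 'findbugs' and 'java' as one group (assumed mapping).
VERSION_GROUPS = {"findbugs": "java"}

def read_manifest(jar_path):
    """Return (Plugin-Key, Plugin-Version) from a plugin jar's MANIFEST.MF."""
    with zipfile.ZipFile(jar_path) as jar:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):  # skip continuation lines
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
    return attrs.get("Plugin-Key"), attrs.get("Plugin-Version")

def check_plugins(plugins_dir):
    """Return a list of problems; an empty list means the directory is consistent."""
    installed = {}
    for name in sorted(os.listdir(plugins_dir)):
        if name.endswith(".jar"):
            key, version = read_manifest(os.path.join(plugins_dir, name))
            if key:
                installed[key] = version
    problems = [f"remove obsolete ecosystem plugin '{k}' (merged into 'java' 2.4+)"
                for k in sorted(installed) if k in OBSOLETE_ECOSYSTEM_KEYS]
    for child, parent in VERSION_GROUPS.items():
        if child in installed and parent in installed and installed[child] != installed[parent]:
            problems.append(f"'{child}' {installed[child]} and '{parent}' "
                            f"{installed[parent]} must have the same version")
    return problems

def make_fake_plugin(plugins_dir, key, version):
    """Constructed fixture: a minimal jar containing only a plugin manifest."""
    manifest = f"Manifest-Version: 1.0\nPlugin-Key: {key}\nPlugin-Version: {version}\n"
    path = os.path.join(plugins_dir, f"sonar-{key}-plugin-{version}.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return path

def run_demo(plugins):
    """Build a throwaway plugin directory from constructed (key, version) pairs and check it."""
    with tempfile.TemporaryDirectory() as plugins_dir:
        for key, version in plugins:
            make_fake_plugin(plugins_dir, key, version)
        return check_plugins(plugins_dir)
```

Point `check_plugins` at the real `$SONARQUBE_HOME/extensions/plugins` to run it against an installation; `run_demo` only exercises the constructed fixtures.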