find-sec-bugs / find-sec-bugs

The SpotBugs plugin for security audits of Java web applications and Android applications. (Also works with Kotlin, Groovy and Scala projects.)

Home Page: https://find-sec-bugs.github.io/

Erroneous "`java.lang.ClassNotFoundException`: Exception while looking for class" errors

basil opened this issue

Environment

| Component | Version |
| --- | --- |
| Maven | 3.8.6 |
| Java | 11.0.16 |
| SpotBugs | 4.7.2 |
| FindSecBugs | 1.12.0 |

Steps to reproduce

  1. Ensure Java 11 and Maven 3.8.6 are installed.
  2. Run `git clone https://github.com/jenkins/jenkins.git && cd jenkins`
  3. Run `mvn clean verify -DskipTests -Dspotbugs.debug -Dspotbugs.trace '-Dspotbugs.jvmArgs=-Dorg.slf4j.simpleLogger.defaultLogLevel=debug'`

Expected results

Note: These are the actual results when running SpotBugs core without Find Security Bugs.

No "Missing class" errors should appear in the output, and no "The following classes needed for analysis were missing" message should be printed after running SpotBugs.

Actual results

Lots of "Missing class" exceptions are logged, for example:

     [java] [main] DEBUG edu.umd.cs.findbugs.AbstractBugReporter - Missing class
     [java] java.lang.ClassNotFoundException: Exception while looking for class makeConcatWithConstants
     [java]     at edu.umd.cs.findbugs.AnalysisCacheToRepositoryAdapter.loadClass(AnalysisCacheToRepositoryAdapter.java:94)
     [java]     at org.apache.bcel.Repository.lookupClass(Repository.java:65)
     [java]     at com.h3xstream.findsecbugs.injection.BasicInjectionDetector.getInjectionPoint(BasicInjectionDetector.java:79)
     [java]     at com.h3xstream.findsecbugs.injection.AbstractInjectionDetector.analyzeLocation(AbstractInjectionDetector.java:82)
     [java]     at com.h3xstream.findsecbugs.injection.AbstractTaintDetector.analyzeMethod(AbstractTaintDetector.java:126)
     [java]     at com.h3xstream.findsecbugs.injection.AbstractTaintDetector.visitClassContext(AbstractTaintDetector.java:79)
     [java]     at edu.umd.cs.findbugs.DetectorToDetector2Adapter.visitClass(DetectorToDetector2Adapter.java:76)
     [java]     at edu.umd.cs.findbugs.FindBugs2.lambda$analyzeApplication$1(FindBugs2.java:1108)
     [java]     at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
     [java]     at edu.umd.cs.findbugs.CurrentThreadExecutorService.execute(CurrentThreadExecutorService.java:86)
     [java]     at java.base/java.util.concurrent.AbstractExecutorService.invokeAll(AbstractExecutorService.java:242)
     [java]     at edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1118)
     [java]     at edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:309)
     [java]     at edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:395)
     [java]     at edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1231)
     [java] Caused by: edu.umd.cs.findbugs.classfile.MissingClassException: Resource not found: makeConcatWithConstants.class
     [java]     at edu.umd.cs.findbugs.classfile.engine.ClassDataAnalysisEngine.analyze(ClassDataAnalysisEngine.java:60)
     [java]     at edu.umd.cs.findbugs.classfile.engine.ClassDataAnalysisEngine.analyze(ClassDataAnalysisEngine.java:42)
     [java]     at edu.umd.cs.findbugs.classfile.impl.AnalysisCache.getClassAnalysis(AnalysisCache.java:261)
     [java]     at edu.umd.cs.findbugs.classfile.engine.ClassInfoAnalysisEngine.analyze(ClassInfoAnalysisEngine.java:61)
     [java]     at edu.umd.cs.findbugs.classfile.engine.ClassInfoAnalysisEngine.analyze(ClassInfoAnalysisEngine.java:38)
     [java]     at edu.umd.cs.findbugs.classfile.impl.AnalysisCache.getClassAnalysis(AnalysisCache.java:261)
     [java]     at edu.umd.cs.findbugs.ba.Hierarchy2.getXClass(Hierarchy2.java:282)
     [java]     at edu.umd.cs.findbugs.ba.Hierarchy2.getXClassFromDottedClassName(Hierarchy2.java:278)
     [java]     at edu.umd.cs.findbugs.ba.Hierarchy2.findInvocationLeastUpperBound(Hierarchy2.java:146)
     [java]     at edu.umd.cs.findbugs.ba.Hierarchy2.findDeclaredExceptions(Hierarchy2.java:490)
     [java]     at edu.umd.cs.findbugs.ba.type.TypeAnalysis.computeThrownExceptionTypes(TypeAnalysis.java:910)
     [java]     at edu.umd.cs.findbugs.ba.type.TypeAnalysis.computeBlockExceptionSet(TypeAnalysis.java:731)
     [java]     at edu.umd.cs.findbugs.ba.type.TypeAnalysis.computeThrownExceptionTypes(TypeAnalysis.java:474)
     [java]     at edu.umd.cs.findbugs.ba.type.TypeAnalysis.transfer(TypeAnalysis.java:417)
     [java]     at edu.umd.cs.findbugs.ba.type.TypeAnalysis.transfer(TypeAnalysis.java:86)
     [java]     at edu.umd.cs.findbugs.ba.Dataflow.execute(Dataflow.java:378)
     [java]     at edu.umd.cs.findbugs.classfile.engine.bcel.TypeDataflowFactory.analyze(TypeDataflowFactory.java:83)
     [java]     at edu.umd.cs.findbugs.classfile.engine.bcel.TypeDataflowFactory.analyze(TypeDataflowFactory.java:43)
     [java]     at edu.umd.cs.findbugs.classfile.impl.AnalysisCache.analyzeMethod(AnalysisCache.java:368)
     [java]     at edu.umd.cs.findbugs.classfile.impl.AnalysisCache.getMethodAnalysis(AnalysisCache.java:321)
     [java]     at edu.umd.cs.findbugs.classfile.engine.bcel.CFGFactory.analyze(CFGFactory.java:160)
     [java]     at edu.umd.cs.findbugs.classfile.engine.bcel.CFGFactory.analyze(CFGFactory.java:65)
     [java]     at edu.umd.cs.findbugs.classfile.impl.AnalysisCache.analyzeMethod(AnalysisCache.java:368)
     [java]     at edu.umd.cs.findbugs.classfile.impl.AnalysisCache.getMethodAnalysis(AnalysisCache.java:321)
     [java]     at edu.umd.cs.findbugs.ba.ClassContext.getMethodAnalysis(ClassContext.java:1010)
     [java]     at edu.umd.cs.findbugs.ba.ClassContext.getMethodAnalysisNoDataflowAnalysisException(ClassContext.java:995)
     [java]     at edu.umd.cs.findbugs.ba.ClassContext.getCFG(ClassContext.java:301)
     [java]     at edu.umd.cs.findbugs.detect.FindUseOfNonSerializableValue.analyzeMethod(FindUseOfNonSerializableValue.java:143)
     [java]     at edu.umd.cs.findbugs.detect.FindUseOfNonSerializableValue.visitClassContext(FindUseOfNonSerializableValue.java:95)
     [java]     ... 9 more
     [java] Caused by: edu.umd.cs.findbugs.classfile.ResourceNotFoundException: Resource not found: makeConcatWithConstants.class
     [java]     at edu.umd.cs.findbugs.classfile.impl.ClassPathImpl.lookupResource(ClassPathImpl.java:162)
     [java]     at edu.umd.cs.findbugs.classfile.engine.ClassDataAnalysisEngine.analyze(ClassDataAnalysisEngine.java:53)
     [java]     ... 37 more

At the end of the SpotBugs invocation the following is printed:

     [java] Pass 2: Analyzing classes (2397 / 2397) - 100% completeDone with analysis
     [java] Analysis completed
     [java] The following classes needed for analysis were missing:
     [java]   makeConcatWithConstants
     [java]   accept
     [java]   apply
     [java]   test
     [java]   reportException
     [java]   save
     [java]   get
     [java]   call
     [java]   getString
     [java]   resolve
     [java]   check
     [java]   shouldRetry
     [java]   hash
     [java]   iterator
     [java]   compare
     [java]   execute
     [java]   run
     [java]   generateResponse
     [java]   weight
     [java]   applyAsInt
     [java]   visit
     [java]   loadUserByUsername
     [java]   authenticate
     [java]   uncaughtException
     [java]   isAllowed
     [java]   applyAsLong

Note

These errors do not occur with SpotBugs core, only when running Find Security Bugs.

In all cases these look like method names, not class names, pointing to a bug in Find Security Bugs.
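
A triage sketch for output like the above, added here and not part of the issue or of either project: it parses the `[java]`-prefixed SpotBugs log, separates "missing class" entries that have the shape of method names from plausible class names, and attributes each traced lookup to the first stack frame outside SpotBugs, BCEL and the JDK. The lowercase, no-package heuristic and the `org.example.RealDependency` sample entry are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the issue's log; org.example.RealDependency is made up.
SAMPLE = """\
     [java] java.lang.ClassNotFoundException: Exception while looking for class makeConcatWithConstants
     [java]     at org.apache.bcel.Repository.lookupClass(Repository.java:65)
     [java]     at com.h3xstream.findsecbugs.injection.BasicInjectionDetector.getInjectionPoint(BasicInjectionDetector.java:79)
     [java] The following classes needed for analysis were missing:
     [java]   makeConcatWithConstants
     [java]   accept
     [java]   org.example.RealDependency
"""

PREFIX = re.compile(r"^\s*\[java\] ?")
CNFE = re.compile(r"ClassNotFoundException: Exception while looking for class (\S+)")
FRAME = re.compile(r"^\s+at ([\w.$]+)\.[\w$<>]+\(")
INFRA = ("edu.umd.cs.findbugs.", "org.apache.bcel.", "java.")  # analysis plumbing

def looks_like_method_name(name):
    # Heuristic (assumption): no package separator and a lowercase first letter.
    return "." not in name and "/" not in name and name[:1].islower()

def parse(log):
    # Returns (names listed as missing, {name: classes that requested the lookup}).
    callers, listed, current, in_list = defaultdict(set), [], None, False
    for raw in log.splitlines():
        line = PREFIX.sub("", raw)
        hit, frame = CNFE.search(line), FRAME.match(line)
        if hit:
            current, in_list = hit.group(1), False
        elif line.startswith("Caused by"):
            current = None          # only the top-level trace names the requester
        elif frame and current:
            if not frame.group(1).startswith(INFRA):
                callers[current].add(frame.group(1))
                current = None      # keep the innermost non-plumbing frame only
        elif "classes needed for analysis were missing" in line:
            in_list = True
        elif in_list and line.startswith("  ") and line.strip():
            listed.append(line.strip())
        else:
            in_list = False
    return listed, callers

def triage(log):
    listed, callers = parse(log)
    suspect = {n: sorted(callers.get(n, ())) for n in listed if looks_like_method_name(n)}
    genuine = [n for n in listed if not looks_like_method_name(n)]
    return suspect, genuine
```

Entries returned in `genuine` are the ones worth checking against the analysis classpath, since a class that really is missing reduces what the detectors can see.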