Solutions to Common Problems 6.4.0

Owned by Ray O'Meara (Unlicensed)
Aug 09, 2020
4 min read

This page lists and describes problems, possible causes, and solutions.

WARNING: An illegal reflective access operation has occurred

Symptom

A block of warnings may appear in Synopsys Detect's logs similar to the following:

WARNING: An illegal reflective access operation has occurred WARNING: Illegal reflective access by org.codehaus.groovy.reflection.CachedClass (file:/Users/myuser/.gradle/caches/modules-2/files-2.1/org.codehaus.groovy/groovy-all/2.4.12/760afc568cbd94c09d78f801ce51aed1326710af/groovy-all-2.4.12.jar) to method java.lang.Object.finalize() WARNING: Please consider reporting this to the maintainers of org.codehaus.groovy.reflection.CachedClass WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations WARNING: All illegal access operations will be denied in a future release

Possible cause

Running Synopsys Detect with Java 11 can cause these warnings.
This is a known issue with Apache since Groovy 2.4.11. See GROOVY-8339.
Synopsys Detect's use of Groovy 2 is the result of using Spring Boot 2.2.4.RELEASE which currently depends on Groovy 2.

Solution

Currently, we have observed no adverse effects on Synopsys Detect as a result of these warnings.
The issue is fixed in Groovy 3 as per GROOVY-8339.
Clients running Synopsys Detect with Java 11 will see these warnings until the Spring Boot project upgrades its Groovy dependencies to Groovy 3 and Synopsys Detect upgrades Spring Boot.

Source Code

The relevant source code within Synopsys Detect.
synopsys-detect/build.gradle#L15)

The relevant source code within Spring Boot.
spring-boot-dependencies/pom.xml#L69

DETECT_SOURCE was not set or computed correctly

Symptom

detect.sh fails with the following: DETECT_SOURCE was not set or computed correctly, please check your configuration and environment.

Possible cause

detect.sh is trying to execute this command:

curl --silent --header \"X-Result-Detail: info\" https://sig-repo.synopsys.com/api/storage/bds-integrations-release/com/synopsys/integration/synopsys-detect?properties=DETECT_LATEST

The response to this command should be similar to the following:

{ "properties" : { "DETECT_LATEST" : [ "https://sig-repo.synopsys.com/bds-integrations-release/com/synopsys/integration/synopsys-detect/5.6.1/synopsys-detect-5.6.1.jar" ] }, "uri" : "https://sig-repo.synopsys.com/api/storage/bds-integrations-release/com/synopsys/integration/synopsys-detect" }

When that command does not successfully return a value for property DETECT_LATEST, detect.sh reports:

Solution

If the curl command described above does not successfully return a value for property DETECT_LATEST, you must determine why, and make the changes necessary so that curl command works.

Synopsys Detect succeeds, but the results are incomplete because package managers or sub-projects were overlooked

Symptom

In this scenario, everything succeeds, but many or all components are missed. The log shows that package managers were not recognized and/or sub-projects were overlooked.

Possible cause

The detector search depth needs to be increased. The default value (0) limits the search for package manager files to the project directory. If project manager files are located in subdirectories and/or there are sub-projects, this depth should be increased to enable Synopsys Detect to find the relevant files, so it will run the appropriate detector(s).

Refer to detector search depth for more details.

Docker Inspector error fails after logging: "The Black Duck URL must be specified"

Symptom

When running a version of Synopsys Detect prior to Synopsys Detect version 5.6.0, the Synopsys Detect Status block reports DOCKER: FAILURE, and the following error appears in the Docker Inspector log: Docker Inspector error: Error inspecting image: The Black Duck url must be specified. Either an API token or a username/password must be specified.

Possible cause

Synopsys Detect 5.5.1 and earlier have a bug that prevents them from working with Docker Inspector 8.2.0 and newer. The fix is in Synopsys Detect 5.6.0.

Solution

There are two possible solutions:

  • Upgrade to Synopsys Detect 5.6.0 or newer,
    Or

  • Configure Synopsys Detect to use Docker Inspector 8.1.6 with the argument: --detect.docker.inspector.version=8.1.6

Synopsys Detect fails and a TRACE log shows an HTTP response from Black Duck of "402 Payment Required" or "502 Bad Gateway"

Symptom

Synopsys Detect fails, and a TRACE log contains "402 Payment Required" or "502 Bad Gateway".

Possible cause

Black Duck does not have a required feature (notifications, binary analysis, etc.) enabled.

Solution

Enable the required feature on the Black Duck server.

Unexpected behavior running Synopsys Detect on a project that uses Spring Boot

Symptom

Unexpected behavior, and/or unexpected property values are shown in the log.

Possible cause

If your source directory contains Spring Framework configuration files named application.properties, application.yml, or application.xml that are written for any application other than Synopsys Detect, you should not run Synopsys Detect from your source directory.

Solution

To prevent Synopsys Detect from reading those files, run Synopsys Detect from a different directory. Use the following property to point to your source directory.


PKIX error connecting to Black Duck

Symptom

Exception: Could not communicate with Black Duck: Could not perform the authorization request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Possible cause

The Black Duck server certificate is not in Java's keystore.

Solution

  1. Acquire the certificate file for your Black Duck server.

  2. Determine which java executable is being used to run Synopsys Detect. If you run detect.sh or detect.sh, that is either $JAVA_HOME/bin/java (the default) or the first java found on your $PATH.

  3. Determine the Java home directory for that java executable.

  4. Run keytool to install the Black Duck server certificate into the keystore in that Java home directory.

Although not recommended, it is possible to disable the certificate check with the trust cert property.

Not Extractable: NUGET - Solution INFO [main] -- Exception occurred: java.nio.file.InvalidPathException

Symptom

Running Synopsys Detect on a NuGet project on Windows, a message similar to the following appears in the Synopsys Detect log:

Possible cause

The value of $PATH contains a whitespace character after a semicolon and the path mentioned in the log message.

Solution

Remove spaces immediately following semicolons in the value of $PATH.

No project name/version provided or derived

Symptom

Upload to Black Duck fails with a message similar to the following in the log:

Possible cause

No project name and version were provided via properties and no Synopsys Detect tool capable of deriving a project name and version was included in the run. For example, you will get this (or a similar) error if you run with --detect.tools.BINARY_SCANNER and do not set --detect.project.name or --detect.project.version.name.

Solution

Set --detect.project.name and --detect.project.version.name.

©2018 Synopsys, Inc. All Rights Reserved