[BUG] Kantra fails to scan .NET application

[markuszm]

Is there an existing issue for this?

• I have searched the existing issues

Konveyor version

latest

Priority

Blocker

Current Behavior

I created a custom rule for a .NET application to detect deprecated APIs. I used the builtin provider and simple regex matching inside the rule. Using the builtin provider, a C# provider should not be needed to analyze .NET applications.
When I run Kantra against the .NET application, I get the following error during the Java dependency analysis:

INFO[0009] running dependency analysis                   args="--provider-settings=/opt/input/config/settings.json --output-file=/opt/output/output.yaml --context-lines=100 --rules=/opt/rulesets/ --dep-label-selector=(!konveyor.io/dep-source=open-source) --verbose=4 --label-selector=((konveyor.io/target=dotnet-core) && (konveyor.io/source=dotnet)) || (discovery)" input=/Users/m.zimmermann/ctf/example_apps/nerd-dinner/mvc4 log=/Users/m.zimmermann/ctf/example_apps/nerd-dinner/nerddinner-kantra/dependency.log output=/Users/m.zimmermann/ctf/example_apps/nerd-dinner/nerddinner-kantra
INFO[0009] generating dependency log in file             file=/Users/m.zimmermann/ctf/example_apps/nerd-dinner/nerddinner-kantra/dependency.log
ERRO[0015] container run error                           error="exit status 2"
ERRO[0015] failed to run analysis                        error="panic: runtime error: invalid memory address or nil pointer dereference\n[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x56cd50]\n\ngoroutine 1 [running]:\ngithub.jparrowsec.cn/konveyor/analyzer-lsp/provider/internal/java.(*javaServiceClient).GetDependenciesFallback(0x40001081c0, {0x83f8f8, 0x40003145c0}, {0x0, 0x0})\n\t/analyzer-lsp/provider/internal/java/dependency.go:128 +0x90\ngithub.jparrowsec.cn/konveyor/analyzer-lsp/provider/internal/java.(*javaServiceClient).GetDependencies(0x40001081c0, {0x83f8f8, 0x40003145c0})\n\t/analyzer-lsp/provider/internal/java/dependency.go:72 +0x2ac\ngithub.jparrowsec.cn/konveyor/analyzer-lsp/provider.FullDepsResponse({0x83f8f8, 0x40003145c0}, {0x400f08e7d0, 0x1, 0x4000f079a8?})\n\t/analyzer-lsp/provider/provider.go:279 +0x90\ngithub.jparrowsec.cn/konveyor/analyzer-lsp/provider/internal/java.(*javaProvider).GetDependencies(0x40000bf760?, {0x83f8f8?, 0x40003145c0?})\n\t/analyzer-lsp/provider/internal/java/provider.go:330 +0x3c\nmain.main()\n\t/analyzer-lsp/cmd/dep/main.go:119 +0x544\n"
Error: panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x56cd50]

goroutine 1 [running]:
github.com/konveyor/analyzer-lsp/provider/internal/java.(*javaServiceClient).GetDependenciesFallback(0x40001081c0, {0x83f8f8, 0x40003145c0}, {0x0, 0x0})
	/analyzer-lsp/provider/internal/java/dependency.go:128 +0x90
github.com/konveyor/analyzer-lsp/provider/internal/java.(*javaServiceClient).GetDependencies(0x40001081c0, {0x83f8f8, 0x40003145c0})
	/analyzer-lsp/provider/internal/java/dependency.go:72 +0x2ac
github.com/konveyor/analyzer-lsp/provider.FullDepsResponse({0x83f8f8, 0x40003145c0}, {0x400f08e7d0, 0x1, 0x4000f079a8?})
	/analyzer-lsp/provider/provider.go:279 +0x90
github.com/konveyor/analyzer-lsp/provider/internal/java.(*javaProvider).GetDependencies(0x40000bf760?, {0x83f8f8?, 0x40003145c0?})
	/analyzer-lsp/provider/internal/java/provider.go:330 +0x3c
main.main()
	/analyzer-lsp/cmd/dep/main.go:119 +0x544

I ran Kantra with the following command on this sample repo https://github.com/sixeyed/nerd-dinner:
kantra analyze -m source-only -i ./mvc4 -o nerddinner-kantra --overwrite
Note that the custom rule is not specified in the sample command as it is not relevant to the issue.

Expected Behavior

I would expect to run Kantra without fatal error with the builtin rulesets on all languages as the builtin provider is language-independent. Running analyzer-lsp with only the builtin provider works.
I would not assume that Java and Go providers configs are always active regardless of the language source.

How Reproducible

Always (Default)

Steps To Reproduce

1. Clone this sample .NET application https://github.com/sixeyed/nerd-dinner
2. Switch to nerd-dinner folder
3. Run the following kantra command: kantra analyze -m source-only -i ./mvc4 -o nerddinner-kantra --overwrite

Environment

- OS:
Mac OS 14.2.1
Using "Rancher Desktop" as Docker installation

Anything else?

Same error as in #116 but noting here that the issue is not only for Java applications.

[jwmatthews]

@eemcmullan @pranavgaikwad is there an implied assumption currently when running Kantra that it can only run against a Java project with a pom.xml?

[shawn-hurley]

Hello,

I do not think there is a built-in provider for .NET in Kantra yet, and I don't think that we have done any work to make this CLI work with more than the built-in Provider's.

If you want to test out a .NET provider, you can use https://github.com/konveyor/analyzer-lsp with that provider to do this.

If you want some help, we can chat on Slack.

As it stands, by adding the ability to use more than the built-in providers for Kantra, we would need to add an RFE and design how we want to do this. This is work that has been planned, IIRC, so it's probably going to be upcoming.

Sorry if this is not helpful right now, but I hope it gives some context.

@pranavgaikwad @eemcmullan Please correct me if I said something incorrect.

[markuszm]

Thank you for the insight.
If I understand it right, I could create language-independent rules using the builtin-provider (https://github.com/konveyor/analyzer-lsp/blob/main/docs/providers.md#builtin-provider), e.g. rules on an XML file or a JSON file (see provider conditions: https://github.com/konveyor/analyzer-lsp/blob/main/docs/rules.md#provider-condition). So regardless of the existence of a .NET provider or any other language provider, I should be able to run rules written for the builtin-provider on any repository. If this assumption is wrong, please correct me.

Regardless, thanks to this pull request konveyor/analyzer-lsp#456, the above fatal error is gone and Kantra prints this:

ERRO[0317] container run error                           error="exit status 1"
ERRO[0317] failed to run analysis                        error=
Error:

The dependency.log is the following:

time="2024-01-09T13:25:46Z" level=info msg="unable to get dependencies, using fallback" error="{\"Stderr\":null}" provider=java
time="2024-01-09T13:25:48Z" level=error msg="Analyzing POM" error="open /opt/input/source/pom.xml: no such file or directory" provider=java
time="2024-01-09T13:25:48Z" level=error msg="failed to get list of dependencies for provider" error="open /opt/input/source/pom.xml: no such file or directory" provider=java
time="2024-01-09T13:25:48Z" level=info msg="provider does not have dependency capability" provider=builtin
time="2024-01-09T13:25:48Z" level=info msg="failed to get dependencies from all given providers"

So without a pom.xml, the java provider fails.
The output.yaml with analysis results is still generated but the HTML with analysis results is not created.
I can live with this result for now, as I see the custom rules are matched and results are found for the .NET app.

But it still would be nice to not fail when the Java provider does not find a pom.xml.

[shawn-hurley]

Because we do not have an option, to tell Kantra to not run the dependency analysis (because we have built this specifically to mimic functionality in another CLI) I don't think this is going to be possible as of right now. @pranavgaikwad @eemcmullan am I missing an option?

I assume that this is something that we will want to take on quickly though if you can join a Thursday community call to give us the full background and make sure that the priority is known?

[markuszm]

Sounds good to discuss this further in a community call.
As I am a bit out-of-the-loop after the holidays, when is the next one?

[shawn-hurley]

Community Meetings are every two weeks on Thursday at 9am EST. The next one is this Thursday 1/11 at 9am EST. Hope we can see you there.

I will bring this up if you can not attend and you can watch the recording if that time doesn't work for you 😄

[eemcmullan]

@shawn-hurley Yes you're correct - we still need to add support for other providers outside of Java.

[eemcmullan]

Closing for #142