SAXParseException generating Scorecard for SonarQube

[akhvee]

I am running into SAXParseException while trying to generate scorecard using ./createScorecards.sh. find the logs below

Analyzing results from Benchmark_1.2-findsecbugs-v1.4.6-xxx.xml
Actual results file generated: ~/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_FBwFindSecBugs_v1.4.6.csv
Report written to: ~/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_FBwFindSecBugs_v1.4.6.html

Analyzing results from Benchmark_1.2-sonar-v8.4.2.xxxxx-xxx.xml
[Fatal Error] :1:11: The markup in the document following the root element must be well-formed.
Error processing results/Benchmark_1.2-sonar-v8.4.2.xxxxx-xxx.xml. Continuing.
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 11; The markup in the document following the root element must be well-formed.
	at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
	at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
	at org.owasp.benchmark.score.BenchmarkScore.getXMLDocument(BenchmarkScore.java:1471)
	at org.owasp.benchmark.score.BenchmarkScore.readActualResults(BenchmarkScore.java:790)
	at org.owasp.benchmark.score.BenchmarkScore.process(BenchmarkScore.java:428)
	at org.owasp.benchmark.score.BenchmarkScore.main(BenchmarkScore.java:336)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.codehaus.mojo.exec.ExecJavaMojo$1.run(ExecJavaMojo.java:282)
	at java.base/java.lang.Thread.run(Thread.java:834)

The Sonar results file Benchmark_1.2-sonar-v8.4.2.xxxxx-xxx.xml was generated by ./createScorecards.sh with SonarQube (docker 8.4.2-community instance) running locally.

How do i fix this issue.

SinceBenchmark_1.2-sonar-v8.4.2.xxxxx-xxx.xml file is large ~18 MB i haven't attached it here. Let me know if it you like to get hold of it.

[davewichers]

The SonarQube parser is very old so I'm not surprised it doesn't work anymore. I'd love to update it though. Can you share the results file with me? dave dot wichers at owasp dot org is my email. And I'll update the scorecard generator to support the current XML results format.

[akhvee]

Results file attached

Benchmark_1.2-sonar-v8.4.2-x.xml.zip

[davewichers]

@darkspirit510 - Sascha - is this still an issue anymore for the updated version of SonarQube scorecard generator?

[darkspirit510]

@akhvee This XML file does not have a root tag. Even adding one artificially does not fix the file. How did you get/export this one? 🤔
@davewichers the scorecard generator can parse both xml and json (while JSON is self created through scraping SonarQube's API). So this is still an issue for XML files.

[davewichers]

@darkspirit510 - I've had tools generate invalid XML like this before. When this occurs, I've had to insert the required XML elements at the start/end of the file to 'fix' the XML, before sending it to the XML parser. This may need to be done if SonarQube is generating something that is actually invalid. Let's see what @akhvee says about how the XML was actually generated.