Some background. We have SonarCloud integrated into Azure DevOps (YAML Pipeline) with our PR builds. Here is a snippet of the SonarPrepare task:
- task: SonarCloudPrepare@1
  inputs:
    SonarCloud: 'redacted'
    organization: 'redacted'
    scannerMode: 'MSBuild'
    projectKey: 'redacted'
    projectName: 'redacted'
    extraProperties: |
      # Additional properties that will be passed to the scanner,
      # Put one key=value per line, example:
      # sonar.exclusions=**/*.bin
      sonar.exclusions=**/Migrations/**, **/*.html
      sonar.coverage.exclusions=**/Program.cs
As you can see, we have a couple of file patterns that we want completely excluded. The problem is that the html exclusions appear to be ignored.
During the SonarCloudAnalyze Tasks I see the following in our logs:
This leads me to believe that the configuration is being picked up correctly. However, further down in the logs we get this:
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=0ms
INFO: Sensor JavaScript inside HTML analysis [javascript]
INFO: 61 source files to be analyzed
##[error]ERROR: Failed to parse file [someredactedpath/html/somefilename.html] at line 610: Missing semicolon. (610:92)
This leads me to believe that the scanner is still scanning these files which we do not want or need scanned.
We have also tried setting the exclusions directly in the project settings in SonarCloud itself and the issue still persists (Administration → General Settings → Analysis Scope → Source File Exclusions).
I’m not sure if we just have something misconfigured or if this is a bug. Any help would be greatly appreciated!
I’ve tried to reproduce your issue without success so far. Can you confirm that your exclusions work in other cases, like for your **/Migrations/** regex?
Can you share additional logs, like the lines below?
I had to take a snippet and just redact some of the keys that debug spits out, but it looks like it’s triggering on the JavaScript inside HTML analysis. I guess my assumption is that this shouldn’t trigger if these files are in the excluded path.
I attached a debug snippet below that I think has the information you are looking for. Please let me know if I can provide anything else.
Could you check that the 563 files that are supposedly ignored by the scanner do indeed correspond to the files your project contains?
On a Unix, you can obtain this by running:
find ${base-dir} -type f -name "build-wrapper-dump.json" | wc -l
2023-03-10T16:56:48.2623307Z ##[section]Starting: SonarCloudAnalyze
2023-03-10T16:56:48.4476905Z ==============================================================================
2023-03-10T16:56:48.4477815Z Task : Run Code Analysis
2023-03-10T16:56:48.4478012Z Description : Run scanner and upload the results to the SonarCloud server.
2023-03-10T16:56:48.4478304Z Version : 1.36.0
2023-03-10T16:56:48.4478486Z Author : sonarsource
2023-03-10T16:56:48.4479354Z Help : Version: 1.36.0. This task is not needed for Maven and Gradle projects since the scanner should be run as part of the build.
[More Information](https://docs.sonarcloud.io/advanced-setup/ci-based-analysis/sonarcloud-extension-for-azure-devops/)
2023-03-10T16:56:48.4480029Z ==============================================================================
2023-03-10T16:56:50.5665065Z [command]D:\a\_tasks\SonarCloudPrepare_14d9cde6-c1da-4d55-aa01-2965cd301255\1.33.0\classic-sonar-scanner-msbuild\SonarScanner.MSBuild.exe end
2023-03-10T16:56:50.6772814Z SonarScanner for MSBuild 5.11
2023-03-10T16:56:50.6775074Z Using the .NET Framework version of the Scanner for MSBuild
Here’s the output for the two that we really care about (Migrations and html) - I’m expecting the other two to not have anything for these projects:
find -path "**/Migrations/**" -type f | wc -l
567
find -path "**/*.html" -type f | wc -l
167
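An added example, not part of the original thread: the `find -path` counts above treat `*` as matching across `/`, so this sketch counts matches using the wildcard meanings SonarCloud documents for path patterns (`**` zero or more directories, `*` within one segment, `?` one character). The translation is an approximation written for this page, not the scanner's own matcher; the function names and the sample tree are constructed.

```python
import os
import re

def sonar_pattern_to_regex(pattern):
    """Translate one path pattern: '**' = zero or more directories,
    '*' = zero or more characters within a segment, '?' = one character."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append(r"(?:[^/]+/)*")      # zero or more whole directories
            i += 3
        elif pattern.startswith("**", i):
            out.append(r".*")               # everything below this point
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^/]*")            # stays inside one path segment
            i += 1
        elif pattern[i] == "?":
            out.append(r"[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def excluded_by(paths, exclusions_value):
    """Map each comma-separated pattern to the relative paths it matches."""
    patterns = [p.strip() for p in exclusions_value.split(",") if p.strip()]
    return {p: [f for f in paths if sonar_pattern_to_regex(p).match(f)]
            for p in patterns}

def list_files(base_dir):
    """Project files as '/'-separated paths relative to base_dir."""
    found = []
    for root, _dirs, names in os.walk(base_dir):
        for name in names:
            rel = os.path.relpath(os.path.join(root, name), base_dir)
            found.append(rel.replace(os.sep, "/"))
    return sorted(found)

# Constructed sample tree; use list_files(".") for a real checkout.
SAMPLE_PATHS = ["src/Data/Migrations/20230101_Init.cs",
                "src/Data/Migrations/Snapshots/ModelSnapshot.cs",
                "src/Web/Program.cs", "tests/Unit/html/page1.html",
                "tests/Unit/html/page1.html.bak", "index.html"]
EXCLUSIONS = "**/Migrations/**, **/*.html"   # value from the task above

if __name__ == "__main__":
    for pattern, hits in excluded_by(SAMPLE_PATHS, EXCLUSIONS).items():
        print(f"{pattern}: {len(hits)} file(s)")
```

Comparing these per-pattern counts with the number of excluded files the scanner reports shows whether a pattern is matching what it was written for.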
As a parallel investigation while my colleague @Ilia_Kebets checks the exclusion issue, is it possible for you to provide us (you can use private messages if needed) with the contents of the file that was failing?
We would like to know if there is any issue with our JS inside HTML parsing.
Hey Victor - I can’t send the full HTML without redacting a bunch of stuff even in a private message (sorry!) but I can send the part that was getting triggered for missing a semi-colon.
I’ll try and summarize the html a bit below. I’ve included the part that triggered it. Funny thing is that this html is just consumed by a unit test (which is why we want to ignore it from coverage in the first place).
<body>
<div>{a bunch more html that is most definitely malformed and missing a bunch of closing divs}</div>
<!-- Visual Studio Browser Link -->
<script type="application/json" id="__browserLink_initializationData">
{"appName":"Chrome","requestId":"47c799b70a244a701e41cdd2e834ad42"}
</script>
<script type="text/javascript" src="http://localhost:1897/6d87de3fe224441b8e8b54c7245d9acc/browserLink" async="async"></script>
<!-- End Browser Link -->
</body>
Hopefully this helps and I’m sorry if it doesn’t. Another thing to note is that we’ve been working on upgrading our pipelines to use dotnet build and dotnet test instead of the older VSBuild/Test Tasks and I’ve noticed that the scanner definitely still appears to be scanning these html files. (see below)
There’s exactly 61 html files in this source folder that we use in unit tests. As a workaround we’ve removed the js from the file that was causing the error to pop up but we really don’t need these files scanned at all.
INFO: Sensor JavaScript inside HTML analysis [javascript]
INFO: 61 source files to be analyzed
INFO: 61/61 source files have been analyzed
INFO: Hit the cache for 0 out of 61
INFO: Miss the cache for 61 out of 61: FILE_CHANGED [61/61]
INFO: Sensor JavaScript inside HTML analysis [javascript] (done) | time=5045ms
Yeah, that helps, thanks for the feedback. Indeed we were aware of an issue with non-js scripts which were also analyzed by the JS plugin. This will be fixed in the next release.
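An added example, not part of the original thread or of SonarSource's code: a triage script that lists inline `<script>` blocks whose `type` is not JavaScript, such as the `application/json` Browser Link block shown earlier, so the affected fixtures can be found before the sensor fails on them. The `JS_TYPES` set, the names and the sample markup are assumptions made for this illustration.

```python
from html.parser import HTMLParser

# Assumption: type values treated as JavaScript; anything else is flagged.
JS_TYPES = {"", "module", "text/javascript", "application/javascript",
            "text/ecmascript", "application/ecmascript"}

class ScriptAudit(HTMLParser):
    """Collects every <script> element with its line, type and inline body."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attr = dict(attrs)
            self._open = {"line": self.getpos()[0],
                          "type": (attr.get("type") or "").strip().lower(),
                          "body": ""}

    def handle_data(self, data):
        if self._open is not None:
            self._open["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None

def non_js_inline_scripts(html_text):
    """Return (line, type) for inline script bodies that are not JavaScript."""
    parser = ScriptAudit()
    parser.feed(html_text)
    parser.close()
    return [(s["line"], s["type"]) for s in parser.scripts
            if s["body"].strip() and s["type"] not in JS_TYPES]

# Constructed fixture modelled on the snippet in the thread.
SAMPLE = """<body>
<div>fixture markup with an unclosed <div>
<script type="application/json" id="__browserLink_initializationData">
{"appName":"Chrome","requestId":"constructed-id"}
</script>
<script type="text/javascript" src="http://localhost/constructed/browserLink" async="async"></script>
<script>var ok = 1;</script>
</body>
"""

if __name__ == "__main__":
    for line, kind in non_js_inline_scripts(SAMPLE):
        print(f"line {line}: inline <script type={kind!r}>")
```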