Best SonarQube scanner for npm Angular projects

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    SonarQube Enterprise Edition v7.9.3 LTS
    Jenkins server v2.176.2

  • what are you trying to achieve
    To know which scanner we should use to analyze npm (Angular) projects.

  • what have you tried so far to achieve this
    Analyzing Angular projects with the sonarqube-scanner npm module
    Analyzing Angular projects with the SonarScanner CLI

The SonarQube documentation recommends using specific scanners for each build system:

  • SonarScanner for Gradle
  • SonarScanner for MSBuild
  • SonarScanner for Maven
  • SonarScanner for Azure DevOps
  • SonarScanner for Jenkins
  • SonarScanner for Ant
  • SonarScanner CLI for other build systems

The sonarqube-scanner npm module allows running SonarQube analysis on npm projects. Basic properties, such as the project name and the project version, are read from the package.json file. However, the rest of the properties must be set in a separate sonar-project.properties file. It turns out that when a sonar-project.properties file is found, the npm scanner behaves the same as the SonarScanner CLI.

Which scanner do you recommend for analyzing npm/ng (Angular) projects?

Thanks!

Hi @bgelabert ,

The best scanner to use for your pure Angular project is the SonarScanner CLI if you are scanning the project without Jenkins or outside of Jenkins.

Otherwise, if you require Jenkins CI tool, then you should use the plugin available in Jenkins as described in SonarScanner for Jenkins | SonarQube Docs. The SonarScanner for Jenkins essentially uses the SonarScanner CLI also.

If you need to do something programmatic in your project with the SonarScanner, then using the sonarqube-scanner npm module will make more sense, but you don’t have to use that one.

By the way, you should update your SonarQube to the latest version or at least 8.9 LTS. Many vulnerability fixes and feature improvements have been made.

Joe

Hi @Joe,

We are indeed analyzing our projects in Jenkins with the SonarScanner for Jenkins plugin.
And the upgrade to 8.9 LTS is on its way 🙂

Thanks so much for your quick response.

Bàrbara