Bug: sonar-scanner-npm CLI argument splitting problem when value contains =

I want to analyze GC logs. I’m using the sonarqube-scanner via NPM (4.2.1) and passing sonar.scanner.javaOpts. An example value is sonar.scanner.javaOpts=-XX:+PrintFlagsFinal -Xlog:gc*:file=gc.log.

Unfortunately, sonar-scanner-npm splits up the CLI arguments incorrectly and has trouble when there is an additional = in the value. In debug mode (-X) the bootstrapper tells me the passed values and the one for the Java options ends up as 'sonar.scanner.javaOpts': '-XX:+PrintFlagsFinal -Xlog:gc*:file'.

The problem seems to be in sonar-scanner-npm/src/properties.ts at master · SonarSource/sonar-scanner-npm · GitHub within getCommandLineProperties. Instead of doing

// Parse CLI args (eg: -Dsonar.token=xxx)
for (const arg of define) {
  const [key, value] = arg.split('=');
  properties[key] = value;
}

which splits the argument value further if there is a =, we could do

// Parse CLI args (eg: -Dsonar.token=xxx)
for (const arg of define) {
  const [key, ...rest] = arg.split('=');
  const value = rest.join('=');
  properties[key] = value;
}

which re-joins the value on =.

I have tried it locally and in that case the correct value ends up being passed to the scanner:
'sonar.scanner.javaOpts': '-XX:+PrintFlagsFinal -Xlog:gc*:file=gc.log'
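The truncation described in the post above, reproduced side by side with a parser that splits on the first = only. This is an added example, not part of the original thread or of the sonar-scanner-npm code base. The function names, the sample arguments other than the javaOpts value, and the treatment of a bare key as 'true' are assumptions made for illustration.

```typescript
// Added example: function names and most sample arguments are constructed.
type Props = Record<string, string | undefined>;

// Behaviour quoted in the post: split('=') keeps only the text between
// the first and second '=', so the rest of the value is silently dropped.
function parseDefinesNaive(defines: string[]): Props {
  const props: Props = {};
  for (const arg of defines) {
    const parts = arg.split('=');
    props[parts[0] as string] = parts[1];
  }
  return props;
}

// Split on the first '=' only; everything after it is the value, verbatim.
function parseDefinesFirstEquals(defines: string[]): Props {
  const props: Props = {};
  for (const arg of defines) {
    const idx = arg.indexOf('=');
    if (idx === 0) throw new Error(`Missing property name in "${arg}"`);
    if (idx === -1) {
      props[arg] = 'true'; // assumption: a bare key is a boolean flag
      continue;
    }
    props[arg.slice(0, idx)] = arg.slice(idx + 1);
  }
  return props;
}

// Keys whose value the naive parser cut short.
function truncatedKeys(defines: string[]): string[] {
  const naive = parseDefinesNaive(defines);
  const fixed = parseDefinesFirstEquals(defines);
  return Object.keys(fixed).filter(
    (k) => naive[k] !== undefined && naive[k] !== fixed[k],
  );
}

const sampleDefines: string[] = [
  'sonar.scanner.javaOpts=-XX:+PrintFlagsFinal -Xlog:gc*:file=gc.log', // value from the post
  'sonar.token=c29tZS10b2tlbg==', // constructed value ending in '=' padding
  'sonar.projectKey=demo',        // constructed, no extra '='
  'sonar.verbose',                // constructed, no '=' at all
];

console.log(truncatedKeys(sampleDefines));
```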

Hey there.

Does the issue persist with the latest version, v4.2.5?

Hi Colin, I have not tried it, but the code I referenced is on master in sonar-scanner-npm, so it would not be fixed in 4.2.5. It was last touched in SCANNPM-2 Sanitize input passed to child processes (#135) · SonarSource/sonar-scanner-npm@ddf9d75 · GitHub in May for the 4.0 release. Since the ticket talked about sanitizing input passed to child processes, my proposed solution might not cover this sufficiently.

Using sonar.scanner.javaOpts might not be the right thing for my use case (analysing GC logs).

I found out that in my case sonar-engine is used and it does not seem to be possible in sonar-scanner-npm to pass JVM arguments to it. There is scanner-engine.ts, which suggests that you can set something within scanOptions.jvmOptions, but at least since the already mentioned commit (see above) commander is used for processing CLI arguments to sonar-scanner-npm, and that only allows -v, -X and -D, and anything from the CLI never makes it into scanOptions anyway.

This might be in need of a clean-up.

Hello @efmigl,

Indeed, it looks like any property that contains an equal sign in its value will be truncated when passed through CLI options.

A workaround would be to use the programmatic API, where you can call the method and pass the jvmOptions object which will be used.

I’ve created SCANNPM-57 that you can use to track when we fix this issue.

Hope this helps

Thanks, would you consider supporting JVM options on the CLI? Because the referenced issue does not mention it.