Which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)?
- SonarQube on-prem 10.5.1 Developer Edition
- TFS Plugin 4.36.2
- SonarScanner 4.8.1.3023
- Java 17.0.11 Amazon.com Inc. (64-bit)
- OS for scan Windows Server 2022 10.0 amd64
How is SonarQube deployed: zip, Docker, Helm?
Installed on Windows Server manually
What are you trying to achieve?
I want to upload a SARIF report for a C language project with an unsupported compiler, without being forced to use the C family scanner which my codebase cannot support.
My company has a requirement to static analyse C code for a set of 8051 microcontrollers. The build system used is Keil C51. This is an unsupported compiler, and as such I’ve been hacking around trying to do static analysis in traditional tools (PCLint) and simply uploading the issues generated by PCLint into SonarQube.
I have set up a pipeline to generate SARIF reports from PCLint. As buildwrapper is not compatible with Keil C51, I’ve tried to get around the compilation stage that is necessary for analysing C code. I’ve even tried the SonarQube C++ community plugin that accepts PCLint reports directly, but the same problem is present: I can’t get around the SonarScanner compilation stage.
What have you tried so far to achieve this?
I can’t use BuildWrapper as the Keil C51 compiler is unsupported. I have tried using a custom compile_commands.json, but I’ve found that still invokes the compiler itself, so this did not help:
2024-10-28T10:56:28.1696001Z ##[error]java.lang.IllegalStateException: The Compilation Database JSON file was found but 0 C/C++/Objective-C files were analyzed. Please make sure that:
* you are correctly invoking the scanner with correct configuration
* your compiler is supported
* you are providing the path to the correct Compilation Database JSON
* you are building and analyzing the same source checkout, absolute paths must be identical in build and analysis steps
Scanning without BuildWrapper/compile_commands.json simply results in the following error:
The only way to get an accurate analysis of C/C++/Objective-C files is by using the SonarSource build-wrapper and setting the property "sonar.cfamily.build-wrapper-output" or by using Clang Compilation Database and setting the property "sonar.cfamily.compile-commands". None of these two options were specified.
If you don't want to analyze C/C++/Objective-C files, then prevent them from being analyzed by setting the following properties:
sonar.c.file.suffixes=-
sonar.cpp.file.suffixes=-
sonar.objc.file.suffixes=-
Then if I scan with the properties suggested, my scan will upload, but there will be no issues or code for the scan in the SonarQube database:
"The "sarif-test" branch has no lines of code." and "No code files were found for analysis."
Uploading a SARIF report, from the documentation, seemed like it could be an alternative route for the traditional SonarScanner scan where a compiler is unsupported, where the developer provides the Static Analysis results themselves by another analysis tool and SonarQube has the job of storing the results and doing reporting. SARIF functionality almost seems redundant when the developer is expected to do a traditional scan anyway. So, how can I upload C files with an accompanying SARIF report without them being run through the default scanner?
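As an added example (not part of the original post, and not SonarQube's or PC-lint's own code), the following is a small reader for the SARIF 2.1.0 format the post is trying to import. It flattens every result into one record, counts findings per level and per rule, and flags two things worth checking in a report before handing it to any importer: results whose artifact URI is absolute, and results that carry no file location at all, since neither can be matched to a file in the analysis checkout unless the paths line up exactly. Treating relative URIs as the safe form is my assumption here, not something the post establishes. The sample report, tool name, rule ids and paths are all constructed for the example.

```python
import json
import re
from collections import Counter

# Constructed sample SARIF 2.1.0 report for this example. The tool name, rule ids
# and file paths are made up; they are not real PC-lint output or real paths.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "example-lint", "rules": [
            {"id": "E123", "shortDescription": {"text": "Possible null dereference"}},
        ]}},
        "results": [
            {"ruleId": "E123", "level": "error",
             "message": {"text": "Pointer 'p' may be NULL"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/uart.c"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "W456", "level": "warning",
             "message": {"text": "Unused variable 'tmp'"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/timer.c"},
                 "region": {"startLine": 7}}}]},
            # Absolute path: only resolvable if the analysis checkout sits at C:/build
            {"ruleId": "W456", "level": "warning",
             "message": {"text": "Unused variable 'n'"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "C:/build/src/timer.c"},
                 "region": {"startLine": 19}}}]},
            # No location at all: nothing to attach this finding to
            {"ruleId": "I789", "level": "note",
             "message": {"text": "Informational finding without a location"}},
        ],
    }],
})

# Drive letter, leading slash or file: scheme all mean the URI is absolute.
ABSOLUTE_URI = re.compile(r"^(?:[A-Za-z]:[/\\]|/|file:)")


def load_results(sarif_text):
    """Flatten every result in every run into a plain dict per finding."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unexpected SARIF version: {doc.get('version')!r}")
    findings = []
    for run in doc.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "<unknown>")
        for res in run.get("results", []):
            # SARIF allows zero locations; use the first one when present.
            locs = res.get("locations") or [{}]
            phys = locs[0].get("physicalLocation", {})
            findings.append({
                "tool": tool,
                "rule": res.get("ruleId", "<no-rule>"),
                "level": res.get("level", "warning"),  # SARIF default when omitted
                "message": res.get("message", {}).get("text", ""),
                "uri": phys.get("artifactLocation", {}).get("uri"),
                "line": phys.get("region", {}).get("startLine"),
            })
    return findings


def absolute_uris(findings):
    """Artifact URIs that are absolute and so depend on an identical checkout path."""
    return sorted({f["uri"] for f in findings if f["uri"] and ABSOLUTE_URI.match(f["uri"])})


def unlocated(findings):
    """Results carrying no file location; these cannot be attached to any file."""
    return [f for f in findings if not f["uri"]]


def summarize(findings):
    """Counts per severity level and per rule id."""
    return {
        "by_level": dict(Counter(f["level"] for f in findings)),
        "by_rule": dict(Counter(f["rule"] for f in findings)),
    }


if __name__ == "__main__":
    results = load_results(SAMPLE_SARIF)
    print(summarize(results))
    for uri in absolute_uris(results):
        print("absolute path, will not resolve on another checkout:", uri)
    for f in unlocated(results):
        print("no location for rule", f["rule"], "-", f["message"])
```

Run it against a real report by replacing `SAMPLE_SARIF` with the file contents; the two check functions are meant to be run in the pipeline step that produces the report, before the upload step, so a report full of build-machine paths is caught early rather than after a silent import.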