When running an analysis I’m getting 0 Code Smells, bugs, Vulnerabilities, and Security Hotspots.
It used to work (showed numbers other than 0) when using the Azure DevOps SonarCloud steps but those only worked when I was able to build the code in Azure DevOps. The build environment was updated and with it the version of npm/Node got updated and couldn’t build our code anymore so I moved the build process to Docker.
I was able to run the code analysis in Docker by copying the resulting build (including source files) to a sonarsource/sonar-scanner-cli:4.6 container but that showed all ‘0’ on results. After that didn’t work I tried copying the source code, ‘compiled’ code, and test-results files into the Azure DevOps pipeline workspace and ran the same SonarCloud steps but still get '0’s.
I looked at the analysis logs and it shows “indexed with language ‘js’” and results in “774 files indexed”. I pulled the sonar results directory from the manual run in Docker and saw .pb files and other files so the analysis looks like it’s going through but not being recognized after it’s being uploaded.
Again I’ve tried both the manual method in Docker (versioned to 4.6) and the SonarCloud tasks in Azure DevOps which were working before I moved the build to happen in Docker.
Also I just noticed the warning sign. It’s “SCM provider autodetection failed. Please use “sonar.scm.provider” to define SCM of your project, or disable the SCM Sensor in the project settings.” Would that affect the results? I’ll try to resolve this anyway but wonder if I can fix this since we are using git as SCM but then copying the code into Docker to build. It should contain the .git directory though so maybe I’m just overthinking this.
I wouldn’t worry too much about the SCM data if your Overall Code on your main branch is showing 0 Lines of Code. But this will have to be addressed for your Pull Request analysis to work correctly. Let’s focus on the develop branch for now.
I would recommend turning on DEBUG level logs (append -X to the sonar-scanner command or add sonar.verbose=true as an analysis parameter) and looking in two different places:
Right after files have been indexed (before the total count is given), are there any messages about files being excluded by org.sonar.plugins.javascript.JavaScriptExclusionsFileFilter?
13:15:11.141 DEBUG: File node_modules/Test.js was excluded by sonar.javascript.exclusions or sonar.typescript.exclusions
13:15:11.141 DEBUG: 'node_modules/Test.js' excluded by org.sonar.plugins.javascript.JavaScriptExclusionsFileFilter
Sometimes files get excluded if they end up in a certain directory, such as a directory named /dist/
Under Sensor JavaScript analysis [javascript], how many source files does it say it will analyze?
13:15:13.404 INFO: Sensor JavaScript analysis [javascript]
.....
13:15:20.381 DEBUG: starting eslint-bridge server at port 54270
13:15:20.388 DEBUG: eslint-bridge server is running at port 54270
13:15:20.420 DEBUG: Starting server (done) | time=1960ms
13:15:20.429 DEBUG: Using generated tsconfig.json file /Users/colin/source/test-github-app/.scannerwork/.sonartmp/4431192170030827928.tmp
13:15:20.432 INFO: 1 source file to be analyzed
....
13:15:21.141 INFO: 1/1 source file has been analyzed
