Configure SonarCloud for an Angular project using maven and bitbucket pipeline

I might be missing something obvious, but I can’t seem to get scan results for javascript to appear in SonarCloud. The repository is 95% an angular app with 5% java code. The java code scan is appearing in SonarCloud, but really I only need to scan the javascript in the angular application.

So clearly we are connected to SonarCloud, but nothing appears for the javascript.

I added <sonar.language>js</sonar.language> to the pom.xml file, which has had the effect that no scan information at all appears in SonarCloud, presumably because this property cancels scanning any language other than javascript, and the javascript scan isn’t configured correctly.

I just want to scan the angular project and report results in SonarCloud. Either by scanning the dist/portal directory where the angular project is built, or by scanning the underlying Typescript files in src/app.

It’s fine if the java code is also scanned.

Thanks for any help or pointers you can provide.

  • ALM used: Bitbucket with Maven
  • Languages of the repository: java, javascript (only need to scan the javascript)
  • Error observed: No scan results for javascript appearing in SonarCloud

The directory structure of the repository is:

    - src
        - app
        - [rest of angular code]
    - e2e
        - [testing files]
    - deploy
        - pom.xml
        - [java code for the deploy]
    - pipelines.yml

This is the pipeline.yml, and the step that uses maven to run sonarcloud:

          caches:
            sonar: ~/.sonar/cache
          steps:  
            - step: &buildArtifacts
                name: Build and test
                image:
                  name: 604999277007.dkr.ecr.us-west-2.amazonaws.com/sky_falcon_build:1.0.1
                  aws:
                    access-key: $AWS_ACCESS_KEY
                    secret-key: $AWS_SECRET_KEY
                caches:
                - maven
                - sonar
                script:
                - source prepare_environment.sh
                - mvn -e clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
                - source ../archive.sh ${RELEASE_TAG}
                - source ../make_rpm.sh ${RELEASE_TAG}
                - cd -
                - mkdir artifact
                - cp /root/rpmbuild/driver-portal-build/*.tar.gz ./artifact
                - cp /root/rpmbuild/driver-portal-build/*.rpm ./artifact
                artifacts:
                - artifact/**

And these are the properties inside the pom.xml in the deploy/ directory:

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <java.version>1.8</java.version>
        <sonar.language>js</sonar.language>
        <sonar.sources>${project.basedir}/../dist/portal</sonar.sources>
    </properties>

When using mvn to scan a project, I think only the code that Maven is aware of will be scanned. Is your Maven project aware of the JavaScript code in it? Does Maven consider that code as sources? I’m asking because I just don’t know, I’ve only ever used Maven for Java projects.

If you don’t care about the Java code, then using the scanner for CLI looks more appropriate for you. Even more specifically, using our scan pipe should make this easier on Bitbucket Cloud. I suggest giving that a try!

Great, thanks for the response Janos.

I don’t know how to tell Maven that the javascript code is source, so I’ll have to look into that.

I did include the <sonar.sources> attribute as listed above, but no idea if that’s sufficient.

I’ll give the scan pipe a shot and see if I can get a scan of the Angular app working that way.

That property means nothing to Maven! In any case, as I wrote, using the pipe looks like a much better option for your use case.

Got it.

Yes, I’m going with the pipe solution. Running into some memory size issues.

Container 'docker' exceeded memory limit.

error waiting for container: unexpected EOF"

So I’m reading up on how to tweak these default memory allotments…

https://confluence.atlassian.com/bitbucket/run-docker-commands-in-bitbucket-pipelines-879254331.html#RunDockercommandsinBitbucketPipelines-Dockermemorylimits


Ok, well, I have the full thing running, no errors, in the pipeline output it says the analysis was SUCCESSFUL, and 345 files were analyzed, including 149 Typescript files.

But no results at all in SonarCloud. Everything passing with 0 issues and no bugs. I know this project has a lot of issues. What configuration am I still missing?

This is the pipelines file step and definition:

    definitions:
      services:
        docker:
          memory: 2048
      caches:
        sonar: ~/.sonar/cache
      steps:
        - step: &buildTestSonarCloud
            name: Build, test and analyze on SonarCloud
            caches:
              - node
              - sonar
            script:
              - npm update && npm install
              # - npm run test -- --code-coverage --no-watch --no-progress --browsers=ChromeHeadlessNoSandbox
              - pipe: sonarsource/sonarcloud-scan:0.1.5
                variables:
                  SONAR_TOKEN: ${SONAR_TOKEN}
                  EXTRA_ARGS: '-Dsonar.sources=src/app' #  '-Dsonar.sources=src -Dsonar.tests=src -Dsonar.test.inclusions="**/testing/**,**/*.spec.ts"' # -Dsonar.typescript.lcov.reportPaths=coverage/lcov.info'
                  SONAR_SCANNER_OPTS: -Xmx512m
                  DEBUG: "false"

And here’s the pipeline output:

INFO: Working dir: /opt/atlassian/pipelines/agent/build/.scannerwork
INFO: Load project settings for component key: 'XXXXXXXXXXXX'
INFO: Load project settings for component key: 'XXXXXXXXXXXX-portal' (done) | time=177ms
INFO: Found an active CI vendor: 'Bitbucket Pipelines'
INFO: Load project branches
INFO: Load project branches (done) | time=102ms
INFO: Check ALM binding of project 'XXXXXXXXX-portal'
INFO: Detected project binding: BOUND
INFO: Check ALM binding of project 'XXXXXXXXXX-portal' (done) | time=92ms
INFO: Load project pull requests
INFO: Load project pull requests (done) | time=109ms
INFO: Load branch configuration
INFO: Detected analysis for branch 'feature/sonarcloud-scan'
INFO: Auto-configuring branch feature/sonarcloud-scan
INFO: Load branch configuration (done) | time=2ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=137ms
INFO: Load active rules
INFO: Load active rules (done) | time=2935ms
INFO: Organization key: XXXXXXXX
INFO: Branch name: feature/sonarcloud-scan, type: short living
INFO: SCM collecting changed files in the branch
INFO: SCM collecting changed files in the branch (done) | time=271ms
INFO: Indexing files...
INFO: Project configuration:
INFO: 345 files indexed
INFO: 0 files ignored because of scm ignore settings
INFO: Quality profile for css: Sonar way
INFO: Quality profile for ts: Sonar way
INFO: Quality profile for web: Sonar way
INFO: ------------- Run sensors on module XXXXXXXXXX-portal
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=104ms
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by net.sf.cglib.core.ReflectUtils$1 (file:/root/.sonar/cache/a89f1943fc75b65becd9fb4ecab8d913/sonar-tsql-plugin.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of net.sf.cglib.core.ReflectUtils$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
INFO: Sensor SonarCSS Metrics [cssfamily]
INFO: Sensor SonarCSS Metrics [cssfamily] (done) | time=582ms
INFO: Sensor SonarCSS Rules [cssfamily]
INFO: 196 source files to be analyzed
INFO: 196/196 source files have been analyzed
INFO: Sensor SonarCSS Rules [cssfamily] (done) | time=3297ms
INFO: Sensor JavaXmlSensor [java]
INFO: Sensor JavaXmlSensor [java] (done) | time=5ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=977ms
INFO: Sensor SonarTS [typescript]
INFO: Since SonarTS v2.0, TypeScript analysis is performed by SonarJS analyzer v6.0 or later. No TypeScript analysis is performed by SonarTS.
INFO: Sensor SonarTS [typescript] (done) | time=0ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: 'sonar.coverage.jacoco.xmlReportPaths' is not defined. Using default locations: target/site/jacoco/jacoco.xml,target/site/jacoco-it/jacoco.xml,build/reports/jacoco/test/jacocoTestReport.xml
INFO: No report imported, no coverage information will be imported by JaCoCo XML Report Importer
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=12ms
INFO: Sensor TypeScript analysis [javascript]
INFO: TypeScript dependency was not found inside project directory, Node.js will search TypeScript using module resolution algorithm; analysis will fail without TypeScript.
INFO: Found 1 tsconfig.json file(s): [/opt/atlassian/pipelines/agent/build/tsconfig.json]
INFO: 149 source files to be analyzed
INFO: Analyzing 149 files using tsconfig: /opt/atlassian/pipelines/agent/build/tsconfig.json
INFO: 146/149 files analyzed, current file: src/app/account/sign-up/cancel-signup/cancel-signup.component.ts
INFO: 149/149 source files have been analyzed
INFO: Sensor TypeScript analysis [javascript] (done) | time=12422ms
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend]
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend] (done) | time=5ms
INFO: Sensor JavaSecuritySensor [security]
INFO: Reading type hierarchy from: /opt/atlassian/pipelines/agent/build/.scannerwork/ucfg2/java
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /opt/atlassian/pipelines/agent/build/.scannerwork/ucfg2/java
INFO: No UCFGs have been included for analysis.
INFO: Sensor JavaSecuritySensor [security] (done) | time=11ms
INFO: Sensor CSharpSecuritySensor [security]
INFO: Reading type hierarchy from: /opt/atlassian/pipelines/agent/build/ucfg_cs2
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /opt/atlassian/pipelines/agent/build/ucfg_cs2
INFO: No UCFGs have been included for analysis.
INFO: Sensor CSharpSecuritySensor [security] (done) | time=0ms
INFO: Sensor PhpSecuritySensor [security]
INFO: Reading type hierarchy from: /opt/atlassian/pipelines/agent/build/.scannerwork/ucfg2/php
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /opt/atlassian/pipelines/agent/build/.scannerwork/ucfg2/php
INFO: No UCFGs have been included for analysis.
INFO: Sensor PhpSecuritySensor [security] (done) | time=1ms
INFO: Sensor PythonSecuritySensor [security]
INFO: Reading type hierarchy from: /opt/atlassian/pipelines/agent/build/.scannerwork/ucfg2/python
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /opt/atlassian/pipelines/agent/build/.scannerwork/ucfg2/python
INFO: No UCFGs have been included for analysis.
INFO: Sensor PythonSecuritySensor [security] (done) | time=0ms
INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=49ms
INFO: CPD Executor 17 files had no CPD blocks
INFO: CPD Executor Calculating CPD for 231 files
INFO: CPD Executor CPD calculation finished (done) | time=206ms
INFO: SCM writing changed lines
INFO: SCM writing changed lines (done) | time=7ms
INFO: Analysis report generated in 112ms, dir size=448 KB
INFO: Analysis report compressed in 284ms, zip size=295 KB
INFO: Analysis report uploaded in 553ms
INFO: ANALYSIS SUCCESSFUL, you can find the results at: https://sonarcloud.io/dashboard?id=X-portal&branch=feature%2Fsonarcloud-scan&resolved=false
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at https://sonarcloud.io/api/ce/task?id=AXJYdLqkBQTiFZBXWeMx
INFO: Analysis total time: 28.010 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 56.030s
INFO: Final Memory: 29M/104M
INFO: ------------------------------------------------------------------------
✔ SonarCloud analysis was successful.

And then I still see this in SonarCloud (even though I know these .ts files have tons of issues):

The screenshot is not visible. Can you edit your post to fix it? It might be helpful.

I can see that the analysis is for branch feature/sonarcloud-scan. Note that a branch analysis will show only the issues in the changed code compared to the target branch. If you go to this branch on SonarCloud, and go to the Code tab, do you see changed .ts files there? And then, the lines that were changed in the branch will be highlighted with yellow background. Only the issues in the highlighted area would show up in the list of issues for the branch.
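
The point above, as an added example that is not part of the original posts or of SonarSource tooling: a Python check run over the scanner output that flags a short-lived branch analysis and confirms the TypeScript sensor actually analyzed files, so an "ANALYSIS SUCCESSFUL" with zero issues is not mistaken for a clean code base. The names `summarize_scan` and `required_sensor` are assumptions; the sample log is a trimmed excerpt of the output posted in this thread.

```python
import re

# Trimmed excerpt of the scanner output posted in this thread.
SAMPLE_LOG = """\
INFO: Branch name: feature/sonarcloud-scan, type: short living
INFO: Sensor SonarCSS Rules [cssfamily]
INFO: 196 source files to be analyzed
INFO: 196/196 source files have been analyzed
INFO: Sensor SonarCSS Rules [cssfamily] (done) | time=3297ms
INFO: Sensor TypeScript analysis [javascript]
INFO: 149 source files to be analyzed
INFO: 149/149 source files have been analyzed
INFO: Sensor TypeScript analysis [javascript] (done) | time=12422ms
INFO: ANALYSIS SUCCESSFUL
"""

BRANCH_RE = re.compile(r"^INFO: Branch name: (?P<name>.+), type: (?P<type>.+)$")
SENSOR_RE = re.compile(r"^INFO: Sensor (?P<sensor>.+?) \[(?P<plugin>[^\]]+)\]$")
DONE_RE = re.compile(r"^INFO: (?P<done>\d+)/(?P<total>\d+) source files have been analyzed$")


def summarize_scan(log_text, required_sensor="TypeScript analysis"):
    """Return branch info, per-sensor file counts, and coverage warnings."""
    summary = {"branch": None, "branch_type": None, "analyzed": {},
               "successful": False, "warnings": []}
    current = None  # sensor whose start line was seen most recently
    for line in log_text.splitlines():
        line = line.strip()
        if m := BRANCH_RE.match(line):
            summary["branch"], summary["branch_type"] = m["name"], m["type"]
        elif m := SENSOR_RE.match(line):
            current = m["sensor"]
        elif (m := DONE_RE.match(line)) and current:
            summary["analyzed"][current] = int(m["done"])
        elif line.startswith("INFO: ANALYSIS SUCCESSFUL"):
            summary["successful"] = True
    if not summary["successful"]:
        summary["warnings"].append("scanner did not report ANALYSIS SUCCESSFUL")
    if summary["analyzed"].get(required_sensor, 0) == 0:
        summary["warnings"].append(f"no files analyzed by sensor '{required_sensor}'")
    if summary["branch_type"] and "short" in summary["branch_type"]:
        summary["warnings"].append(
            "short-lived branch: only issues on lines changed against the target branch are listed")
    return summary


if __name__ == "__main__":
    for warning in summarize_scan(SAMPLE_LOG)["warnings"]:
        print("WARN:", warning)
```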

Oh, that’s a great insight. So maybe it’s just analyzing the changes, and in this case there are no changed Typescript files. But when the code is merged into develop only then will a full scan run and be reported. I’ve looked at each individual branch in sonar-cloud and still not seeing anything.

Ok I’m going to make some Typescript changes and will get back to you.

Reattaching the screenshot here:

Are you able to see that (above)?

Ok, that worked.

I had another issue as well where there was the additional other invocation of SonarCloud scan in the maven pom.xml, and that was overwriting the Typescript/JS scan I’d set up with the pipe.

Removed that additional invocation, merged the pipeline code with the new pipe into the primary branch, and good now.

Last thing is I’ll have to figure out how to get our code coverage / unit testing report to be picked up. But I’m good for now, thank you!
