juanfer007
(Juan Fernando Gutierrez)
October 10, 2023, 2:16pm
1
Hi community!
Hello.
I have a pipeline that runs a scan on a Dockerfile.
When running the pipeline, the file is found but not parsed.
I have tried addressing the scan directly to the Dockerfile. I have also done this by addressing the scan to the folder containing the file.
I have created a different project with a different Dockerfile and a new pipeline, but the problem persists.
I really appreciate any help you can give me.
The Dockerfile is found but is not analyzed.
This is the SonarCloud analysis log:
12:37:23.119 DEBUG: * VB.NET => "vbnet"
12:37:23.119 DEBUG: * Python => "py"
12:37:23.119 DEBUG: * T-SQL => "tsql"
12:37:23.119 DEBUG: * JavaScript => "js"
12:37:23.119 DEBUG: * TypeScript => "ts"
12:37:23.119 DEBUG: * CSS => "css"
12:37:23.119 DEBUG: * COBOL => "cobol"
12:37:23.119 DEBUG: * PHP => "php"
12:37:23.119 DEBUG: * ABAP => "abap"
12:37:23.119 DEBUG: * YAML => "yaml"
12:37:23.119 DEBUG: * JSON => "json"
12:37:23.120 INFO: Quality profile for xml: Sonar way
12:37:26.546 INFO: Sensor XML Sensor [xml] (done) | time=261ms
12:37:26.546 INFO: Sensor TextAndSecretsSensor [text]
12:37:26.976 INFO: 1 source file to be analyzed
12:37:26.976 INFO: 1/1 source file has been analyzed
12:37:27.001 INFO: Sensor IaC Docker Sensor [iac]
12:37:27.011 INFO: 0 source files to be analyzed
12:37:27.083 INFO: 0/0 source files have been analyzed
12:37:27.084 INFO: Sensor IaC Docker Sensor [iac] (done) | time=83ms
Pipeline configuration (yaml file)
trigger: none
pool:
  vmImage: ubuntu-latest
steps:
- checkout: self
  fetchDepth: 0
- task: SonarCloudPrepare@1
  inputs:
    SonarCloud: '***'
    organization: '***'
    scannerMode: 'CLI'
    configMode: 'manual'
    cliProjectKey: '***'
    cliProjectName: '***'
    cliSources: 'SonarCloud/sonar-docker'
    extraProperties: |
      sonar.verbose=true
- task: SonarCloudAnalyze@1
  displayName: 'Run SonarCloud analysis'
- task: SonarCloudPublish@1
  displayName: 'Publish results on build summary'
SonarCloud Config
sonar.docker.activate=true
sonar.docker.file.patterns=Dockerfile,*.dockerfile
grams
(Guillaume Rams)
October 10, 2023, 5:17pm
3
Scanning a repo with Automatic analysis does not scan Dockerfile
ALM used : GitHub
CI system used: None (Automatic analysis; otherwise : GitHub actions)
Scanner command used when applicable: None
Languages of the repository: PHP, HTML, Docker, YAML
Error observed: None
Steps to reproduce
Turn on automatic analysis
Look at files scanned project>main branch>code: files can be seen but no Dockerfile
No rule triggered on the Dockerfile
Potential workaround
Nope.
commit a .sonarcloud.properties file with:
# Path to sources
sonar.sources=./
sonar.exclusions=tests/**/*,doctrine_migrations/**/*
sonar.tests=tests/
sonar.php.coverage.reportPaths=coverage/coverage.xml
sonar.docker.file.patterns=Dockerfile,**/Dockerfile,**/*.dockerfile,**/Dockerfile.*,**/*.dockerfile.*
Same behavior. No Dockerfile in the list of scanned files.
ganncamp
(G Ann Campbell)
October 11, 2023, 4:47pm
4
Hi,
Welcome to the community!
I suppose that sonar.docker.file.patterns value is what you’ve come to in your attempts to make this work?
You don’t need to specify full paths, and I suspect the fact that you have isn’t helping.
The default value for this is Dockerfile,*.dockerfile. I guess that didn’t work for you? Or perhaps, based on your value, Dockerfile,*.dockerfile, Dockerfile.*.
Ann
grams
(Guillaume Rams)
October 11, 2023, 5:55pm
5
Yes Ann, you are right: those values in .sonarcloud.properties are the result of quite a few run-fail-and-try-something-else attempts…
It all started with automatic analysis with all the default settings ignoring a Dockerfile at the root of the repo. Here, I made a simple test case to reproduce:
Created a public repo with a single Dockerfile file at GitHub - Evaneos/sonarcloud-test-case
In SonarCloud added this project as a new project, Next, Next, Next.
Waited a bit for first analysis.
Result: No analysis. SonarCloud web now reads Automatic analysis not recommended: “No languages detected in your repository”.
Was expecting: at least one issue in this Dockerfile (this one: Docker static code analysis | Security Hotspot: Allowing shell scripts execution during package installation is security-sensitive).
Guillaume
ganncamp
(G Ann Campbell)
October 11, 2023, 6:06pm
6
Hi Guillaume,
Thanks for the confirmation. I kinda figured it was the case, especially since another SonarCloud user reported pretty much the same thing (but with standard file patterns) at the same time.
And since I do think this is the same thing, I’m going to move this into that other thread, which is already flagged for the language specialists.
Ann
ganncamp
(G Ann Campbell)
October 12, 2023, 12:17pm
8
Hi @juanfer007 ,
Are you using autoscan or your own CI?
Thx,
Ann
juanfer007
(Juan Fernando Gutierrez)
October 12, 2023, 2:17pm
10
Hi Ann
We are using autoscan.
My company has a paid plan of SonarCloud and our service connection uses our SonarCloud Token.
Thank you.
Hello @juanfer007 ,
We think we found the underlying issue and are working on a fix that should be ready soon. I’ll update this thread once it is in production.
juanfer007
(Juan Fernando Gutierrez)
October 18, 2023, 3:16pm
12
Hi Martin Bednorz
Do you have any news about this issue?
Thanks so much.
The fix should be released. Could you try again?
juanfer007
(Juan Fernando Gutierrez)
October 19, 2023, 12:39pm
14
Hello Martin Bednorz
Yes. I confirm that’s working.
Thanks so much.
12:33:41.971 DEBUG: 'SonarCloud/sonar-docker-demo/Dockerfile' indexed with language 'docker'
12:33:45.157 DEBUG: 'SonarCloud/sonar-docker-demo/Dockerfile' generated metadata with charset 'UTF-8'
12:33:45.166 INFO: 1 source file to be analyzed
12:33:45.192 INFO: 1/1 source file has been analyzed
12:33:45.192 INFO: Sensor TextAndSecretsSensor [text] (done) | time=506ms
12:33:45.193 INFO: Sensor IaC Docker Sensor [iac]
12:33:45.208 INFO: 1 source file to be analyzed
12:33:45.365 INFO: 1/1 source file has been analyzed
12:33:45.367 INFO: Sensor IaC Docker Sensor [iac] (done) | time=174ms
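The two logs in this thread show the symptom clearly: before the fix the TextAndSecrets sensor sees the Dockerfile but the IaC Docker sensor reports 0 files; after the fix the file is indexed with language 'docker' and the Docker sensor sees 1 file. The following is an added example, not code from the thread or from SonarSource, that parses a verbose scanner log in that format so a pipeline can check whether Docker analysis actually ran; the sample logs are constructed from the lines posted above.

```python
import re

# Log line shapes as they appear in the verbose SonarCloud scanner output above.
INDEXED = re.compile(r"'([^']+)' indexed with language '([^']+)'")
SENSOR_START = re.compile(r"Sensor (.+?) \[\w+\]\s*$")
TO_ANALYZE = re.compile(r"(\d+) source files? to be analyzed")

def parse_scanner_log(log_text: str) -> dict:
    """Return which files were indexed as 'docker' and how many files each sensor saw."""
    report = {"indexed_as_docker": [], "files_per_sensor": {}}
    current_sensor = None
    for line in log_text.splitlines():
        m = INDEXED.search(line)
        if m:
            if m.group(2) == "docker":
                report["indexed_as_docker"].append(m.group(1))
            continue
        if "(done)" in line:           # "Sensor X [y] (done) | time=..." closes a sensor
            current_sensor = None
            continue
        m = SENSOR_START.search(line)  # "Sensor IaC Docker Sensor [iac]" opens one
        if m:
            current_sensor = m.group(1)
            continue
        m = TO_ANALYZE.search(line)    # "N source file(s) to be analyzed" belongs to it
        if m and current_sensor:
            report["files_per_sensor"][current_sensor] = int(m.group(1))
    return report

def docker_analyzed(report: dict) -> bool:
    """True only when the Docker sensor actually picked up at least one file."""
    return report["files_per_sensor"].get("IaC Docker Sensor", 0) > 0

# Constructed samples, trimmed from the two logs posted in this thread.
BROKEN_LOG = """\
12:37:26.546 INFO: Sensor TextAndSecretsSensor [text]
12:37:26.976 INFO: 1 source file to be analyzed
12:37:27.001 INFO: Sensor IaC Docker Sensor [iac]
12:37:27.011 INFO: 0 source files to be analyzed
12:37:27.084 INFO: Sensor IaC Docker Sensor [iac] (done) | time=83ms
"""
FIXED_LOG = """\
12:33:41.971 DEBUG: 'SonarCloud/sonar-docker-demo/Dockerfile' indexed with language 'docker'
12:33:45.192 INFO: Sensor TextAndSecretsSensor [text] (done) | time=506ms
12:33:45.193 INFO: Sensor IaC Docker Sensor [iac]
12:33:45.208 INFO: 1 source file to be analyzed
12:33:45.367 INFO: Sensor IaC Docker Sensor [iac] (done) | time=174ms
"""
```

Running `docker_analyzed(parse_scanner_log(log))` as a pipeline step fails fast when the Docker sensor silently scans nothing, instead of reporting a green build with no Dockerfile rules applied.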