Error uploading njsscan report through externalIssuesReportPath

Hello.
I tested Sonar and njsscan. I am trying to upload an njsscan report to SonarQube. I use SonarQube 8.7 and sonar-scanner-cli:latest in Docker.

My error:

ERROR: Error during SonarScanner execution
java.lang.IllegalArgumentException: 9 is not a valid line offset for pointer. File routes/search.js has 8 character(s) at line 58
at org.sonar.api.utils.Preconditions.checkArgument(Preconditions.java:43)
at org.sonar.api.batch.fs.internal.DefaultInputFile.checkValid(DefaultInputFile.java:339)
at org.sonar.api.batch.fs.internal.DefaultInputFile.newPointer(DefaultInputFile.java:272)
at org.sonar.scanner.externalissue.ExternalIssueImporter.fillLocation(ExternalIssueImporter.java:132)
at org.sonar.scanner.externalissue.ExternalIssueImporter.importIssue(ExternalIssueImporter.java:81)
at org.sonar.scanner.externalissue.ExternalIssueImporter.execute(ExternalIssueImporter.java:57)
at org.sonar.scanner.externalissue.ExternalIssuesImportSensor.execute(ExternalIssuesImportSensor.java:74)
at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(AbstractSensorWrapper.java:48)
at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:85)
at org.sonar.scanner.sensor.ModuleSensorsExecutor.lambda$execute$1(ModuleSensorsExecutor.java:59)
at org.sonar.scanner.sensor.ModuleSensorsExecutor.withModuleStrategy(ModuleSensorsExecutor.java:77)
at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:59)
at org.sonar.scanner.scan.ModuleScanContainer.doAfterStart(ModuleScanContainer.java:82)
at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:137)
at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:123)
at org.sonar.scanner.scan.ProjectScanContainer.scan(ProjectScanContainer.java:389)
at org.sonar.scanner.scan.ProjectScanContainer.scanRecursively(ProjectScanContainer.java:385)
at org.sonar.scanner.scan.ProjectScanContainer.doAfterStart(ProjectScanContainer.java:354)
at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:137)
at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:123)
at org.sonar.scanner.bootstrap.GlobalContainer.doAfterStart(GlobalContainer.java:144)
at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:137)
at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:123)
at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:72)
at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:66)
at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.base/java.lang.reflect.Method.invoke(Unknown Source)
at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
at com.sun.proxy.$Proxy0.execute(Unknown Source)
at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)
at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)
at org.sonarsource.scanner.cli.Main.execute(Main.java:112)
at org.sonarsource.scanner.cli.Main.execute(Main.java:75)
at org.sonarsource.scanner.cli.Main.main(Main.java:61)

Steps to reproduce:
git clone https://github.com/juice-shop/juice-shop
sudo pip install njsscan
cd juice-shop && njsscan --sonarqube -o JuceShop.json ./
docker run --rm -e SONAR_HOST_URL="https://sonar-host" \
-e SONAR_LOGIN="token_here" \
-v "$(pwd):/usr/src" sonarsource/sonar-scanner-cli -D sonar.projectKey="JuiceShop_test" \
-D sonar.c.file.suffixes=- -D sonar.cpp.file.suffixes=- -D sonar.objc.file.suffixes=- \
-D sonar.externalIssuesReportPaths=JuceShop.json

Before this step, a clean project JuiceShop_test was created.
njsscan gave the report as described here: Generic issue import format

I attached the njsscan report.
JuceShop.json (15.9 KB)

Hey there.

Thanks for the detailed reproduction steps. I get an error at another file, but the same idea.

ERROR: Error during SonarQube Scanner execution
java.lang.IllegalArgumentException: 68 is not a valid line offset for pointer. File lib/insecurity.js has 67 character(s) at line 32

In this case (and the case you describe), the error claims that the line offset (endColumn as reported in the generic issue report) is 1 greater than the actual length of the line (endLine) for the issue.

While you may find when opening a code editor that line 32 of lib/insecurity.js is 68 characters long (or line 8 of routes/search.js is 9 characters long), the issue is that endColumn is expected to be 0-indexed (offset 0 is actually column 1).

  • endColumn - integer, optional. 0-indexed

So I would suggest that you report this to the maintainers of njsscan.

Hi - I raised a ticket with the NodeJSScan maintainers regarding this issue: Error importing sonarqube report into sonar · Issue #68 · ajinabraham/njsscan · GitHub

As a workaround, the jq command below subtracts 1 from the endColumn value and generates an output JSON:

jq '.issues[].primaryLocation.textRange.endColumn -= 1' JuceShop.json


Regards
Muthu
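
An alternative to the blanket subtraction, as an added example that is not part of the original thread or of njsscan or SonarQube: it clamps each endColumn to the real length of the referenced line, which is the condition the scanner's error message checks, and leaves already-valid offsets untouched. The function name, the sample report and the sample source text are constructed for illustration.

```python
import copy

def clamp_end_columns(report, sources):
    """Return (fixed_report, changed). `sources` maps filePath -> file text."""
    fixed, changed = copy.deepcopy(report), 0
    for issue in fixed.get("issues", []):
        locs = [issue.get("primaryLocation", {})] + issue.get("secondaryLocations", [])
        for loc in locs:
            rng, text = loc.get("textRange"), sources.get(loc.get("filePath"))
            if not rng or "endColumn" not in rng or text is None:
                continue
            lines = text.splitlines()  # lengths exclude the line terminator
            end_line = rng.get("endLine", rng["startLine"])
            if not 1 <= end_line <= len(lines):
                continue  # the line number itself is wrong; not fixable here
            limit = len(lines[end_line - 1])
            if rng["endColumn"] <= limit:
                continue  # offset already valid, leave it alone
            rng["endColumn"] = limit
            changed += 1
            # If the clamped range is now empty, drop the (optional) columns
            # so the issue is reported against the whole line instead.
            if end_line == rng["startLine"] and rng.get("startColumn", 0) >= limit:
                rng.pop("startColumn", None)
                rng.pop("endColumn", None)
    return fixed, changed

# Constructed sample data (not taken from the attached JuceShop.json).
SAMPLE_SOURCES = {"routes/search.js": "const a = 1;\n12345678\n\n"}

def _issue(line, start, end):
    return {"engineId": "njsscan", "ruleId": "sample_rule", "severity": "MAJOR",
            "type": "VULNERABILITY",
            "primaryLocation": {"message": "constructed finding",
                                "filePath": "routes/search.js",
                                "textRange": {"startLine": line, "endLine": line,
                                              "startColumn": start, "endColumn": end}}}

SAMPLE_REPORT = {"issues": [_issue(2, 0, 9),   # one past the 8-character line
                            _issue(1, 6, 7),   # already valid
                            _issue(3, 0, 1)]}  # points into an empty line

if __name__ == "__main__":
    fixed, n = clamp_end_columns(SAMPLE_REPORT, SAMPLE_SOURCES)
    print(n, [i["primaryLocation"]["textRange"] for i in fixed["issues"]])
```

For a real report, build `sources` by reading each `filePath` relative to the project root and write the returned report to the file passed in `sonar.externalIssuesReportPaths`.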