External issues not loading into SonarCloud dashboard

  • ALM used: GitHub
  • CI system used: Circle CI
  • Scanner command used: CircleCI orb
  • Languages of the repository: Golang

I’ve tested golangci-lint and the output looks right, but there are no vulnerabilities in the dashboard, a different result compared to running locally. Do you know what is happening here? Note that the line INFO: Importing /home/circleci/repo/report.xml is there, successfully importing. Look how data about other things such as coverage is unchanged, unlike other branches.

#!/bin/bash -eo pipefail
set -e
VERSION=4.1.0.1829
SONAR_TOKEN=$SONAR_TOKEN
SCANNER_DIRECTORY=/tmp/cache/scanner
export SONAR_USER_HOME=$SCANNER_DIRECTORY/.sonar
OS="linux"
echo $SONAR_USER_HOME

# Download and unpack the scanner CLI only when no cached copy is present.
if [[ ! -x "$SCANNER_DIRECTORY/sonar-scanner-$VERSION-$OS/bin/sonar-scanner" ]]; then
  # -O keeps the remote file name, -L follows redirects
  curl -OL https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-$VERSION-$OS.zip
  unzip -qq -o sonar-scanner-cli-$VERSION-$OS.zip -d $SCANNER_DIRECTORY
fi

# The cached archive may have lost its execute bits; restore them for the scanner and its bundled JRE.
chmod +x $SCANNER_DIRECTORY/sonar-scanner-$VERSION-$OS/bin/sonar-scanner
chmod +x $SCANNER_DIRECTORY/sonar-scanner-$VERSION-$OS/jre/bin/java

# Run the analysis; project settings come from sonar-project.properties in the repo root.
$SCANNER_DIRECTORY/sonar-scanner-$VERSION-$OS/bin/sonar-scanner

/tmp/cache/scanner/.sonar
INFO: Scanner configuration file: /tmp/cache/scanner/sonar-scanner-4.1.0.1829-linux/conf/sonar-scanner.properties
INFO: Project root configuration file: /home/circleci/repo/sonar-project.properties
INFO: SonarQube Scanner 4.1.0.1829
INFO: Java 11.0.3 AdoptOpenJDK (64-bit)
INFO: Linux 4.15.0-1092-aws amd64
INFO: User cache: /tmp/cache/scanner/.sonar/cache
INFO: SonarQube server 8.5.0
INFO: Default locale: "en", source code encoding: "UTF-8"
INFO: Load global settings
INFO: Load global settings (done) | time=569ms
INFO: Server id: 1BD809FA-AWHW8ct9-T_TB3XqouNu
INFO: User cache: /tmp/cache/scanner/.sonar/cache
INFO: Load/download plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=130ms
INFO: Load/download plugins (done) | time=301ms
INFO: Loaded core extensions: developer-scanner
INFO: JavaScript/TypeScript frontend is enabled
INFO: Found an active CI vendor: 'CircleCI'
INFO: Load project settings for component key: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
INFO: Load project settings for component key: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' (done) | time=116ms
INFO: Process project properties
INFO: Execute project builders
INFO: Execute project builders (done) | time=1ms
INFO: Project key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
INFO: Base dir: /home/circleci/repo
INFO: Working dir: /home/circleci/repo/.scannerwork
INFO: Load project branches
INFO: Load project branches (done) | time=105ms
INFO: Check ALM binding of project 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
INFO: Detected project binding: BOUND
INFO: Check ALM binding of project 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' (done) | time=98ms
INFO: Load project pull requests
INFO: Load project pull requests (done) | time=165ms
INFO: Load branch configuration
INFO: Auto-configuring branch golangci-lint-setup
INFO: Load branch configuration (done) | time=2ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=142ms
INFO: Load active rules
INFO: Load active rules (done) | time=3285ms
INFO: Organization key: xxxxxxxxxx
INFO: Branch name: golangci-lint-setup, type: short-lived
INFO: SCM collecting changed files in the branch
INFO: SCM collecting changed files in the branch (done) | time=226ms
INFO: Indexing files...
INFO: Project configuration:
INFO:   Excluded sources: sql/**, e2e/**, cmd/accountsub/**, cmd/api/**, **/mocks/**, **/*_test.go
INFO:   Included tests: **/mocks/**, **/*_test.go
INFO: 84 files indexed
INFO: 175 files ignored because of inclusion/exclusion patterns
INFO: 3 files ignored because of scm ignore settings
INFO: Quality profile for go: Golangci-lint
INFO: Quality profile for plsql: Sonar way
INFO: Quality profile for xml: Sonar way
INFO: ------------- Run sensors on module xxxxxxxxxxxxxxxxxxxxxxxx
INFO: JavaScript/TypeScript frontend is enabled
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=101ms
INFO: Sensor SonarCSS Rules [cssfamily]
INFO: No CSS, PHP, HTML or VueJS files are found in the project. CSS analysis is skipped.
INFO: Sensor SonarCSS Rules [cssfamily] (done) | time=2ms
INFO: Sensor PL/SQL Sensor [plsql]
WARN: The Data Dictionary is not configured for PLSQL analyzer which prevents rule(s) S3641, S3921, S3618, S3651 to raise issues. See https://sonarcloud.io/documentation/analysis/languages/plsql/
INFO: 2 source files to be analyzed
INFO: 2/2 source files have been analyzed
INFO: Sensor PL/SQL Sensor [plsql] (done) | time=169ms
INFO: Sensor C# Properties [csharp]
INFO: Sensor C# Properties [csharp] (done) | time=1ms
INFO: Sensor JavaXmlSensor [java]
INFO: 1 source files to be analyzed
INFO: Sensor JavaXmlSensor [java] (done) | time=140ms
INFO: 1/1 source files have been analyzed
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=3ms
INFO: Sensor XML Sensor [xml]
INFO: 1 source file to be analyzed
INFO: 1/1 source file has been analyzed
INFO: Sensor XML Sensor [xml] (done) | time=82ms
INFO: Sensor VB.NET Properties [vbnet]
INFO: Sensor VB.NET Properties [vbnet] (done) | time=1ms
INFO: Sensor Code Quality and Security for Go [go]
INFO: 33 source files to be analyzed
INFO: Sensor Code Quality and Security for Go [go] (done) | time=928ms
INFO: 33/33 source files have been analyzed
INFO: Sensor Go Cover sensor for Go coverage [go]
INFO: Load coverage report from '/home/circleci/repo/cover.out'
INFO: Sensor Go Cover sensor for Go coverage [go] (done) | time=60ms
INFO: Sensor Import of GolangCI-Lint issues [go]
INFO: Importing /home/circleci/repo/report.xml
INFO: Sensor Import of GolangCI-Lint issues [go] (done) | time=27ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: 'sonar.coverage.jacoco.xmlReportPaths' is not defined. Using default locations: target/site/jacoco/jacoco.xml,target/site/jacoco-it/jacoco.xml,build/reports/jacoco/test/jacocoTestReport.xml
INFO: No report imported, no coverage information will be imported by JaCoCo XML Report Importer
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=3ms
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend]
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend] (done) | time=1ms
INFO: Sensor JavaSecuritySensor [security]
INFO: Reading type hierarchy from: /home/circleci/repo/.scannerwork/ucfg2/java
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /home/circleci/repo/.scannerwork/ucfg2/java
INFO: No UCFGs have been included for analysis.
INFO: Sensor JavaSecuritySensor [security] (done) | time=3ms
INFO: Sensor CSharpSecuritySensor [security]
INFO: Reading type hierarchy from: /home/circleci/repo/ucfg_cs2
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /home/circleci/repo/ucfg_cs2
INFO: No UCFGs have been included for analysis.
INFO: Sensor CSharpSecuritySensor [security] (done) | time=0ms
INFO: Sensor PhpSecuritySensor [security]
INFO: Reading type hierarchy from: /home/circleci/repo/.scannerwork/ucfg2/php
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /home/circleci/repo/.scannerwork/ucfg2/php
INFO: No UCFGs have been included for analysis.
INFO: Sensor PhpSecuritySensor [security] (done) | time=1ms
INFO: Sensor PythonSecuritySensor [security]
INFO: Reading type hierarchy from: /home/circleci/repo/.scannerwork/ucfg2/python
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /home/circleci/repo/.scannerwork/ucfg2/python
INFO: No UCFGs have been included for analysis.
INFO: Sensor PythonSecuritySensor [security] (done) | time=0ms
INFO: Sensor JsSecuritySensor [security]
INFO: Reading type hierarchy from: /home/circleci/repo/.scannerwork/ucfg2/js
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /home/circleci/repo/.scannerwork/ucfg2/js
INFO: No UCFGs have been included for analysis.
INFO: Sensor JsSecuritySensor [security] (done) | time=0ms
INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=6ms
INFO: CPD Executor 1 file had no CPD blocks
INFO: CPD Executor Calculating CPD for 34 files
INFO: CPD Executor CPD calculation finished (done) | time=33ms
INFO: SCM writing changed lines
INFO: SCM writing changed lines (done) | time=5ms
INFO: Analysis report generated in 147ms, dir size=234 KB
INFO: Analysis report compressed in 74ms, zip size=77 KB
INFO: Analysis report uploaded in 321ms
INFO: ANALYSIS SUCCESSFUL, you can find the results at: https://sonarcloud.io/dashboard?id=xxxxxxxxxxxxxxxxx&branch=golangci-lint-setup&resolved=false
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at https://sonarcloud.io/api/ce/task?id=AXfLFDUEeZCnlPUzU9KO
INFO: Analysis total time: 8.648 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 11.008s
INFO: Final Memory: 26M/94M
INFO: ------------------------------------------------------------------------

Hello @GabrielNegreirosLima

If I understand correctly, you created a new branch to add support for golangci-lint. When looking locally at the report, you can see issues, but when analyzing the branch/PR, nothing is reported? Did I get it right?

In fact, the trick is that in a branch/PR, only the issues related to the new code will be displayed. Thinking about it, that’s fair: you are discovering already existing issues; they should not appear on new code.

If you want to make sure everything is working, you could try to add a piece of code with a golangci-lint issue and see if it is reported.
Once merged, the already existing issues will be reported in your project, and new ones will be reported in the new code.

Hope it helps.

Quentin


Hi @Quentin.

Thank you for your reply. Yes, you got it, and I have added a new line with a really close statement that was flagged as a vulnerability with golangci-lint and it looks like it’s been detected by Sonar, but the vulnerability has not. Look at the screenshot below:

[screenshot]

If an issue was raised with that new line, it would appear here, right?

Thankfully,

The line of the issue should match exactly the line of the new code; otherwise, we will not report it in the PR panel. Adding one line after will not do the trick: the code you are adding should contain an issue.

At this point, if it is still not working, it would be great if you could provide us with a reproducer: a code sample with the related golangci-lint report.
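The two replies above describe the same filter from two angles: a branch/PR analysis shows an imported finding only when it sits on a line the branch actually added. The following Go program is an added example, not code from SonarCloud or from this thread; it reproduces that filter locally so you can check, before pushing, which of golangci-lint's findings a PR analysis can be expected to show. It parses a checkstyle-format report (the XML shape golangci-lint emits with `--out-format checkstyle`), reads the added line numbers out of a unified diff, and keeps only the findings on those lines. The report and diff embedded below are constructed samples: a pre-existing finding on line 12 and a finding on newly added line 40 of a hypothetical `cmd/server/main.go`.

```go
package main

import (
	"bufio"
	"encoding/xml"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Checkstyle mirrors the XML layout of a golangci-lint checkstyle report.
type Checkstyle struct {
	XMLName xml.Name `xml:"checkstyle"`
	Files   []struct {
		Name   string `xml:"name,attr"`
		Errors []struct {
			Line     int    `xml:"line,attr"`
			Severity string `xml:"severity,attr"`
			Message  string `xml:"message,attr"`
			Source   string `xml:"source,attr"`
		} `xml:"error"`
	} `xml:"file"`
}

// Issue is one linter finding with its file and line.
type Issue struct {
	File, Source, Message string
	Line                  int
}

// ParseCheckstyle flattens a checkstyle report into a list of issues.
func ParseCheckstyle(report string) ([]Issue, error) {
	var cs Checkstyle
	if err := xml.Unmarshal([]byte(report), &cs); err != nil {
		return nil, err
	}
	var out []Issue
	for _, f := range cs.Files {
		for _, e := range f.Errors {
			out = append(out, Issue{File: f.Name, Line: e.Line, Source: e.Source, Message: e.Message})
		}
	}
	return out, nil
}

// hunkRe captures the starting line of the new-file side of a "@@ -a,b +c,d @@" header.
var hunkRe = regexp.MustCompile(`^@@ -\d+(?:,\d+)? \+(\d+)(?:,(\d+))? @@`)

// AddedLines walks a unified diff and returns, per file, the set of new-file
// line numbers that the diff adds. Context lines advance the counter,
// removed lines do not, and each "+" line is recorded before advancing.
func AddedLines(diff string) map[string]map[int]bool {
	added := map[string]map[int]bool{}
	file, newLine := "", 0
	sc := bufio.NewScanner(strings.NewReader(diff))
	for sc.Scan() {
		l := sc.Text()
		switch {
		case strings.HasPrefix(l, "+++ "): // new-file header; strip git's "b/" prefix
			file = strings.TrimPrefix(strings.TrimPrefix(l, "+++ "), "b/")
		case strings.HasPrefix(l, "@@"):
			if m := hunkRe.FindStringSubmatch(l); m != nil {
				newLine, _ = strconv.Atoi(m[1])
			}
		case strings.HasPrefix(l, "+"):
			if added[file] == nil {
				added[file] = map[int]bool{}
			}
			added[file][newLine] = true
			newLine++
		case strings.HasPrefix(l, "-"), strings.HasPrefix(l, "\\"):
			// removed line or "\ No newline at end of file": no new-file line consumed
		default: // context line
			newLine++
		}
	}
	return added
}

// OnNewCode keeps only the issues located on a line the diff added, which is
// the condition a branch/PR analysis applies before showing a finding.
func OnNewCode(issues []Issue, added map[string]map[int]bool) []Issue {
	var kept []Issue
	for _, is := range issues {
		if added[is.File][is.Line] {
			kept = append(kept, is)
		}
	}
	return kept
}

// SampleReport is a constructed checkstyle report with two findings in one file.
const SampleReport = `<?xml version="1.0" encoding="UTF-8"?>
<checkstyle version="5.0">
  <file name="cmd/server/main.go">
    <error line="12" column="9" severity="error" message="G101: Potential hardcoded credentials" source="gosec"/>
    <error line="40" column="2" severity="warning" message="G104: Errors unhandled" source="gosec"/>
  </file>
</checkstyle>`

// SampleDiff is a constructed diff: the branch adds new lines 40 and 41 and leaves line 12 untouched.
const SampleDiff = `diff --git a/cmd/server/main.go b/cmd/server/main.go
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -37,4 +37,6 @@ func handle(w http.ResponseWriter, r *http.Request) {
 	if r.Method != "POST" {
 		return
 	}
+	data, _ := ioutil.ReadFile(cfgPath)
+	_ = data
 	w.WriteHeader(200)
`

func main() {
	issues, err := ParseCheckstyle(SampleReport)
	if err != nil {
		panic(err)
	}
	kept := OnNewCode(issues, AddedLines(SampleDiff))
	fmt.Printf("%d finding(s) in report, %d on new code\n", len(issues), len(kept))
	for _, is := range kept {
		fmt.Printf("%s:%d %s (%s)\n", is.File, is.Line, is.Message, is.Source)
	}
}
```

With the sample data the line-12 finding is dropped and only the line-40 finding survives, which is exactly the behaviour described in the thread: the report imported fine, but a finding on code the branch did not touch has nowhere to appear in the PR panel. To use it on a real branch, feed it the checkstyle file you pass to the scanner and the output of `git diff <base>...HEAD`.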