Helm chart not parsed

SonarQube Cloud
1

Hi,

We would like SonarCloud to analyze both code and helm chart although despite many tries our helm chart is not detected.
From the root of the repo we have one folder for source code and one for helm chart which contain a template folder with atleast 1 deployment object.

Kubernetes language is activated (we also tried by expliciting sonar.kubernetes.activate)
We use BitbucketCloud and version 3.11.0.3922 of sonar-maven-plugin
We did add -Dsonar.maven.scanAll=true to mvn verify:

mvn verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.maven.scanAll=true -Dsonar.host.url=XXX -Dsonar.login=XXX -Dsonar.organization=XXX -Dsonar.qualitygate.wait=true

If during CI we list files before mvn verify we can see properly helm chart folder.

Logs:
[INFO] --- sonar:3.11.0.3922:sonar (default-cli) @ XXX-service ---
[INFO] 07:28:35.394 Java 21.0.2 Eclipse Adoptium (64-bit)
[INFO] 07:28:35.394 Linux 5.10.197-186.748.amzn2.x86_64 (amd64)
[INFO] 07:28:35.395 Bitbucket Cloud Pipelines detected, no host variable set. Defaulting to sonarcloud.io.
[INFO] 07:28:35.437 User cache: /root/.sonar/cache
[INFO] 07:28:36.831 Communicating with SonarCloud
[INFO] 07:28:36.848 Parameter sonar.maven.scanAll is enabled. The scanner will attempt to collect additional sources.
…
[INFO] 07:28:43.376 Preprocessing files...
[INFO] 07:28:43.701 2 languages detected in 114 preprocessed files
[INFO] 07:28:43.701 0 files ignored because of inclusion/exclusion patterns
[INFO] 07:28:43.702 0 files ignored because of scm ignore settings

2 languages detected being java and xml (pom.xml).

Any idea why our helm chart is not parsed?

Regards,

Simon

2

Hi Simon,

Welcome to the community!

Can you provide the text of your full analysis log, please?

 
Thx,
Ann

3

Hi Ann,

Please find attached full analysis log:
sonar-analysis-logs.txt (20.8 KB)

Regards,

Simon

4

Hi Simon,

What’s your Helm chart named, and where is it located?

As you stated originally, analysis should be picking up all files

Parameter sonar.maven.scanAll is enabled.

But it’s possible the file is still being overlooked.

 
Thx,
Ann

5

Hi Ann,

We run mvn verify from root of repository.
At root of repo we have a folder helm which contain:

ls helm/
Chart.yaml  templates  values-XXX.yaml  values.yaml

And in templates we have atleast 1 deployment object

Regards,

Simon

7

Hi Simon,

Thanks for that detail.

I’ve flagged this for the team that owns the scanner. I’m wondering if it’s a question of an extra directory at project root instead of individual files.

 
Thx,
Ann

9

Hello @Simon_Lachouffe, welcome to the Sonar Community!

I tried to reproduce your scenario with a manual analysis and the option -Dsonar.maven.scanAll=true is detecting and scanning the .yaml files.

The reproducer I used has the following structure:

β”œβ”€β”€ helm
β”‚   └── charts
β”‚       β”œβ”€β”€ configMap.yaml
β”‚       └── values.yaml
β”œβ”€β”€ pom.xml
└── src
    └── main
        └── java
            └── org
                └── example
                    β”œβ”€β”€ Main.java
                    └── MyClass.java

And the analysis logs show that the .yaml files are detected and analyzed:

[INFO] 10:53:56.287 3 languages detected in 6 preprocessed files
[INFO] 10:53:56.287 0 files ignored because of inclusion/exclusion patterns
...

[INFO] 10:53:56.786 6 files indexed
[INFO] 10:53:56.789 Quality profile for java: Sonar way
[INFO] 10:53:56.789 Quality profile for xml: Sonar way
[INFO] 10:53:56.789 Quality profile for yaml: Sonar way
...

[INFO] 10:57:24.571 Sensor IaC Kubernetes Sensor [iac]
[INFO] 10:57:24.603 1 source file to be analyzed
[INFO] 10:57:24.617 1/1 source file has been analyzed
[INFO] 10:57:24.617 Sensor IaC Kubernetes Sensor [iac] (done) | time=46ms

From the logs you provided I can’t spot anything unusual. Can you confirm that:

  • No inclusion and exclusion patterns are configured
  • The .yaml files you’re expecting are part of the PR being analyzed

Ultimately, in case you’re still experiencing the issue, would you be able to send the a small reproducer?

Cheers,
Angelo

10

Hi Angelo,

Our helm chart structure differs from what you described. We have:

β”œβ”€β”€ helm
β”‚   β”œβ”€β”€ values-${ENV}.yaml
β”‚   └── templates
β”‚       β”œβ”€β”€ XXX.yaml
β”‚       └── deployment.yaml
β”œβ”€β”€ pom.xml
└── src
    └── main
        └── java
            └── org
                └── example
                    β”œβ”€β”€ Main.java
                    └── XXX.java

I guess exact structure do not matter for your parser as it’s probably checking all .yaml for k8s manifests from root folder.
If we do ls just before mvn verify in our CI we properly see content of helm chart including a deployment object which has all k8s manifest minimum specs.

On cloud we have some settings in code coverage / duplication exclusion but nothing in files analysis. On mvn parameters we do not specify anything related to inclusion / exclusion.
We did put scanAll in both PR and on main branch, still no analysis result.

What we see exactly in logs:

[INFO] 06:21:55.088 Project configuration:
[INFO] 06:21:55.089   Excluded sources: **/build-wrapper-dump.json
[INFO] 06:21:55.090   Excluded sources for coverage: **/model/*, **/domain/*, **/*Controller.java, **/*Exception.java, **/exception/*, **/repository/*, **/items/*, **/*Properties.java, **/types/*, **/spec/*
[INFO] 06:21:55.090   Excluded sources for duplication: **/model/*, **/domain/*, **/items/*
[INFO] 06:21:55.131 114 files indexed
[INFO] 06:21:55.138 Quality profile for java: XXX Way
[INFO] 06:21:55.138 Quality profile for xml: Sonar way

So need to understand why we don’t have your:

[INFO] 10:53:56.789 Quality profile for yaml: Sonar way

Despite having on cloud settings quality profile Kubernetes: Sonar Way / language sonar.kubernetes.activate

Regards,

Simon

11

Hi @Simon_Lachouffe,

I can’t help you with the information available since I cannot reproduce the issue. I can provide you with the following information:

  • The sonar.maven.scanAll=true will scan all files, except when the -Dsonar.sources property is set. In this case you will see in the analysis log the following message:

    Parameter sonar.maven.scanAll is enabled but the scanner will not collect additional sources because sonar.sources has been overridden

  • Files are filtered after the scan phase, so setting sonar.exclusions to a specific pattern will remove those files from the list of analyzed files.

To identify the problem, I suggest you run the analysis without setting any non-mandatory property and having the sonar.maven.scanAll=true. See if the desired files are analyzed, and try to incrementally add the other properties to identify which one is conflicting and causing the issue.

It would be appreciated if you could report any useful findings to us.

Cheers,
Angelo

1 Like