How do I force analysis of a project that has both Gradle and node?

trajano · November 8, 2022, 10:34pm

I have a project that has both Node and Gradle.

More fixes · trajano/spring-cloud-demo@a6dab63 (github.com)

The tool detects the gradle and errors out. Is there a way to make it ignore it?

Colin · November 10, 2022, 12:33pm

Hey there.

What’s your end goal?

Analyze the Java Code and Javascript code together
Only analyze the Javascript (Node) code?

If it’s the former, you’ll have to use the Scanner for Gradle – there’s no way around it.

If you’re only trying to analyze the other code… I’d be interested in hearing more about your usecase.

trajano · December 21, 2022, 1:28am

Not sure what you mean by “scanner for gradle”
But I’m simply just trying to do an analysis of code that’s right now a single code base because I am learning to integrate both a java backend and a React Native front end in a single mono repo / gradle multiproject repository.

Colin · December 21, 2022, 3:58pm

Did the documentation I linked help?

trajano · December 22, 2022, 7:57pm

Not really because I have used this for Gradle already before when it was just the server side. The problem was when I introduce a NodeJS project (i.e. the client side) code which is written in a totally different language/platform the tool detects that it is a Gradle project and it is forcing me to run Gradle only.

Here’s where I have it, it’s been there for a while.

github.com

trajano/spring-cloud-demo/blob/rework/build.gradle#L27


      
          gradleEnterprise {
              if (System.getenv("CI") != null) {
                  buildScan {
                      publishAlways()
                      termsOfServiceUrl = "https://gradle.com/terms-of-service"
                      termsOfServiceAgree = "yes"
                  }
              }
          }
          
          
sonarqube {
              properties {
                  property "sonar.projectKey", "trajano_spring-cloud-demo"
                  property "sonar.organization", "trajano"
                  property "sonar.host.url", "https://sonarcloud.io"
              }
          }

It is called via

github.com

trajano/spring-cloud-demo/blob/rework/.github/workflows/publish.yml#L36


      
                  restore-keys: ${{ runner.os }}-sonar
              - name: Cache Gradle packages
                uses: actions/cache@v1
                with:
                  path: ~/.gradle/caches
                  key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
                  restore-keys: ${{ runner.os }}-gradle
          
          
    - name: Setup Gradle
                uses: gradle/gradle-build-action@v2
              - name: Execute Gradle build
                run: ./gradlew build sonarqube --scan --info
                env:
                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
                  SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          
          
build:
          
          
  runs-on: ubuntu-latest
            strategy:
              matrix:

I don’t mind having two different .github/workflow files one for app and one for the server. The closest solution I can think of to resolve this at the moment is to break it into two git repos but that’s something I am holding off for now since I work on the files together.

My current build file is for the app’s sonar is here

github.com

trajano/spring-cloud-demo/blob/rework/.github/workflows/sonarcloud.yml

name: Build
on:
  push:
    branches:
      - rework
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  expo-app:
    name: SonarCloud
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          submodules: recursive
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      - run: yarn install --frozen-lockfile
      - run: yarn workspace run test --coverage --ci
      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master

This file has been truncated. show original

Colin · December 22, 2022, 8:49pm

Hey there.

I think I understand your context a bit better now – thanks! This will be a multi-part explanation.

The SonarScanner for Gradle (which you’re already using) isn’t analyzing your NodeJS (Typescript) files because the Scanner for Gradle derives sonar.sources from the information available to Gradle. Specifically ${sourceSets.main.allSource.srcDirs}.

You can check the Scanner for Gradle documentation on Analyzing custom source sets to try and add additional files, but this is tricky and I don’t have a good example to share. There may be more sophisticated ways to work a Node project into a Gradle project – but I don’t know it.

Back to the the SonarCloud Scan Action… that is being prevented from running based on this condition (which checks the base directory for a build.gradle file). It’s not sophisticated enough to understand that you want to analyze all the stuff that isn’t already being analyzed the Scanner for Gradle.

Something you could try if all of your Typescript files are isolated to a given subdirectory, you can use the projectBaseDir property to tell the action to start from another directory (where no build.gradle file is found)

uses: sonarsource/sonarcloud-github-action@master
with:
  projectBaseDir: my-custom-directory

trajano · December 23, 2022, 4:26pm

The typescript files are isolated in a directory, BUT… the yarn.lock files are on the root. But I can try that out.