How to analyze a node.js package in node_modules, including test coverage info

SonarQube Developer Edition Version 9.9
Github enterprise

Our node.js based product has a main application package that depends on a number of our own support packages, along with many 3rd party node.js packages.

Our support packages are tested by starting the main application package and running a suite of regression tests to exercise both the main application and our support packages.
We use SonarQube to analyze the main application package, including regression test coverage report in coverage/, and we have integrated with github so that our PRs are gated by SonarQube quality criteria including test coverage - as well as Jenkins reports of test suites pass/fail. Our Jenkins job starts the application, runs the regression tests, generates coverage report, runs SonarScanner on the application (ignoring node_modules/**) and reports results to our SonarQube server.

Now I am trying to add the support packages to SonarQube as projects and set up the same kind of SonarQube integration so that PRs to the support packages will be scanned and report scan results and test coverage to the SonarQube project for the relevant package. There is a separate Jenkinsfile for each support package repo that works like the main application’s Jenkinsfile. It starts the main application and runs the regression test suites and reports results to github to gate PR acceptance/merge.

My approach is to run the main application with coverage, with the coverage report including js files in node_modules/support_package/, then to run SonarScanner on the js files in node_modules/support_package/.
I am getting a lot of problems:

  • coverage report info not being used, probably paths in not matching paths in my project
  • modified files in PR branch of support_package not being reflected in my github PR

Instead of getting into details, my first question is whether there is any guidance on how to do this (or how not to do this), scanning a package in node_modules/
It feels like I am fighting the system so I want to check if there is a pattern or anti-pattern for handling this.

Thanks for any help or pointers.


Your problem is probably that files in “usual directories such as node_modules” are excluded by default.

If for some reason analysis of files in these directories is desired, it can be configured by setting the sonar.javascript.exclusions property to an empty value, i.e. sonar.javascript.exclusions=""


I changed my approach and this works fine:

  1. run regression tests on the main application with coverage scoped to include node_modules/<support_package>/
  2. change the paths in coverage report - remove the prefix node_modules/<support_package>/ from ‘SF:’ paths to match paths in support package repo
  3. run SonarScanner on a clone of support package (not in app/node_modules/<support_package>)

All works fine. Code in support package is scanned as usual by SonarScanner, usual summary / reports in SonarQube server along with coverage results.

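Step 2 of the approach above (rewriting the 'SF:' paths), as an added example that is not part of the original posts. The function name rebaseLcov, the package name support_package and every sample path are constructed; dropping records for files outside the package or inside its nested node_modules is an assumption that goes beyond what the post describes.

```javascript
// Rewrite an lcov report so its SF: paths are relative to the support
// package repo root instead of <app>/node_modules/<package>/.
function rebaseLcov(lcovText, packageName) {
  const marker = `node_modules/${packageName}/`;
  const out = [];
  let record = [];   // lines of the record currently being read
  let keep = false;  // true once this record's SF: path is inside the package

  for (const line of lcovText.split(/\r?\n/)) {
    if (line.startsWith('SF:')) {
      const path = line.slice(3).replace(/\\/g, '/'); // normalise Windows separators
      const at = path.indexOf(marker);
      const rel = at === -1 ? null : path.slice(at + marker.length);
      // Assumption: keep the package's own sources only, not its nested dependencies.
      keep = rel !== null && !rel.startsWith('node_modules/');
      record.push(keep ? `SF:${rel}` : line);
    } else if (line === 'end_of_record') {
      if (keep) out.push(...record, line);
      record = [];
      keep = false;
    } else if (line !== '') {
      record.push(line); // TN:, DA:, FN:, BRDA: ... are passed through unchanged
    }
  }
  return out.length ? out.join('\n') + '\n' : '';
}

// Constructed sample report: one package file, one app file, one nested dependency.
const SAMPLE = [
  'TN:', 'SF:node_modules/support_package/lib/util.js', 'DA:1,4', 'DA:2,0', 'end_of_record',
  'TN:', 'SF:/build/app/src/server.js', 'DA:1,1', 'end_of_record',
  'TN:', 'SF:/build/app/node_modules/support_package/node_modules/dep/index.js',
  'DA:1,1', 'end_of_record', ''
].join('\n');

// CLI use: node rebase-lcov.js <in.info> <out.info> <package-name>
const [inFile, outFile, pkg] = process.argv.slice(2);
if (inFile && outFile && pkg) {
  const fs = require('fs');
  fs.writeFileSync(outFile, rebaseLcov(fs.readFileSync(inFile, 'utf8'), pkg));
} else {
  console.log(rebaseLcov(SAMPLE, 'support_package')); // demo on the constructed sample
}
```

When SonarScanner runs from the clone of the support package, sonar.javascript.lcov.reportPaths should point at the rewritten file.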