How to scan JS files which are not being compiled with Maven

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension) - Community Edition Version 9.4 (build 54424)
  • what are you trying to achieve - JS files are not being scanned
  • what have you tried so far to achieve this - Compile the code and tried the scan with SonarQube. Only Java files are scanned but not JS.

Need guidance on analyzing all files (Java and JS) available in a git repo.

Hey there.

You can update <sonar.sources> in your pom.xml to include other directories (it defaults to src/main/java). You can include multiple, comma separated directories.

Currently I am using below goals in Maven for Sonar Analysis.

mvn -Pbootstrap clean install sonar:sonar

Please confirm if the below tag to be added to sonar.properties file.

<sonar.sources>src/js</sonar.sources>

This would be added instead of your Maven pom.xml file, either at the root or for a specific project (if only one project contains Javascript files, for example).

@Colin - Thank you Colin for the prompt response but unfortunately suggested solution didn’t work.

I have added below properties to pom.

Any other alternate option?

* *

  • <sonar.sources>src/js</sonar.sources>*

As per Analysis JavaScript and Java in one project - #2 by TomVanBraband

It’s probably best if you share the logs from an analysis (mvn sonar:sonar) where you’ve made the adjustment, as well as the pom.xml that you adjusted.

Looks like I found the root cause
I used Sonar Secret plugins for free text password but now they are not compatible with Java11.

Can Sonar Community edition scan and report free text passwords from JS files?

Hey there.

I’m not sure I understand – what plugin were you using, and where was it installed?

Hi @Colin -
I have used Sonar Secret plugins - GitHub - Skyscanner/sonar-secrets: SonarQube plugin for identifying hardcoded secrets, such as passwords, API keys, AWS credentials, etc.. in Java 8 [Sonar Community edition - * 8.8 (build 42792).
Now I am in * Community Edition * Version 9.4 (build 54424) .
Somehow JS files are being ignored even with pom change

Okay. As mentioned before: