Is there a way to import golangci-lint to SonarCloud using CI?

Hi! I’m working on using SonarCloud in my company as a SAST tool for our private repos. We’re mainly using Golang, and browsing around I’ve noticed that there is not a great range of default rules for it, and the best workaround that I saw in this forum was importing the reports using sonar.go.golangci-lint.reportPaths.

I wanted to understand better how this works. Does the report have to stay in the repo? Can I generate this report in the pipeline (we use CircleCI) and get the possible vulnerabilities in the dashboard without the file being stored in the repo?

Any ideas involving those questions could help. Thank you.

  • ALM used: GitHub Orgs
  • CI system used: Circle CI
  • Languages of the repository: Golang, Javascript

Welcome to the community!

The report does not have to be in the repo; in fact it’s recommended not to keep such files under version control. As you suggested, it’s best to generate this file in your build pipeline, then run the analysis. When our scanner runs in your CI system, it will import the report, add the issues from it to the report produced by our own analyzers, and all the issues will be available on SonarCloud.


Hi Janos! Glad to be onboard.

Thank you for your time and the explanation. I’ll try this out and let you know.

Hi @janos. Thanks again for your help. I’ve tested and the output looks right, but there are no vulnerabilities in the dashboard. Do you know what is happening here? Note that the line INFO: Importing /home/circleci/repo/report.xml is there, and note how data about other things, such as coverage, differs from other branches.

#!/bin/bash -eo pipefail
set -e
VERSION=4.1.0.1829
SONAR_TOKEN=$SONAR_TOKEN   # token is injected by CircleCI; the scanner reads it from the environment
SCANNER_DIRECTORY=/tmp/cache/scanner
export SONAR_USER_HOME=$SCANNER_DIRECTORY/.sonar
OS="linux"
echo "$SONAR_USER_HOME"

# Download and unpack the scanner CLI only when the cached copy is missing.
if [[ ! -x "$SCANNER_DIRECTORY/sonar-scanner-$VERSION-$OS/bin/sonar-scanner" ]]; then
  # -O keeps the remote file name, -L follows redirects from the download host
  curl -OL "https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-$VERSION-$OS.zip"
  unzip -qq -o "sonar-scanner-cli-$VERSION-$OS.zip" -d "$SCANNER_DIRECTORY"
fi

# unzip does not preserve execute bits, so restore them on the launcher and the bundled JRE
chmod +x "$SCANNER_DIRECTORY/sonar-scanner-$VERSION-$OS/bin/sonar-scanner"
chmod +x "$SCANNER_DIRECTORY/sonar-scanner-$VERSION-$OS/jre/bin/java"

# Project settings (sources, exclusions, report paths) come from sonar-project.properties in the repo root
"$SCANNER_DIRECTORY/sonar-scanner-$VERSION-$OS/bin/sonar-scanner"

/tmp/cache/scanner/.sonar
INFO: Scanner configuration file: /tmp/cache/scanner/sonar-scanner-4.1.0.1829-linux/conf/sonar-scanner.properties
INFO: Project root configuration file: /home/circleci/repo/sonar-project.properties
INFO: SonarQube Scanner 4.1.0.1829
INFO: Java 11.0.3 AdoptOpenJDK (64-bit)
INFO: Linux 4.15.0-1092-aws amd64
INFO: User cache: /tmp/cache/scanner/.sonar/cache
INFO: SonarQube server 8.5.0
INFO: Default locale: "en", source code encoding: "UTF-8"
INFO: Load global settings
INFO: Load global settings (done) | time=569ms
INFO: Server id: 1BD809FA-AWHW8ct9-T_TB3XqouNu
INFO: User cache: /tmp/cache/scanner/.sonar/cache
INFO: Load/download plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=130ms
INFO: Load/download plugins (done) | time=301ms
INFO: Loaded core extensions: developer-scanner
INFO: JavaScript/TypeScript frontend is enabled
INFO: Found an active CI vendor: 'CircleCI'
INFO: Load project settings for component key: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
INFO: Load project settings for component key: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' (done) | time=116ms
INFO: Process project properties
INFO: Execute project builders
INFO: Execute project builders (done) | time=1ms
INFO: Project key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
INFO: Base dir: /home/circleci/repo
INFO: Working dir: /home/circleci/repo/.scannerwork
INFO: Load project branches
INFO: Load project branches (done) | time=105ms
INFO: Check ALM binding of project 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
INFO: Detected project binding: BOUND
INFO: Check ALM binding of project 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' (done) | time=98ms
INFO: Load project pull requests
INFO: Load project pull requests (done) | time=165ms
INFO: Load branch configuration
INFO: Auto-configuring branch golangci-lint-setup
INFO: Load branch configuration (done) | time=2ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=142ms
INFO: Load active rules
INFO: Load active rules (done) | time=3285ms
INFO: Organization key: xxxxxxxxxx
INFO: Branch name: golangci-lint-setup, type: short-lived
INFO: SCM collecting changed files in the branch
INFO: SCM collecting changed files in the branch (done) | time=226ms
INFO: Indexing files...
INFO: Project configuration:
INFO:   Excluded sources: sql/**, e2e/**, cmd/accountsub/**, cmd/api/**, **/mocks/**, **/*_test.go
INFO:   Included tests: **/mocks/**, **/*_test.go
INFO: 84 files indexed
INFO: 175 files ignored because of inclusion/exclusion patterns
INFO: 3 files ignored because of scm ignore settings
INFO: Quality profile for go: Golangci-lint
INFO: Quality profile for plsql: Sonar way
INFO: Quality profile for xml: Sonar way
INFO: ------------- Run sensors on module xxxxxxxxxxxxxxxxxxxxxxxx
INFO: JavaScript/TypeScript frontend is enabled
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=101ms
INFO: Sensor SonarCSS Rules [cssfamily]
INFO: No CSS, PHP, HTML or VueJS files are found in the project. CSS analysis is skipped.
INFO: Sensor SonarCSS Rules [cssfamily] (done) | time=2ms
INFO: Sensor PL/SQL Sensor [plsql]
WARN: The Data Dictionary is not configured for PLSQL analyzer which prevents rule(s) S3641, S3921, S3618, S3651 to raise issues. See https://sonarcloud.io/documentation/analysis/languages/plsql/
INFO: 2 source files to be analyzed
INFO: 2/2 source files have been analyzed
INFO: Sensor PL/SQL Sensor [plsql] (done) | time=169ms
INFO: Sensor C# Properties [csharp]
INFO: Sensor C# Properties [csharp] (done) | time=1ms
INFO: Sensor JavaXmlSensor [java]
INFO: 1 source files to be analyzed
INFO: Sensor JavaXmlSensor [java] (done) | time=140ms
INFO: 1/1 source files have been analyzed
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=3ms
INFO: Sensor XML Sensor [xml]
INFO: 1 source file to be analyzed
INFO: 1/1 source file has been analyzed
INFO: Sensor XML Sensor [xml] (done) | time=82ms
INFO: Sensor VB.NET Properties [vbnet]
INFO: Sensor VB.NET Properties [vbnet] (done) | time=1ms
INFO: Sensor Code Quality and Security for Go [go]
INFO: 33 source files to be analyzed
INFO: Sensor Code Quality and Security for Go [go] (done) | time=928ms
INFO: 33/33 source files have been analyzed
INFO: Sensor Go Cover sensor for Go coverage [go]
INFO: Load coverage report from '/home/circleci/repo/cover.out'
INFO: Sensor Go Cover sensor for Go coverage [go] (done) | time=60ms
INFO: Sensor Import of GolangCI-Lint issues [go]
INFO: Importing /home/circleci/repo/report.xml
INFO: Sensor Import of GolangCI-Lint issues [go] (done) | time=27ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: 'sonar.coverage.jacoco.xmlReportPaths' is not defined. Using default locations: target/site/jacoco/jacoco.xml,target/site/jacoco-it/jacoco.xml,build/reports/jacoco/test/jacocoTestReport.xml
INFO: No report imported, no coverage information will be imported by JaCoCo XML Report Importer
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=3ms
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend]
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend] (done) | time=1ms
INFO: Sensor JavaSecuritySensor [security]
INFO: Reading type hierarchy from: /home/circleci/repo/.scannerwork/ucfg2/java
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /home/circleci/repo/.scannerwork/ucfg2/java
INFO: No UCFGs have been included for analysis.
INFO: Sensor JavaSecuritySensor [security] (done) | time=3ms
INFO: Sensor CSharpSecuritySensor [security]
INFO: Reading type hierarchy from: /home/circleci/repo/ucfg_cs2
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /home/circleci/repo/ucfg_cs2
INFO: No UCFGs have been included for analysis.
INFO: Sensor CSharpSecuritySensor [security] (done) | time=0ms
INFO: Sensor PhpSecuritySensor [security]
INFO: Reading type hierarchy from: /home/circleci/repo/.scannerwork/ucfg2/php
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /home/circleci/repo/.scannerwork/ucfg2/php
INFO: No UCFGs have been included for analysis.
INFO: Sensor PhpSecuritySensor [security] (done) | time=1ms
INFO: Sensor PythonSecuritySensor [security]
INFO: Reading type hierarchy from: /home/circleci/repo/.scannerwork/ucfg2/python
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /home/circleci/repo/.scannerwork/ucfg2/python
INFO: No UCFGs have been included for analysis.
INFO: Sensor PythonSecuritySensor [security] (done) | time=0ms
INFO: Sensor JsSecuritySensor [security]
INFO: Reading type hierarchy from: /home/circleci/repo/.scannerwork/ucfg2/js
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /home/circleci/repo/.scannerwork/ucfg2/js
INFO: No UCFGs have been included for analysis.
INFO: Sensor JsSecuritySensor [security] (done) | time=0ms
INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=6ms
INFO: CPD Executor 1 file had no CPD blocks
INFO: CPD Executor Calculating CPD for 34 files
INFO: CPD Executor CPD calculation finished (done) | time=33ms
INFO: SCM writing changed lines
INFO: SCM writing changed lines (done) | time=5ms
INFO: Analysis report generated in 147ms, dir size=234 KB
INFO: Analysis report compressed in 74ms, zip size=77 KB
INFO: Analysis report uploaded in 321ms
INFO: ANALYSIS SUCCESSFUL, you can find the results at: https://sonarcloud.io/dashboard?id=xxxxxxxxxxxxxxxxx&branch=golangci-lint-setup&resolved=false
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at https://sonarcloud.io/api/ce/task?id=AXfLFDUEeZCnlPUzU9KO
INFO: Analysis total time: 8.648 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 11.008s
INFO: Final Memory: 26M/94M
INFO: ------------------------------------------------------------------------

CircleCI received exit code 0

From your scanner output I see the analysis is for a short-lived branch. Keep in mind that you will see here issues for new code only. That is, code that is in the diff with the target branch (I suppose master in your case). When you browse the code of the branch on SonarCloud (in the Code tab of the branch), do you see there the code on which you expect issues?

All in all, in your analyses, you should see the exact same result on SonarCloud whether the coverage report file is committed to the repo (not recommended) or not. If you see differences, then there must be some other difference in the analyses.
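The pipeline described above (generate the golangci-lint report in CI, then let the scanner import it), as an added example that is not part of this thread or of SonarSource's tooling. It assumes golangci-lint v1 (`--out-format checkstyle`) and `sonar-scanner` on the PATH; the report-checking helpers are there because a successful `Importing report.xml` line in the scanner log does not tell you whether the file held any findings, which is the first thing to rule out when the dashboard stays empty.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: run golangci-lint in checkstyle format,
# sanity-check the report, then pass it to sonar-scanner. The report is a build
# artifact only; it never needs to be committed.
set -eu

REPORT="${REPORT:-report.xml}"

# Write the checkstyle report the SonarCloud importer expects. golangci-lint exits
# non-zero when it finds issues; the report is still wanted, so that is tolerated here.
generate_report() {
  golangci-lint run --out-format checkstyle > "$REPORT" || true
}

# Print the number of <error .../> elements (one per finding) in a checkstyle report.
# A missing or empty file counts as zero findings.
count_findings() {
  file="$1"
  if [ ! -s "$file" ]; then
    echo 0
    return 0
  fi
  grep -o '<error ' "$file" | wc -l | tr -d ' '
}

# Fail fast if the report is absent or not checkstyle XML, so a broken lint step
# is caught in CI rather than showing up as a silently empty dashboard.
validate_report() {
  file="$1"
  [ -s "$file" ] || { echo "report $file is missing or empty" >&2; return 1; }
  grep -q '<checkstyle' "$file" || { echo "report $file is not checkstyle XML" >&2; return 1; }
}

# Hand the report to the scanner; the property can equally live in sonar-project.properties.
run_scanner() {
  sonar-scanner -Dsonar.go.golangci-lint.reportPaths="$REPORT" "$@"
}

main() {
  generate_report
  validate_report "$REPORT"
  echo "golangci-lint findings in $REPORT: $(count_findings "$REPORT")"
  run_scanner
}

# Only start the pipeline when invoked as "script.sh run", so the helpers can be sourced alone.
if [ "${1:-}" = "run" ]; then main; fi
```

On a short-lived branch the dashboard still shows only findings on lines in the diff against the target branch, so a non-zero count here with an empty dashboard points at the new-code filter rather than at the import.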

I have the same problem but they tell me that there’s automatic
jozoppi@giorgio-XPS-15-7590:/tmp/sonar-scanner-4.7$ ./bin/sonar-scanner -Dproject.settings=./conf/sonar-scanner.properties
INFO: Scanner configuration file: /tmp/sonar-scanner-4.7/conf/sonar-scanner.properties
INFO: Project root configuration file: /tmp/sonar-scanner-4.7/./conf/sonar-scanner.properties
INFO: SonarScanner 4.7
INFO: Java 11.0.9.1 AdoptOpenJDK (64-bit)
INFO: Linux 5.4.0-67-generic amd64
INFO: User cache: /home/jozoppi/.sonar/cache
INFO: Scanner configuration file: /tmp/sonar-scanner-4.7/conf/sonar-scanner.properties
INFO: Project root configuration file: /tmp/sonar-scanner-4.7/./conf/sonar-scanner.properties
INFO: Analyzing on SonarCloud
INFO: Default locale: "en_US", source code encoding: "UTF-8" (analysis is platform dependent)
INFO: Load global settings
INFO: Load global settings (done) | time=450ms
INFO: Server id: 1BD809FA-AWHW8ct9-T_TB3XqouNu
INFO: User cache: /home/jozoppi/.sonar/cache
INFO: Load/download plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=110ms
INFO: Load/download plugins (done) | time=224ms
INFO: Loaded core extensions: developer-scanner
INFO: JavaScript/TypeScript frontend is enabled
INFO: Load project settings for component key: 'RstorLabs_rocket-s3'
INFO: Load project settings for component key: 'RstorLabs_rocket-s3' (done) | time=75ms
INFO: ------------------------------------------------------------------------
INFO: EXECUTION FAILURE
INFO: ------------------------------------------------------------------------
INFO: Total time: 2.279s
INFO: Final Memory: 7M/37M
INFO: ------------------------------------------------------------------------
ERROR: Error during SonarScanner execution
ERROR: You are running manual analysis while Automatic Analysis is enabled. Please consider disabling one or the other.
ERROR:
ERROR: Re-run SonarScanner using the -X switch to enable full debug logging.

I don’t see anywhere to disable it. I cannot locate the page specified in the documentation.