Js files not being scanned

JS files not scanned

Hi, I started using SonarQube yesterday and got it working, kind of.

I have a repo with 2 js files and one html file in the same directory. The html file is being scanned, but I don't think that the 2 *.js files are being scanned. I get the data back to my project in SonarQube, so that works. The js files are served by an nginx to be injected into webpages and are not actually part of a running application. In my project there is no sign of the 2 js files. Had to use args since I never got the props file to be picked up with proj name in it.

Log says:
15:29:35.452 DEBUG: 'JavaScript analysis' skipped because there is no related file in current project

Github action yaml

name: Prod SonarQube Scan

on:
  push:
    branches: [main]

jobs:
  run-scan:
    name: Run SonarQube Scan
    env:
      # runner_image: quay.io/redhat-github-actions/buildah-runner
      runner_image: docker-remote.repo.mydomain.com/buildpack-deps:buster
    runs-on: [gaas-cacheless-v1]
    
    environment: prod
    
    steps:
    - name: Checkout
      id: checkout
      uses: actions/checkout@v3

    # the scan needs node to scan js files and lint them, since the linter is written in JS
    - name: install node
      id: node
      uses: actions/setup-node@v2.1.2
      with:
        node-version: 18
        registry-url: https://repo.mydomain.com/artifactory/api/npm/seb-npm/

    - name: Sonarqube test
      id: scan_code
      uses: actions/sonarqube-scanner@v2
      with:
  #      projectBaseDir: content/adrum
        use-https: false
        args: >
          -D sonar.host.url=${{ secrets.SONAR_HOST_URL }}
          -D sonar.token=${{ secrets.SONAR_TOKEN }}
          -D sonar.projectKey=${{ secrets.SONAR_PROJECT }}
          -D sonar.verbose=true

Hey there.

Are these files with code you have actually written, or code generated by Nginx? The latter is not intended to be scanned by SonarQube.

And, as mentioned in the template post, what version of SonarQube are you using?

Hi. The code is written by a vendor to measure timings in modern browser APIs, and gets inserted into the HTML head tag.

SonarQube is at:

  • Enterprise Edition
  • Version 9.9 (build 65466)

I have dug a bit more into this, and the 2 js files are minified. So I unminified them and put copies in the same directory.

And now I get this in the logs:

09:18:44.471 DEBUG: File content/adrum/adextnom-.js was excluded because it looks like a bundle. (Disable detection with sonar.javascript.detectBundles=false)
09:18:44.527 INFO: Some of the project files were automatically excluded because they looked like generated code. Enable debug logging to see which files were excluded. You can disable bundle detection by setting sonar.javascript.detectBundles=false
09:18:44.527 DEBUG: 'content/adrum/adextnom-.js' excluded by org.sonar.plugins.javascript.filter.JavaScriptExclusionsFileFilter
09:18:44.529 DEBUG: Evaluate issue exclusions for 'content/adrum/adnom.js'
09:18:44.549 DEBUG: 'content/adrum/adnom.js' generated metadata with charset 'US-ASCII'
09:18:44.552 DEBUG: Average line length for content/adrum/adnom.js is 54
09:18:44.553 DEBUG: File content/adrum/adnom.js was excluded because it looks like a bundle. (Disable detection with sonar.javascript.detectBundles=false)
09:18:44.553 DEBUG: 'content/adrum/adnom.js' excluded by org.sonar.plugins.javascript.filter.JavaScriptExclusionsFileFilter

Tried adding -D sonar.javascript.detectBundles=true, no difference.

You would need to make sure this is -Dsonar.javascript.detectBundles=true

And, we really don’t recommend analyzing this code. You won’t get meaningful results.

Alright I got it now.
So the issue is with your js scanner. I had a commented line that was really long. When I removed that commented line at the top of the files, the scanner picked up my files.

So I think you need to open a ticket to the devs to not count commented lines when determining if it is a bundle or not.

Oh, and -Dsonar.javascript.detectBundles=true didn't make any difference.

Thx for now.

Rereading your post…

It looks like you’re setting sonar.javascript.detectBundles=true.

The logs recommend sonar.javascript.detectBundles=false.

How long was the line?

Well, the commented lines were 54+ chars, the log said.
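
Added example, not from the thread or from SonarSource: a CI check that reads a scanner log captured with sonar.verbose=true and fails when a file that must be analysed was dropped by bundle detection, matching the DEBUG wording quoted in the posts above. The function names and the sample log helper are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: surface files that the JavaScript plugin silently skipped,
# so a "green" scan cannot hide code that was never analysed.

# Print one path per line for every file excluded by bundle detection.
# $1: scanner log captured with sonar.verbose=true
excluded_bundles() {
  sed -n 's/^.*DEBUG: File \(.*\) was excluded because it looks like a bundle\..*$/\1/p' "$1" | sort -u
}

# Return 1 if any required path ($2...) appears among the excluded files in log $1.
check_required_scanned() {
  local log=$1 missing=0 path
  shift
  for path in "$@"; do
    if excluded_bundles "$log" | grep -Fxq -- "$path"; then
      echo "not analysed (bundle detection): $path" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Constructed sample input: log lines copied from the thread.
sample_log() {
  cat <<'EOF'
09:18:44.471 DEBUG: File content/adrum/adextnom-.js was excluded because it looks like a bundle. (Disable detection with sonar.javascript.detectBundles=false)
09:18:44.552 DEBUG: Average line length for content/adrum/adnom.js is 54
09:18:44.553 DEBUG: File content/adrum/adnom.js was excluded because it looks like a bundle. (Disable detection with sonar.javascript.detectBundles=false)
EOF
}

# Usage in a CI step (scanner.log is an assumed file name for the captured output):
#   check_required_scanned scanner.log content/adrum/adnom.js
```
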