I am using the Bitbucket Pipe for sonar-scanner against SonarCloud:
```yaml
- step: &Build-step
    image: node:14.18.1
    size: 2x
    caches:
      - node
      - docker
    script:
      - npm rebuild
      - npm install
      - npm run test-coverage
      - pipe: sonarsource/sonarcloud-scan:1.4.0
        variables:
          SONAR_TOKEN: ${SONAR_TOKEN}
          EXTRA_ARGS: '-Dsonar.sources=controllers,utils,schemas,services -Dsonar.test.inclusions=**/tests/** -Dsonar.exclusions=node_modules/** -Dsonar.projectBaseDir=/opt/atlassian/pipelines/agent/build/ -Dsonar.cpd.exclusions=**/* -Dsonar.scm.provider=git -Dsonar.eslint.reportPaths=eslint-report.json -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info'
```
And this is where it ends up:
`INFO: 10:02:32.094159 Building Runtime Type propagation graph`
`INFO: 10:02:32.406955 Running Tarjan on 53819 nodes`
`INFO: 10:02:32.476709 Tarjan found 53805 components`
`INFO: 10:02:32.612284 Variable type analysis: done`
`INFO: 10:02:32.614801 Building Runtime Type propagation graph`
`INFO: 10:02:33.005223 Running Tarjan on 53819 nodes`
`INFO: 10:02:33.056775 Tarjan found 53805 components`
`INFO: 10:02:33.171646 Variable type analysis: done`
`INFO: Analyzing 6114 ucfgs to detect vulnerabilities.`
`INFO: Taint analysis starting. Entrypoints: 364`
`INFO: Running symbolic analysis for 'JS'`
`INFO: High simulation costs for sink in /opt/atlassian/pipelines/agent/build/services/file-service.js:532. Stop analysing this sink.`
`INFO: High simulation costs for sink in /opt/atlassian/pipelines/agent/build/services/document-generator-helper.js:166. Stop analysing this sink.`
`INFO: Taint analysis: done.`
`INFO: Sensor JsSecuritySensor [security] (done) | time=2493189ms`
What does “Stop analysing this sink” mean, and how do I do this? I presume this is the cause.