We are using the dotnet sonarscanner for our project. Our project is broken up into a C# backend and an Angular frontend. We have included the Angular folder in the csproj file to include the files at build time. The SonarScanner picks up all the files as well as the ESLint output for the scan. However, SonarCloud does not show any .js or .ts files for our project.
First question: which version of the scanner are you using? It has to be at least 8.0.0 for these files to be analyzed (and ideally it should be the latest, 9.0.2 as we corrected a lot of issues since then).
If you are indeed using a compatible version, could you share a bit more about your issue?
A pointer to your repo if it is public, or a high level overview of your repo hierarchy
the (redacted) content of your pipeline
redacted logs of the begin and end step generated with /d:sonar.verbose=true
Well to address this I do want to start out by saying we were using 6.1.0 (Had not noticed until you asked). This has been fixed and we are now on 9.0.2!
Since running that version some things have picked up but we are still experiencing a lot of files missing but showing up in the scan report in our pipeline.
For our repo hierarchy we have a C# backend and Angular Frontend. The backend picks up correctly but the front end is the issue.
As you can see in this screenshot we have lots of files (src has over 2500 files in it)
Which is nowhere near what it should be picking up.
For the pipeline commands we are running the following:
```yaml
jobs:
  sonarqube-scan:
    runs-on: ubuntu-latest-16-cores
    steps:
      - name: Set up JDK 17
        uses: actions/setup-java@v3
        with:
          distribution: 'zulu'
          java-version: '17'
      - name: Setup .NET Core SDK
        uses: actions/setup-dotnet@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 22.0.0
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Install SonarCloud scanner
        run: |
          dotnet tool update dotnet-sonarscanner --tool-path ./.sonar/scanner
      - name: Cache SonarQube cache # Caches various cache locations used by the SonarQube scanner.
        id: cache-sonar-cache
        uses: actions/cache@v3
        with:
          path: |
            /home/runner/.sonar/cache
          key: ${{ runner.os }}-sonar-cache
      - name: Cache SonarQube Build node_modules # Caches the node_modules generated by dotnet build performed as part of the SonarQube scan.
        id: cache-sonar-node-modules
        uses: actions/cache@v3
        with:
          path: |
            Atlas.Angular/node_modules/
          key: ${{ runner.os }}-sonar-node-modules
      - name: Run ESLint
        run: |
          cd ./Atlas.Angular
          rm -rf node_modules/
          yarn cache clean
          yarn
          yarn add eslint
          yarn add eslint-plugin-only-warn
          yarn run eslint -f json -o /home/runner/eslint-results.json
          cd ../
      - name: Sonarqube scan
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          # cli parameters used when scanning a branch push.
          BRANCH_OPTS: /d:sonar.branch.name=${{ github.ref_name }}
        run: |
          ./.sonar/scanner/dotnet-sonarscanner begin /k:"RegScale_regscale" /o:"regscale" /d:sonar.token="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io" \
          ${{ github.event_name != 'pull_request' && env.BRANCH_OPTS || '' }} \
          /d:sonar.javascript.node.maxspace=8192 \
          /d:sonar.scanner.scanAll=true \
          /d:sonar.javascript.detectBundles=false \
          /d:sonar.eslint.reportPaths=/home/runner/eslint-results.json \
          /d:sonar.typescript.tsconfigPaths=./Atlas.Angular/tsconfig.json \
          # Dotnet build
          dotnet build ./atlas/Atlas.csproj # path is important
          # Sonar end
          ./.sonar/scanner/dotnet-sonarscanner end /d:sonar.token="${{ secrets.SONAR_TOKEN }}" | tee /home/runner/sonar-scan-output.txt
          task_url=$(grep "More about the report processing at" /home/runner/sonar-scan-output.txt | awk '{print $NF}')
          # Add the sonar API authentication token to the url.
          echo task_url=${task_url/sonarcloud.io/${{ secrets.SONAR_TOKEN }}@sonarcloud.io} >> "$GITHUB_ENV"
      - name: Wait for analysis to complete
        run: | # This step checks the sonarcloud API to see if the server-side analysis is complete. It retries the request up to 20 times to provide ample time for the analysis to be performed. This guarantees that any steps which depend on this step can safely assume that the server-side analysis is complete.
          echo Checking task status at API url: ${{ env.task_url }}
          for i in {1..20}; do
            curl -m 10 -s "${{ env.task_url }}" | grep '"status":"SUCCESS"' && break || echo "Waiting for analysis to complete..."; sleep 10;
          done
```
During the pipeline run you can see it includes the quality profiles.
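An added example, not part of any post in this thread: a variant of the pipeline's "Wait for analysis to complete" step that authenticates without placing the token in the task URL or in `$GITHUB_ENV`, and that fails the step when the task ends in FAILED or CANCELED or is still unfinished after the last attempt. The function names are hypothetical; it assumes `SONAR_TOKEN` is provided through the step's `env:` and that `task_url` holds the unmodified URL grepped from the end step's output.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Assumptions: SONAR_TOKEN is set via the
# step's `env:`; task_url is the unmodified URL printed by the scanner end step.

# Fetch the task JSON. The token reaches curl through a config read from stdin
# (-K -), so it is neither part of the URL nor of curl's argument list.
fetch_task() {
  printf 'user = "%s:"\n' "$SONAR_TOKEN" | curl -K - -m 10 -s "$1"
}

# Print the first "status" value found in the JSON on stdin (empty if none).
task_status() {
  grep -o '"status":"[A-Z_]*"' | head -n 1 | cut -d'"' -f4
}

# wait_for_task URL [ATTEMPTS] [DELAY_SECONDS]
# Returns 0 on SUCCESS, 1 on FAILED or CANCELED, 2 when attempts run out.
wait_for_task() {
  local url="$1" attempts="${2:-20}" delay="${3:-10}" i=1 status
  while [ "$i" -le "$attempts" ]; do
    status=$(fetch_task "$url" | task_status) || status=""
    case "$status" in
      SUCCESS)
        echo "Analysis complete"
        return 0 ;;
      FAILED|CANCELED)
        echo "Analysis ended with status $status" >&2
        return 1 ;;
      *)
        echo "Waiting for analysis to complete (attempt $i, status: ${status:-unknown})" ;;
    esac
    sleep "$delay"
    i=$((i + 1))
  done
  echo "Analysis still unfinished after $attempts attempts" >&2
  return 2
}

# Run only when task_url is present, e.g. inside the workflow step.
if [ -n "${task_url:-}" ]; then
  wait_for_task "$task_url"
fi
```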
Would you mind sharing the complete layout of the repo and re-running this with the proper flag: /d:sonar.verbose=true (you forgot the r in verbose it seems).
The Atlas.Entities folder is excluded and the test folders are not included, I believe. The atlas/Atlas.csproj is what is being run in the MSBuild, which pulls in everything else.
Here is the correct sonar run with the verbose: sonarscan.zip (3.5 MB)
Looking at the logs I can see a lot of issues being raised in files in the Atlas.Angular/src/services/ directory.
Do you see them in SonarQube Cloud?
What is strange is that we only see 22 lines counted in the Atlas.Angular directory in your screenshot, which strikes me as… low, as you yourself put it.
Could you share a screenshot of the list in SonarQube Cloud for the Atlas.Angular/src/services/ directory?
I finally had some time to investigate it and I think what is happening is incremental PR analysis is preventing the issues from being propagated to the server, since they are “unchanged”.
Could you try setting this parameter on the scanner begin step:
sonar.analysisCache.enabled=false
If that does not work either, please send me the verbose logs with this flag set again.
Thanks and sorry for the delay.
This is interesting.
To narrow a bit if the problem is on the scanner for .NET or on the javascript/typescript analysis, could you please try to analyze the same project (all of it, from the same root) but using the scanner for NPM and send me the verbose logs again?
If it is the S4NET’s fault, you should see all the JS/TS files.
If it is not, you will still see the same 22 lines.
(you will not see any C# code, but that’s okay for now)
Sorry for this extra effort, but everything seems as it should on your logs.
I am not sure what the problem is.
This did not work. I see that it is scanning them still but nothing is getting files over into SonarCloud. Here are the Verbose logs for the sonar-scanner
Is there any way we can schedule a meeting to go over this (not sure if that’s possible or not)? This is time sensitive for us and we have already been at this a month with no solution.
Sorry for the delay, I understand that this can be frustrating.
I looked at the logs and, again, they (unfortunately) seem normal.
Since even without the S4NET you have the same issue in JS/TS analysis, I assigned the topic to the squad that is responsible for that analyzer and I will ping them to get a second opinion.