.Net SonarScanner not including .js/.ts files in SonarCloud

We are using the dotnet sonarscanner for our project. Our project is broken up into a C# backend and an Angular frontend. We have included the Angular folder in the csproj file to include the files at build time. The SonarScanner picks up all the files as well as the ESLint output for the scan. However, SonarCloud does not show any .js or .ts files for our project.

  • CI System - Github
  • scanner command:
./.sonar/scanner/dotnet-sonarscanner begin /k:"RegScale_regscale" /o:"regscale" /d:sonar.login="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io" \
${{ github.event_name != 'pull_request' && env.BRANCH_OPTS || '' }} \
/d:sonar.javascript.node.maxspace=8192 \
/d:sonar.scanner.scanAll=true \
/d:sonar.javascript.detectBundles=false \
/d:sonar.eslint.reportPaths=/home/runner/eslint-results.json \
/d:sonar.exclusions=Atlas.Entities/Migrations/**,Atlas.Angular/node_modules/**,Atlas.Angular/e2e/**
  • Languages - C#, XML, CSS, JavaScript, TypeScript
  • No errors just not reporting on JavaScript and TypeScript

Hi there, @rmac0118

First question: which version of the scanner are you using? It has to be at least 8.0.0 for these files to be analyzed (and ideally it should be the latest, 9.0.2 as we corrected a lot of issues since then).

If you are indeed using a compatible version, could you share a bit more about your issue?

  • A pointer to your repo if it is public, or a high level overview of your repo hierarchy
  • the (redacted) content of your pipeline
  • redacted logs of the begin and end step generated with /d:sonar.verbose=true

Denis

Well to address this I do want to start out by saying we were using 6.1.0 (Had not noticed until you asked). This has been fixed and we are now on 9.0.2!

Since running that version some things have picked up but we are still experiencing a lot of files missing but showing up in the scan report in our pipeline.

For our repo hierarchy we have a C# backend and Angular frontend. The backend picks up correctly but the front end is the issue.
As you can see in this screenshot we have lots of files (src has over 2500 files in it).

Sonar is picking up this:


Which is nowhere near what it should be picking up.

For the pipeline commands we are running the following:

jobs:
  sonarqube-scan:
    runs-on: ubuntu-latest-16-cores
    steps:
    - name: Set up JDK 17
      uses: actions/setup-java@v3
      with:
        distribution: 'zulu' 
        java-version: '17'
    - name: Setup .NET Core SDK
      uses: actions/setup-dotnet@v3
    - uses: actions/setup-node@v3
      with:
        node-version: 22.0.0
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
    - name: Install SonarCloud scanner
      run: |
        dotnet tool update dotnet-sonarscanner --tool-path ./.sonar/scanner
    - name: Cache SonarQube cache # Caches various cache locations used by the SonarQube scanner.
      id: cache-sonar-cache
      uses: actions/cache@v3
      with:
        path: |
          /home/runner/.sonar/cache
        key: ${{ runner.os }}-sonar-cache
    - name: Cache SonarQube Build node_modules # Caches the node_modules generated by dotnet build performed as part of the SonarQube scan.
      id: cache-sonar-node-modules
      uses: actions/cache@v3
      with:
        path: |
          Atlas.Angular/node_modules/
        key: ${{ runner.os }}-sonar-node-modules
    - name: Run ESLint
      run: |
        cd ./Atlas.Angular
        rm -rf node_modules/
        yarn cache clean
        yarn
        yarn add eslint
        yarn add eslint-plugin-only-warn
        yarn run eslint -f json -o /home/runner/eslint-results.json
        cd ../
    - name: Sonarqube scan
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        # cli parameters used when scanning a branch push.
        BRANCH_OPTS: /d:sonar.branch.name=${{ github.ref_name }}
      run: |
        ./.sonar/scanner/dotnet-sonarscanner begin /k:"RegScale_regscale" /o:"regscale" /d:sonar.token="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io" \
          ${{ github.event_name != 'pull_request' && env.BRANCH_OPTS || '' }} \
          /d:sonar.javascript.node.maxspace=8192 \
          /d:sonar.scanner.scanAll=true \
          /d:sonar.javascript.detectBundles=false \
          /d:sonar.eslint.reportPaths=/home/runner/eslint-results.json \
          /d:sonar.typescript.tsconfigPaths=./Atlas.Angular/tsconfig.json \

        # Dotnet build
        dotnet build ./atlas/Atlas.csproj # path is important

        # Sonar end 
        ./.sonar/scanner/dotnet-sonarscanner end /d:sonar.token="${{ secrets.SONAR_TOKEN }}" | tee /home/runner/sonar-scan-output.txt
        task_url=$(grep "More about the report processing at" /home/runner/sonar-scan-output.txt | awk '{print $NF}')
        # Add the sonar API authentication token to the url.
        echo task_url=${task_url/sonarcloud.io/${{ secrets.SONAR_TOKEN }}@sonarcloud.io} >> "$GITHUB_ENV"
    - name: Wait for analysis to complete
      run: | # This step checks the sonarcloud API to see if the server-side analysis is complete. It retries the request up to 20 times to provide ample time for the analysis to be performed. This guarantees that any steps which depend on this step can safely assume that the server-side analysis is complete.
        echo Checking task status at API url: ${{ env.task_url }}
        for i in {1..20}; do
          curl -m 10 -s "${{ env.task_url }}" | grep '"status":"SUCCESS"' && break || echo "Waiting for analysis to complete..."; sleep 10;
        done

During the pipeline run you can see it includes the quality profiles, the TypeScript analysis, and the JavaScript analysis.

Sonar verbose run:
sonar-verbose-run.txt (5.2 MB)
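The "Wait for analysis to complete" step in the pipeline above splices the token into the task URL, stores that URL in `$GITHUB_ENV`, and still succeeds if the task never reaches SUCCESS. The following is an added example, not part of the original posts or of Sonar's tooling, that polls the same task URL with the token supplied to curl over stdin and returns a non-zero status on failure or timeout. The `FETCH` hook and the sample scanner output are constructed for illustration, and `SONAR_TOKEN` is assumed to be set in the step's environment.

```shell
# Constructed sample of the scanner "end" output (not taken from the thread's logs).
SAMPLE_END_OUTPUT='INFO: ANALYSIS SUCCESSFUL
INFO: More about the report processing at https://sonarcloud.io/api/ce/task?id=CONSTRUCTED-TASK-ID'

# Read scanner output on stdin and print the task URL, with no credentials added.
extract_task_url() {
  grep "More about the report processing at" | awk '{print $NF}' | tail -n 1
}

# Print the value of the "status" field from a task JSON response passed as $1.
task_status() {
  printf '%s' "$1" | sed -n 's/.*"status":"\([A-Z_]*\)".*/\1/p' | head -n 1
}

# Fetch the task JSON. The token is sent as the basic-auth user name through a
# curl config read from stdin, so it is absent from the URL, argv and GITHUB_ENV.
fetch_task() {
  printf 'user = "%s:"\n' "$SONAR_TOKEN" | curl -K - -m 10 -s "$1"
}

# Poll until the task finishes. $1 = task URL, $2 = attempts, $3 = delay in seconds.
# Returns 0 on SUCCESS, 1 on FAILED or CANCELED, 2 on timeout.
# FETCH is a hypothetical hook so the network call can be replaced in tests.
wait_for_task() {
  wfa_attempts="${2:-20}"
  wfa_delay="${3:-10}"
  wfa_i=1
  while [ "$wfa_i" -le "$wfa_attempts" ]; do
    wfa_status=$(task_status "$("${FETCH:-fetch_task}" "$1")")
    case "$wfa_status" in
      SUCCESS) return 0 ;;
      FAILED|CANCELED)
        echo "Analysis task ended with status $wfa_status" >&2
        return 1 ;;
    esac
    echo "Waiting for analysis to complete..." >&2
    sleep "$wfa_delay"
    wfa_i=$((wfa_i + 1))
  done
  echo "Timed out waiting for analysis to complete" >&2
  return 2
}
```

In the workflow, the output of the `end` step would be piped into `extract_task_url` and the result passed to `wait_for_task`, so later steps run only when the server-side analysis has actually succeeded.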

Thank you, @rmac0118

Would you mind sharing the complete layout of the repo and re-running this with the proper flag: /d:sonar.verbose=true (you forgot the r in verbose it seems).

Denis

Here is the layout of the repository:

The Atlas.Entities folder is excluded and the test folders are not included, I believe. The atlas/Atlas.csproj is what is being run in the MSBuild, which pulls in everything else.

Here is the correct sonar run with the verbose:
sonarscan.zip (3.5 MB)

@denis.troller Any update on this?

Sorry for the late answer,

Looking at the logs I can see a lot of issues being raised in files in the Atlas.Angular/src/services/ directory.

Do you see them in SonarQube Cloud?
What is strange is that we only see 22 lines counted in the Atlas.Angular directory in your screenshot, which strikes me as… low, as you yourself put it.
Could you share a screenshot of the list in SonarQube Cloud for the Atlas.Angular/src/services/ directory?

Denis

The screenshot that shows the 22 lines of code is all that I see in SonarCloud.

Here is the most recent screenshot of all the files Sonarcloud is seeing:

As you can see there are a lot of files being scanned in the logs but they are not being brought over to SonarCloud.

Indeed, I’m sorry, for some reason I thought we were looking at a parent directory.

Let me call in some expert eyes here…

Denis

Denis,
Any update from the expert eyes?

@denis.troller,
Any update on this?

@denis.troller,
Any update on this?