I’m trying to scan my private WebApp repository. I’m using ASP.NET with AngularJS and JavaScript. The Summary page shows [Bugs 0, Vulnerabilities 0, Code Smells 0, Duplications 0]. Looking at the Code page, it shows all the .cs, .js, and .html files minus the /Scripts folder that I have excluded, but it doesn’t appear to actually scan them.
The Quality Profiles are set to Default: Sonar Way.
I see two errors in the log file. One deals with an unknown word in a .css file and the other deals with tsconfig.json. Neither should prevent the files from being scanned for vulnerabilities.
Any Ideas?
Build Log
Starting: Run Code Analysis
==============================================================================
Task : Run Code Analysis
Description : Run scanner and upload the results to the SonarCloud server.
Version : 1.22.0
Author : sonarsource
Help : Version: 1.22.0. This task is not needed for Maven and Gradle projects since the scanner should be run as part of the build.
[More Information](https://sonarcloud.io/documentation/analysis/scan/sonarscanner-for-azure-devops/)
==============================================================================
D:\a\_tasks\SonarCloudPrepare_14d9cde6-c1da-4d55-aa01-2965cd301255\1.19.0\classic-sonar-scanner-msbuild\SonarScanner.MSBuild.exe end
SonarScanner for MSBuild 5.2.1
Using the .NET Framework version of the Scanner for MSBuild
Post-processing started.
Calling the TFS Processor executable...
Attempting to locate the CodeCoverage.exe tool...
Attempting to locate the CodeCoverage.exe tool using setup configuration...
Code coverage command line tool: C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\Team Tools\Dynamic Code Coverage Tools\CodeCoverage.exe
Fetching code coverage report information from TFS...
Attempting to locate a test results (.trx) file...
Looking for TRX files in: D:\a\1\TestResults
No test results files found
Did not find any binary coverage files in the expected location.
Falling back on locating coverage files in the agent temp directory.
Searching for coverage files in D:\a\_temp
No coverage files found in the agent temp directory.
Coverage report conversion completed successfully.
The TFS Processor has finished
Calling the SonarScanner CLI...
INFO: Scanner configuration file: D:\a\_tasks\SonarCloudPrepare_14d9cde6-c1da-4d55-aa01-2965cd301255\1.19.0\classic-sonar-scanner-msbuild\sonar-scanner-4.6.1.2450\bin\..\conf\sonar-scanner.properties
INFO: Project root configuration file: D:\a\1\.sonarqube\out\sonar-project.properties
INFO: SonarScanner 4.6.1.2450
INFO: Java 11.0.11 AdoptOpenJDK (64-bit)
INFO: Windows Server 2016 10.0 amd64
INFO: User cache: C:\Users\VssAdministrator\.sonar\cache
INFO: Scanner configuration file: D:\a\_tasks\SonarCloudPrepare_14d9cde6-c1da-4d55-aa01-2965cd301255\1.19.0\classic-sonar-scanner-msbuild\sonar-scanner-4.6.1.2450\bin\..\conf\sonar-scanner.properties
INFO: Project root configuration file: D:\a\1\.sonarqube\out\sonar-project.properties
INFO: Analyzing on SonarCloud
INFO: Default locale: "en_US", source code encoding: "windows-1252" (analysis is platform dependent)
INFO: Load global settings
INFO: Load global settings (done) | time=565ms
INFO: Server id: 1BD809FA-AWHW8ct9-T_TB3XqouNu
INFO: User cache: C:\Users\VssAdministrator\.sonar\cache
INFO: Load/download plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=229ms
INFO: Load/download plugins (done) | time=22486ms
INFO: Loaded core extensions: developer-scanner
INFO: JavaScript/TypeScript frontend is enabled
INFO: Found an active CI vendor: 'Azure DevOps'
INFO: Load project settings for component key: 'UTRGV_PurchasaingReports'
INFO: Load project settings for component key: 'UTRGV_PurchasaingReports' (done) | time=110ms
INFO: Process project properties
INFO: Execute project builders
INFO: Execute project builders (done) | time=113ms
INFO: Project key: UTRGV_PurchasaingReports
INFO: Base dir: D:\a\1\s
INFO: Working dir: D:\a\1\.sonarqube\out\.sonar
INFO: Load project branches
INFO: Load project branches (done) | time=104ms
INFO: Check ALM binding of project 'UTRGV_PurchasaingReports'
INFO: Detected project binding: BOUND
@mickaelcaro I added the command in the Prepare Analysis on SonarCloud task:

```yaml
steps:
- task: SonarSource.sonarcloud.14d9cde6-c1da-4d55-aa01-2965cd301255.SonarCloudPrepare@1
  displayName: 'Prepare analysis on SonarCloud'
  inputs:
    SonarCloud: 'SoarCloud Purchasing'
    organization: 'utrgv-webapps'
    projectKey: 'UTRGV_PurchasaingReports'
    projectName: PurchasaingReports
    extraProperties: |
      # Additional properties that will be passed to the scanner,
      # Put one key=value per line, example:
      sonar.exclusions=/Scripts/**/*
      system.debug=true
```
Having reviewed them rapidly, I have some remarks:
You are building 2 solutions one after the other; only the second one is taken into account. (You can see in the Run Code Analysis log that all the files that will be analyzed are listed, starting at line 71 of the 7* log.)
You are analyzing a short-lived branch: have you analyzed the default (master/main) branch of your repo first?
Are you checking out the target branch of your branch before the build?
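A pipeline layout that addresses both remarks above, added here as an illustration and not taken from the original thread or from SonarSource's documentation: exactly one solution is built between the Prepare and Run Code Analysis tasks (so the begin/build/end sequence of the Scanner for MSBuild covers one build, instead of the last build overwriting the first), and the pipeline is triggered on the default branch so main is analyzed before any short-lived branch is compared against it. The service connection name, organization, project key, solution path and branch names are placeholders.

```yaml
# Assumed layout: the repository's default branch is "main".
trigger:
  branches:
    include:
      - main      # analyze the default branch first; short-lived branches are compared against it
      - develop

pool:
  vmImage: 'windows-latest'

steps:
  - task: SonarCloudPrepare@1
    displayName: 'Prepare analysis on SonarCloud'
    inputs:
      SonarCloud: 'SonarCloud Purchasing'   # placeholder: your service connection name
      organization: 'your-org'              # placeholder
      scannerMode: 'MSBuild'
      projectKey: 'your-project-key'        # placeholder
      projectName: 'your-project'           # placeholder
      extraProperties: |
        sonar.exclusions=Scripts/**/*

  # Exactly one build between Prepare and Run Code Analysis.
  # If a second solution is built here, only that last build is taken into account.
  - task: VSBuild@1
    displayName: 'Build the WebApp solution'
    inputs:
      solution: 'src/WebApp.sln'            # placeholder: the solution whose files you expect to see analyzed
      configuration: 'Release'

  - task: SonarCloudAnalyze@1
    displayName: 'Run Code Analysis'

  - task: SonarCloudPublish@1
    displayName: 'Publish Quality Gate Result'
    inputs:
      pollingTimeoutSec: '300'
```

If a second solution really must be built in the same pipeline, give it its own Prepare / build / Run Code Analysis sequence with a separate project key; one Run Code Analysis step only reports the build that immediately precedes it.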
Thanks for the assistance. Yes, you were right: I was scanning the Develop branch and not Master. I scanned Master and now I get all the results! Perhaps adding that fact to the documentation would help others. If it was there, I missed it.
I didn’t realize it also scans for HTML accessibility issues. Bonus!
Thank you again for your assistance. I will continue evaluating the product and hopefully recommend it to my boss.