Not scanning indexed files: Results: [Bugs 0, Vulnerabilities 0, Code Smells 0, Duplications 0]

Hello,

  • Azure DevOps
  • ASP.Net, C#, AngularJS, Javascript

I’m trying to scan my private WebApp repository. I’m using ASP.Net with AngularJS and Javascript. The Summary page shows [Bugs 0, Vulnerabilities 0, Code Smells 0, Duplications 0]. Looking at the Code page it shows all the .cs, .js, and .HTML files minus the /Scripts folder that I have excluded, but it doesn’t appear to actually scan them.

The Quality Profiles are set to Default: Sonar Way

I see two errors in the log file. One deals with an unknown word in a .css file and the other deals with the tsconfig.json. Neither one should prevent scanning the files for vulnerabilities.

Any ideas?

Build Log

Starting: Run Code Analysis
==============================================================================
Task         : Run Code Analysis
Description  : Run scanner and upload the results to the SonarCloud server.
Version      : 1.22.0
Author       : sonarsource
Help         : Version: 1.22.0. This task is not needed for Maven and Gradle projects since the scanner should be run as part of the build.

[More Information](https://sonarcloud.io/documentation/analysis/scan/sonarscanner-for-azure-devops/)
==============================================================================
D:\a\_tasks\SonarCloudPrepare_14d9cde6-c1da-4d55-aa01-2965cd301255\1.19.0\classic-sonar-scanner-msbuild\SonarScanner.MSBuild.exe end
SonarScanner for MSBuild 5.2.1
Using the .NET Framework version of the Scanner for MSBuild
Post-processing started.
Calling the TFS Processor executable...
Attempting to locate the CodeCoverage.exe tool...
Attempting to locate the CodeCoverage.exe tool using setup configuration...
Code coverage command line tool: C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\Team Tools\Dynamic Code Coverage Tools\CodeCoverage.exe
Fetching code coverage report information from TFS...
Attempting to locate a test results (.trx) file...
Looking for TRX files in: D:\a\1\TestResults
No test results files found
Did not find any binary coverage files in the expected location.
Falling back on locating coverage files in the agent temp directory.
Searching for coverage files in D:\a\_temp
No coverage files found in the agent temp directory.
Coverage report conversion completed successfully.
The TFS Processor has finished
Calling the SonarScanner CLI...
INFO: Scanner configuration file: D:\a\_tasks\SonarCloudPrepare_14d9cde6-c1da-4d55-aa01-2965cd301255\1.19.0\classic-sonar-scanner-msbuild\sonar-scanner-4.6.1.2450\bin\..\conf\sonar-scanner.properties
INFO: Project root configuration file: D:\a\1\.sonarqube\out\sonar-project.properties
INFO: SonarScanner 4.6.1.2450
INFO: Java 11.0.11 AdoptOpenJDK (64-bit)
INFO: Windows Server 2016 10.0 amd64
INFO: User cache: C:\Users\VssAdministrator\.sonar\cache
INFO: Scanner configuration file: D:\a\_tasks\SonarCloudPrepare_14d9cde6-c1da-4d55-aa01-2965cd301255\1.19.0\classic-sonar-scanner-msbuild\sonar-scanner-4.6.1.2450\bin\..\conf\sonar-scanner.properties
INFO: Project root configuration file: D:\a\1\.sonarqube\out\sonar-project.properties
INFO: Analyzing on SonarCloud
INFO: Default locale: "en_US", source code encoding: "windows-1252" (analysis is platform dependent)
INFO: Load global settings
INFO: Load global settings (done) | time=565ms
INFO: Server id: 1BD809FA-AWHW8ct9-T_TB3XqouNu
INFO: User cache: C:\Users\VssAdministrator\.sonar\cache
INFO: Load/download plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=229ms
INFO: Load/download plugins (done) | time=22486ms
INFO: Loaded core extensions: developer-scanner
INFO: JavaScript/TypeScript frontend is enabled
INFO: Found an active CI vendor: 'Azure DevOps'
INFO: Load project settings for component key: 'UTRGV_PurchasaingReports'
INFO: Load project settings for component key: 'UTRGV_PurchasaingReports' (done) | time=110ms
INFO: Process project properties
INFO: Execute project builders
INFO: Execute project builders (done) | time=113ms
INFO: Project key: UTRGV_PurchasaingReports
INFO: Base dir: D:\a\1\s
INFO: Working dir: D:\a\1\.sonarqube\out\.sonar
INFO: Load project branches
INFO: Load project branches (done) | time=104ms
INFO: Check ALM binding of project 'UTRGV_PurchasaingReports'
INFO: Detected project binding: BOUND

Hi @Ray.Garza , welcome to the community.

Can you share your pipeline configuration please?

Thanks.

Sure, here is the pipeline yaml:

steps:
- task: NuGetToolInstaller@0
  displayName: 'Use NuGet 4.4.1'
  inputs:
    versionSpec: 4.4.1

steps:
- task: NuGetCommand@2
  displayName: 'NuGet restore'
  inputs:
    restoreSolution: '$(Parameters.solution)'

steps:
- task: SonarSource.sonarcloud.14d9cde6-c1da-4d55-aa01-2965cd301255.SonarCloudPrepare@1
  displayName: 'Prepare analysis on SonarCloud'
  inputs:
    SonarCloud: 'SoarCloud Purchasing'
    organization: 'utrgv-webapps'
    projectKey: 'UTRGV_PurchasaingReports'
    projectName: PurchasaingReports
    extraProperties: |
     # Additional properties that will be passed to the scanner, 
     # Put one key=value per line, example:
     sonar.exclusions=/Scripts/**/*

steps:
- task: VSBuild@1
  displayName: 'Build solution'
  inputs:
    solution: '$(Parameters.solution)'
    msbuildArgs: '/p:DeployOnBuild=true /p:WebPublishMethod=Package /p:PackageAsSingleFile=true /p:SkipInvalidConfigurations=true /p:PackageLocation="$(build.artifactstagingdirectory)\\"'
    platform: '$(BuildPlatform)'
    configuration: '$(BuildConfiguration)'

steps:
- task: SonarSource.sonarcloud.ce096e50-6155-4de8-8800-4221aaeed4a1.SonarCloudAnalyze@1
  displayName: 'Run Code Analysis'

steps:
- task: VSTest@2
  displayName: 'Test Assemblies'
  inputs:
    testAssemblyVer2: |
     **\$(BuildConfiguration)\*test*.dll
     !**\obj\**
    platform: '$(BuildPlatform)'
    configuration: '$(BuildConfiguration)'

steps:
- task: PublishSymbols@2
  displayName: 'Publish symbols path'
  inputs:
    SearchPattern: '**\bin\**\*.pdb'
    PublishSymbols: false
  continueOnError: true

steps:
- task: PublishBuildArtifacts@1
  displayName: 'Publish Artifact'
  inputs:
    PathtoPublish: '$(build.artifactstagingdirectory)'
    ArtifactName: '$(Parameters.ArtifactName)'
  condition: succeededOrFailed()

steps:
- task: SonarSource.sonarcloud.38b27399-a642-40af-bb7d-9971f69712e8.SonarCloudPublish@1
  displayName: 'Publish Quality Gate Result'

Hi @mickaelcaro, any word on this issue?

Hi @Ray.Garza

I will also need the debug log of the Run Code Analysis task please (I can PM you so you can share it privately, let me know).

You can activate this by adding the following pipeline variable

system.debug = true

Thanks in advance.

Morning @mickaelcaro, I’ll get you the log file. Thanks

@mickaelcaro I added the command in the Prepare Analysis on SonarCloud task:

steps:
- task: SonarSource.sonarcloud.14d9cde6-c1da-4d55-aa01-2965cd301255.SonarCloudPrepare@1
  displayName: 'Prepare analysis on SonarCloud'
  inputs:
    SonarCloud: 'SoarCloud Purchasing'
    organization: 'utrgv-webapps'
    projectKey: 'UTRGV_PurchasaingReports'
    projectName: PurchasaingReports
    extraProperties: |
     # Additional properties that will be passed to the scanner, 
     # Put one key=value per line, example:
     sonar.exclusions=/Scripts/**/*
     system.debug=true

Where does one find the debug file/output?

Hi,

It’s a pipeline variable, you’d better add it like this, at the top of your YAML file:

variables:
- name: system.debug
  value: true 

Logs can then be extracted from the build summary view (click on the three-dots menu at the top right and click “Download logs”).

@mickaelcaro, ok I have the log file ready
logs_2261.zip (1.8 MB)

Hi @Ray.Garza

Thanks for the logs.

Having reviewed them rapidly, I have some remarks:

  • You are building 2 solutions one after the other, only the second one is taken into account. (You can see in the Run Code Analysis log, all the files that will be analyzed are listed, starting line 71 of the 7* log)
  • You are analyzing a short-lived branch: have you analyzed the default (master/main) branch of your repo first?
  • Are you checking out the target branch of your branch before the build?

Thanks.

Morning @mickaelcaro

Thanks for the assistance. Yes, you were right, I was scanning the Develop branch and not Master. I scanned Master and now I get all the results! Perhaps adding that fact to the documents would be of help to others. If it was there, I missed it.

I didn’t realize that it also scans for HTML accessibility issues as well, bonus!

Thank you again for your assistance. I will continue evaluating the product and hopefully recommend it to my boss.

Cheers,
Ray Garza

Glad it works. Thanks for your answer, we’ll consider this doc gap of course.
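
The two fixes from this thread in one pipeline file, as an added example that is not the poster's pipeline or SonarSource's own configuration: `system.debug` is declared as a pipeline variable instead of inside `extraProperties`, and the CI trigger covers `master` so the default branch is analyzed before any short-lived branch. The `solution`, `BuildPlatform` and `BuildConfiguration` values and the short task names are assumptions; the Sonar inputs are copied from the posts above.

```yaml
# azure-pipelines.yml (added example, assembled from the tasks quoted in the thread)
trigger:
  branches:
    include:
      - master            # analyze the default branch first; short-lived branches are compared against it

variables:
  - name: system.debug    # Azure DevOps pipeline variable, not a scanner property
    value: true
  - name: solution        # assumed; the thread only shows $(Parameters.solution)
    value: '**/*.sln'
  - name: BuildPlatform   # assumed value
    value: 'Any CPU'
  - name: BuildConfiguration   # assumed value
    value: 'Release'

steps:
  - task: NuGetToolInstaller@0
    displayName: 'Use NuGet 4.4.1'
    inputs:
      versionSpec: 4.4.1

  - task: NuGetCommand@2
    displayName: 'NuGet restore'
    inputs:
      restoreSolution: '$(solution)'

  - task: SonarCloudPrepare@1
    displayName: 'Prepare analysis on SonarCloud'
    inputs:
      SonarCloud: 'SoarCloud Purchasing'
      organization: 'utrgv-webapps'
      projectKey: 'UTRGV_PurchasaingReports'
      projectName: PurchasaingReports
      extraProperties: |
        # scanner properties only, one key=value per line
        sonar.exclusions=/Scripts/**/*

  - task: VSBuild@1
    displayName: 'Build solution'
    inputs:
      solution: '$(solution)'
      platform: '$(BuildPlatform)'
      configuration: '$(BuildConfiguration)'

  - task: SonarCloudAnalyze@1
    displayName: 'Run Code Analysis'

  - task: SonarCloudPublish@1
    displayName: 'Publish Quality Gate Result'
```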

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.