we have a nodejs Container (Linux x64) on which we want to execute the sonar analysis. This container is set up as a jenkins agent. The sonar analysis is one step within that agent.
The scanner should use the node version installed on the Container (PATH). We achieved this by setting sonar.nodejs.executable to the host’s node. However, sonar downloads another nodejs version on the host (in .sonar/js/node-runtime).
Is there a way to prevent sonar from downloading an additional nodejs version? We have security scans on our machines and need to be in control which libraries and versions are installed.
Version details:
Sonar 10.4.0.87286, deployed via Docker
SonarScanner 5.0.1.3006
Sonar Jenkins Plugin
Welcome to the Community, and thanks for bringing this up!
Indeed this was a limitation in SonarQube 10.4 that has now been fixed.
Starting from SonarQube 10.5, if you set sonar.nodejs.executable, then the .sonar/ folder will not be populated with a Node.js runtime.
Keep in mind this does mean you should provide a compatible version of Node.js in the environment or the analysis will fail. We encourage you to use the latest LTS version and regularly do the necessary updates to benefit from the security patches.