Prevent sonar scanner from downloading nodejs

Hi all,

we have a nodejs Container (Linux x64) on which we want to execute the sonar analysis. This container is set up as a jenkins agent. The sonar analysis is one step within that agent.
The scanner should use the node version installed on the Container (PATH). We achieved this by setting sonar.nodejs.executable to the host’s node. However, sonar downloads another nodejs version on the host (in .sonar/js/node-runtime).

Is there a way to prevent sonar from downloading an additional nodejs version? We have security scans on our machines and need to be in control which libraries and versions are installed.

Version details:
Sonar, deployed via Docker
Sonar Jenkins Plugin

Thanks in advance

1 Like

Hi Stephan,

Welcome to the Community, and thanks for bringing this up!

Indeed this was a limitation in SonarQube 10.4 that has now been fixed.

Starting from SonarQube 10.5, if you set sonar.nodejs.executable, then the .sonar/ folder will not be populated with a Node.js runtime.

Keep in mind this does mean you should provide a compatible version of Node.js in the environment or the analysis will fail. We encourage you to use the latest LTS version and regularly do the necessary updates to benefit from the security patches.

1 Like

Thanks, Gabriel, for your quick response.

In addition, i just found two similar issues that solve my problem also with 10.4:
sonar.nodejs.forceHost=true, see: (and the linked one).

Okay, it seems that this parameter only prevents the error message, the embedded node version will be downloaded anyways…

1 Like