Scan JavaScript code embedded in YAML files

I have an application that is developed with a DSL; this DSL is YAML based, and the yml files can also contain JavaScript code. We use SonarQube Cloud to analyse for potential vulnerabilities in code and would like it to scan the yml files for all potential vulnerabilities in the JavaScript code. I believe this cannot be done out of the box, especially with SonarQube Cloud, as it cannot run any custom plugins.

We are thinking the only approach would be to use a preprocessing script during the build to extract JavaScript from YAML files into temporary .js files and scan them separately, but before embarking on this I would like to hear whether anyone has attempted this before.
How would the analyser work with files not committed to the repo? How about new vs. old code?
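One way to build the preprocessing step described in the question, as an added example that is not part of the original post and not Sonar tooling: it assumes a hypothetical DSL in which the JavaScript sits in YAML block scalars under known keys (`script` and `handler` here, both assumed), walks the file without PyYAML so the YAML line of each snippet is preserved, and writes one .js file per snippet with a header naming its origin. `SAMPLE_YAML`, `flow.yml` and the `extracted-js` directory are constructed for the demo.

```python
"""Extract JavaScript block scalars from YAML DSL files into standalone .js files.

Added example (not from the thread or from Sonar). Assumes a hypothetical DSL
where JavaScript lives in YAML block scalars under known keys (`script` and
`handler`, both assumed). No PyYAML needed: it scans for `key: |` / `key: >`
headers and collects the indented body, keeping enough position data to map
any finding on the .js file back to the YAML line it came from.
"""
import re
import tempfile
from pathlib import Path
from typing import List, NamedTuple

# Keys whose block-scalar values hold JavaScript (assumption about the DSL).
SCRIPT_KEYS = {"script", "handler"}

# Matches `  key: |`, `- key: >-` etc.: a mapping key followed by a block scalar header.
BLOCK_HEADER = re.compile(
    r"^(?P<indent>[ ]*)(?P<dash>- )?(?P<key>[A-Za-z_][\w-]*):\s*[|>][+-]?\s*$"
)


class Snippet(NamedTuple):
    key: str
    start_line: int  # 1-based YAML line where the JavaScript body begins
    code: str


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def extract_snippets(yaml_text: str) -> List[Snippet]:
    """Return every JavaScript block scalar found under one of SCRIPT_KEYS."""
    lines = yaml_text.splitlines()
    snippets: List[Snippet] = []
    i = 0
    while i < len(lines):
        m = BLOCK_HEADER.match(lines[i])
        if not m or m.group("key") not in SCRIPT_KEYS:
            i += 1
            continue
        # Column of the key; block content must be indented deeper than this.
        key_col = len(m.group("indent")) + (2 if m.group("dash") else 0)
        j = i + 1
        while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > key_col):
            j += 1
        body = lines[i + 1 : j]
        while body and not body[-1].strip():  # drop trailing blank lines
            body.pop()
        if body:
            block_indent = min(_indent(ln) for ln in body if ln.strip())
            code = "\n".join(ln[block_indent:] for ln in body)
            snippets.append(Snippet(m.group("key"), i + 2, code))
        i = j
    return snippets


def write_js_files(yaml_path: Path, out_dir: Path) -> List[Path]:
    """Write each snippet to its own .js file with a header naming its YAML origin."""
    out_dir.mkdir(parents=True, exist_ok=True)
    written: List[Path] = []
    for snip in extract_snippets(yaml_path.read_text(encoding="utf-8")):
        target = out_dir / f"{yaml_path.stem}__{snip.key}_L{snip.start_line}.js"
        header = f"// extracted from {yaml_path.name}:{snip.start_line} (key: {snip.key})\n"
        target.write_text(header + snip.code + "\n", encoding="utf-8")
        written.append(target)
    return written


# Constructed sample of the hypothetical DSL; not a real project file.
SAMPLE_YAML = """\
name: demo-flow
steps:
  - id: greet
    script: |
      const name = input.user;
      document.body.innerHTML = "Hello " + name;  // DOM sink a JS scanner should see
  - id: wait
    timeout: 30
handler: >-
  return input.value;
"""


def demo() -> List[str]:
    """Round-trip the sample through a temp dir; return the origin header of each .js file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "flow.yml"
        src.write_text(SAMPLE_YAML, encoding="utf-8")
        files = write_js_files(src, Path(tmp) / "extracted-js")
        return [p.read_text(encoding="utf-8").splitlines()[0] for p in files]


if __name__ == "__main__":
    print("\n".join(demo()))
```

In a build, run this over the DSL files before the scanner's begin step and include the output directory in `sonar.sources`; findings are then reported against the generated .js paths, and the `// extracted from file:line` header is what lets you walk each one back to the YAML it came from. Because the generated files are not under version control, the scanner has no SCM blame data for them, so expect new-code attribution to behave differently than for committed files.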

Hi,

We automatically pick up and analyze JavaScript embedded in HTML and YAML files.

HTH,
Ann

Thanks @ganncamp. Based on earlier messages I found on this site, I got the wrong impression that it wasn’t possible.

I currently have a .NET Framework solution which includes yml files with embedded JS; the C# and *.js files are correctly analysed, but the JS embedded in *.yml does not show up in the analysis. Is this enabled out of the box, or does it require special setup? Do you have any pointers on what to do to enable this?

Hi,

Ah. Are the yml files being picked up at all?

Depending on the version of the SonarScanner for .NET you’re using, they may be skipped by default.

Ann

Thanks @ganncamp, setting sonar.scanner.scanAll=true is now including the yml files in the scan; however, I see no indication that the JavaScript included in those files is being scanned, as no issues have been identified (on the other hand, JavaScript in *.js files is). Is there any other setting that I need to check to have the JS included in the scan?

Hi,

Thanks for coming back to me. Now it’s time for me to check on my side. I’m going to flag this for more expert eyes.

Ann

Hello @alexvaccaro,

Could you please tell me which scanner version you use?
If you are on Azure DevOps, ignore this question.

Also, could you provide us with verbose logs of all the scanner steps?
You can do this by following the instructions below.

Share the Scanner for .NET verbose logs

If you analyze your code from the CLI:

  • Add /d:"sonar.verbose=true" to the SonarScanner.MSBuild.exe or dotnet sonarscanner begin command to get more detailed logs
    • For example: SonarScanner.MSBuild.exe begin /k:"MyProject" /d:"sonar.verbose=true"

If you analyze with Azure DevOps:

  • Add sonar.verbose=true to the “SonarQubePrepare” or “SonarCloudPrepare” task’s extraProperties argument
    • For example:
        - task: SonarCloudPrepare@3
          inputs:
            SonarCloud: 'sonarcloud'
            organization: 'foo'
            scannerMode: 'dotnet'
            projectKey: 'foo_sonar-scanning-someconsoleapp'
            projectName: 'sonar-scanning-someconsoleapp'
            extraProperties: |
              sonar.verbose=true

  • The important logs are in the END step (i.e. SonarQubeAnalyze / SonarCloudAnalyze / “Run Code Analysis”)

thanks a lot!

Hi

We use Azure DevOps.

I will send you the logs with a support request as I don’t want to share them publicly.

Just for anyone else that might be interested, the response I got from support is that currently SonarQube Cloud only scans JavaScript code inside AWS SAM templates; in my scenario our yml is in a proprietary format, so SonarQube will not be able to detect the JavaScript.
