Scanner fails on JS files with HTML tags

Chris_McBrien · September 28, 2022, 4:03pm

Using SonarQube 9.6.1.59531 and sonar-scanner-cli-4.7.0.2747-windows.

We use a web form tool (Form Assembly) for Salesforce integration. JS code has to be provided to the tool inside tags. So, basically it treats our custom code as an HTML snippet.

Here is an example:

<script src="https://unpkg.com/gridjs/dist/gridjs.production.min.js"></script>
<link rel="stylesheet" type="text/css" href="https://unpkg.com/gridjs/dist/theme/mermaid.min.css">
<script>

	/* Bunch of Javascript here */

</script>
<style type="text/css">

	/*  CSS appears here */

</style>

When I pull out our code and save it as a *.js file, the scanner doesn’t see our code. Here’s the log output:

INFO: 1 source file to be analyzed
INFO: 1/1 source file has been analyzed
INFO: Sensor Text Sensor [text] (done) | time=17ms
INFO: Sensor VB.NET Project Type Information [vbnet]
INFO: Sensor VB.NET Project Type Information [vbnet] (done) | time=2ms
INFO: Sensor VB.NET Analysis Log [vbnet]
INFO: Sensor VB.NET Analysis Log [vbnet] (done) | time=31ms
INFO: Sensor VB.NET Properties [vbnet]
INFO: Sensor VB.NET Properties [vbnet] (done) | time=0ms
INFO: ------------- Run sensors on project
INFO: Sensor Analysis Warnings import [csharp]
INFO: Sensor Analysis Warnings import [csharp] (done) | time=1ms
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=7ms
INFO: SCM Publisher No SCM system was detected. You can use the 'sonar.scm.provider' property to explicitly specify it.
INFO: CPD Executor Calculating CPD for 0 files
INFO: CPD Executor CPD calculation finished (done) | time=0ms
INFO: Analysis report generated in 117ms, dir size=133.8 kB
INFO: Analysis report compressed in 41ms, zip size=18.7 kB
INFO: Analysis report uploaded in 29ms
INFO: ANALYSIS SUCCESSFUL, you can find the results at: http://localhost:9000/dashboard?id=New
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report

When I save the file as *.html, then the scanner only analyzes what appears inside the tags and still ignores the Javascript.

ilia · September 30, 2022, 11:22am

Hi Chris,

What do you mean by “When I pull out our code and save it as a *.js file”? Do you simply copy/paste the JS code between the tags into its own file?

Could you paste the full log from the scanner that you run?

Best,
Ilia