Scanning .qfl VBScript files in SonarQube

  • Version - Enterprise Edition Version 8.9.3 (build 48735)
  • SonarQube is deployed: zip
  • I am trying to achieve: I want to scan the VBScript files (suffix ‘*.qfl’)
  • What I have tried so far:
  1. In my SonarQube instance, one of the languages that are configured is ‘Visual Basic’. Further, I have configured this language to have ‘qfl’ as one of its suffixes.
  2. I have included a parameter in my sonar-scanner command:
    -D sonar.lang.patterns.vb='*.qfl'
  3. My .qfl file contains both VBScript language and HTML language code in it. But when sonar-scanner runs, only the HTML code in the file gets analyzed against the rules. The analysis does not show any issues in the VBScript code even though there are some issues present there.
  4. I have tried searching for a plugin in SonarQube for VBScript (more specifically for the .QFL language), but have not found any such plugin.
  • Questions:
    • Does any of the latest versions of SonarQube have a plugin for the VBScript language?
    • If I am to use a customized plugin for the QFL language, is there a template for this?

Hi @Pranjali_Kamblekar,

SonarQube does not support analysis of QFL format. You might get analysis results for VBScript files if you configure the suffixes as you’ve mentioned. I don’t think VBScript is officially supported, but it should work as it’s mainly a subset of VB6.

While it is possible to write your own custom plugin (see docs), it’s a nontrivial task, as you’d need to implement the plugin itself, a parser that would understand the files, and your own rules. It might be easier to extract the VB fragments into dedicated autogenerated valid VB6 files before SQ analysis and analyze those.

A side note: Setting the sonar.lang.patterns.vb has the same effect as configuring it via UI for the VB plugin. So you should not need to do that.

Pavel
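
The preprocessing step suggested above, as an added example (not code from the thread or from SonarSource). It assumes the VBScript sits inside `<script language="VBScript">` blocks, which the thread does not confirm, and blanks everything else while keeping line and column positions so reported issues map back to the original `.qfl`. The names `extract_vb` and `convert_tree` and the `.bas` output suffix are choices made for this sketch.

```python
import re
from pathlib import Path

# Assumption: VBScript is embedded in <script language="VBScript"> ... </script>
# blocks (or type="text/vbscript"). Adjust the pattern if the files mix the
# two languages differently.
VB_BLOCK = re.compile(
    r"<script\b[^>]*\b(?:language|type)\s*=\s*[\"']?(?:text/)?vbscript[\"']?[^>]*>"
    r"(.*?)</script\s*>",
    re.IGNORECASE | re.DOTALL,
)

def blank(text):
    """Replace every character except newlines with a space."""
    return re.sub(r"[^\n]", " ", text)

def extract_vb(source):
    """Return VB-only text with the same line/column layout as `source`."""
    out, pos = [], 0
    for m in VB_BLOCK.finditer(source):
        out.append(blank(source[pos:m.start(1)]))  # HTML and the opening tag
        out.append(m.group(1))                     # VBScript kept verbatim
        pos = m.end(1)
    out.append(blank(source[pos:]))                # closing tag and trailing HTML
    return "\n".join(line.rstrip() for line in "".join(out).split("\n"))

def convert_tree(src_dir, dst_dir, suffix=".bas"):
    """Write a VB twin for each .qfl under src_dir; return the paths written.
    Assumption: `.bas` is a suffix your instance maps to the VB6 analyzer."""
    written = []
    for qfl in sorted(Path(src_dir).rglob("*.qfl")):
        target = Path(dst_dir) / qfl.relative_to(src_dir).with_suffix(suffix)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(extract_vb(qfl.read_text(errors="replace")))
        written.append(target)
    return written

# Constructed sample input, not taken from the thread.
SAMPLE = """<html>
<body><p>Report</p>
<script language="VBScript">
Function Add(a, b)
    Add = a + b
End Function
</script>
</body></html>
"""

if __name__ == "__main__":
    print(extract_vb(SAMPLE))
```

Run `convert_tree` before `sonar-scanner` and point `sonar.sources` at the output directory; issues are then reported on the generated files at the same line numbers as in the `.qfl` originals.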

Hi Pavel_Miluka,

Thanks for your reply.
Below are the configurations I have done:

  1. Under Settings → Languages → Visual Basic → Added file suffix as ‘.qfl’.

  2. While running the sonar command included this parameter:

    sonar.lang.patterns.vb='*.qfl'
    

Even though, by using this parameter, SonarQube scans the QFL files, the analysis does not include scanning the VBScript code that is in the file. It only scans the HTML part of the file (my QFL files contain both VBS code and HTML code in them).