We are running first scans of a js repo on SonarCloud.
How can we confirm that it is checking for
- npm dependencies?
- all relevant js tests?
Thank you.
Hey there.
SonarCloud doesn’t perform any particular scan of 3rd party dependencies – it focuses on the code your developers are writing.
What do you mean by this?
Hello,
Our first Sonar test scan against our api repository came out 100% perfect.
While I have great developers, this seems suspicious.
Can you please help us ensure that we have configured everything correctly for our account / this project so that we know for sure that the code is being completely reviewed against the JS tests you offer?
You’ve analyzed a merge request – which will only analyze the changed lines in the merge request! Probably just the configuration files you’ve modified to enable SonarCloud analysis.
Once you merge that into your main branch and the analysis runs, you’re good to go.
Colin,
Thanks for your helpful note.
I performed a successful merge and I don’t see any updated info on SonarCloud.
Can you please advise?
Do I need to be looking somewhere else – do I need to have the development branch be the one I look at on SonarCloud?
Also Colin, it is not clear to us how we kick off an analysis of the development branch – the “main” branch referred to in your letter I think.
I have configured something on SonarCloud (see below) but there is no “BUTTON” to initiate the analysis in your UI.
Hey there.
You’re right – there is no button in the UI to trigger an analysis. That is all done by your CI tool (here, GitLab CI).
development branch, do you see the SonarQube Scanner logs?
Colin,
It is easiest right now (I’m on a flight) for me to send the yaml.
Here it is attached.
Do you know where in GitLab CI/CD I can view the logs (sorry, not with my devs at the moment)?
Thanks for your attention to this.
Danny
(Attachment gitlab-ci.yml is missing)
Colin,
Here is a resend, with yaml content embedded in the email body:
It is easiest right now (I’m on a flight) for me to send the yaml.
Here it is below.
Do you know where in GitLab CI/CD I can view the logs (sorry, not with my devs at the moment)?
Thanks for your attention to this.
Danny
```yaml
image: node:latest

stages:
  - test
  - electron
  - installer
  - deploy_MSI
  - deploy

test:
  stage: test
  before_script:
    # Add Google Chrome to aptitude's (package manager) sources
    - echo "deb http://dl.google.com/linux/chrome/deb/ stable main" | tee -a /etc/apt/sources.list
    # Fetch Chrome's PGP keys for secure installation
    - wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add -
    # Update aptitude's package sources
    - apt-get -qq update -y
    # Install latest Chrome stable, Xvfb packages
    - apt-get -qq install -y google-chrome-stable xvfb libxss1 gtk2-engines-pixbuf xfonts-cyrillic xfonts-100dpi xfonts-75dpi xfonts-base xfonts-scalable imagemagick x11-apps default-jre
    # Launch Xvfb
    - Xvfb :0 -ac -screen 0 1024x768x24 &
    # Export display for Chrome
    - export DISPLAY=:99
    # Install remaining project dependencies
    - npm i
  script:
    - npm run ci

build_electron_windows:
  stage: electron
  tags:
    - windows
  image: node:12
  script:
    - choco install python -y --version=2.7.11
    - refreshenv
    - $env:PATH = 'C:\tools\python;' + $env:PATH; [Environment]::SetEnvironmentVariable('PATH', $env:PATH, [EnvironmentVariableTarget]::Machine);
    - Write-Output $Env:PATH
    - npm i
    - npm run update:version
    # - npm run build
    - npm run build:windows
    # If we have wix-toolkit v3* available in the pipeline we can build windows-electron app with a msi by running:
    # - npm run build:windowsWithMsi
    - dir
  artifacts:
    paths:
      - ENGAUGE-win*
    expire_in: 1 week

build_electron_windows_installer:
  stage: installer
  # NOTE: when using shared runners with the tag 'windows' no image can be selected. A default image is used instead.
  # image: registry.gitlab.com/engusdev/engauge/engauge-wix:latest
  # image: kayanme/wix-toolset
  tags:
    - windows
  dependencies:
    - build_electron_windows
  script:
    - powershell "Set-Service -Name wuauserv -StartupType Manual; Install-WindowsFeature -Name NET-Framework-Features -Verbose"
    - choco install wixtoolset -y
    - choco install python -y --version=2.7.11
    - dir "C:\Program Files (x86)\WiX Toolset v3.11\bin"
    - $env:PATH = 'C:\Program Files (x86)\WiX Toolset v3.11\bin;' + $env:PATH; [Environment]::SetEnvironmentVariable('PATH', $env:PATH, [EnvironmentVariableTarget]::Machine);
    - Write-Output $Env:PATH
    - light
    - npm i
    - npm run update:version
    - npm run build:windows:msi
  artifacts:
    paths:
      - windows_installer
    expire_in: 1 week

deploy_installer:
  stage: deploy_MSI
  image: alpine:latest
  dependencies:
    - build_electron_windows_installer
  before_script:
    - apk update && apk add openssh-client rsync
    # Setup SSH deploy keys
    - 'which ssh-agent || ( apk add --update openssh )'
    - eval $(ssh-agent -s)
    - ssh-add <(echo "$UPDATE_SSH_KEY")
    - mkdir -p ~/.ssh
    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
    - chmod 700 ~/.ssh
```
Hey there.
The GitLab CI YAML you shared doesn’t actually contain anything related to running SonarQube analysis… so I have a feeling it’s not matching the one that ran on your pull request. There should be something like this included:
```yaml
sonarqube-check:
  image:
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [""]
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar" # Defines the location of the analysis task cache
    GIT_DEPTH: "0" # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    - sonar-scanner
  allow_failure: true
  only:
    - merge_requests
    - master # or the name of your main branch
    - develop
```
I would recommend syncing with your devs on this.
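An added example, not part of the original posts or of SonarSource's tooling: a small Ruby check that answers the thread's question ("is the main branch actually being analysed?") from the pipeline file itself. The function name `audit_sonar_ci`, the sample pipelines, and the choice of `development` as the branch name are assumptions made for illustration.

```ruby
require "yaml"

# Constructed samples, not the poster's real pipeline files.
NO_SCANNER = <<~YAML
  test:
    stage: test
    script:
      - npm run ci
YAML

MR_ONLY = <<~YAML
  sonarqube-check:
    variables:
      GIT_DEPTH: "0"
    script:
      - sonar-scanner
    only:
      - merge_requests
YAML

WITH_BRANCH = MR_ONLY + "    - development\n"

# Returns findings for a .gitlab-ci.yml text; an empty list means some job
# runs sonar-scanner on main_branch with full git history. Assumption: jobs
# use the `only:` list form shown in the thread (`rules:` is not evaluated).
def audit_sonar_ci(yaml_text, main_branch)
  config = YAML.safe_load(yaml_text) || {}
  jobs = config.select do |_name, job|
    job.is_a?(Hash) &&
      Array(job["script"]).flatten.any? { |cmd| cmd.to_s.include?("sonar-scanner") }
  end
  return ["no job runs sonar-scanner"] if jobs.empty?

  findings = []
  # A job without `only:` runs on every branch; otherwise the branch must be listed.
  on_main = jobs.values.any? do |job|
    !job.key?("only") || Array(job["only"]).include?(main_branch)
  end
  findings << "sonar-scanner never runs on '#{main_branch}'; merge requests cover changed lines only" unless on_main

  full_history = jobs.values.all? do |job|
    depth = job.dig("variables", "GIT_DEPTH") || config.dig("variables", "GIT_DEPTH")
    depth.to_s == "0"
  end
  findings << "GIT_DEPTH is not \"0\" for every scanner job" unless full_history
  findings
end

{ "no scanner job" => NO_SCANNER, "MR only" => MR_ONLY, "MR + branch" => WITH_BRANCH }.each do |label, text|
  puts "#{label}: #{audit_sonar_ci(text, 'development').inspect}"
end
```

An empty result only shows that the pipeline is configured to run the scanner on that branch; the scanner's own job log in GitLab CI remains the evidence that an analysis ran.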
Thanks Colin.
We will work on this.
One question though – we applied the YAML content prescribed on the SonarCloud UI, not sure why you have now sent other details.
Thanks,
Danny
It’s the same as what’s in the SonarCloud UI… but missing from the YAML file you shared above.
Colin,