SonarScanner tries to open node-gyp in node_modules autonomously


  • SonarScanner:;
  • SonarQube: 8.5.1 (build 38104).

Error observed

I’m in a Javascript node-based environment. I want to launch the scanner in the back end.
Although I explicitly included three javascript files in the configuration GUI of SonarQube, SonarScanner in any case tries to open the node_modules/.bin/node-gyp files. I think it’s a bug because there are tons of similar files in the same directory which are correctly ignored; if I manually remove the files node-gyp, node-gyp.bat and node-gyp.ps1 from node_modules/.bin, everything works.

Reproducing the bug

For reproducing the bug, it’s enough to install node-gyp or a library that uses it, like sqlite3.

Here a snapshot from the command line:

Hi @Thefolle,

Could you please share your configuration? I take it you have a file, or pass params directly to the scanner?

Hello, it actually works now. I didn’t update sonarqube and I didn’t change any project file neither meanwhile. I have just run the scanner again and it doesn’t raise any exception about that file.
I also changed the JDK from 11 to 1.8 but it still works.

I suppose that the problem was not on Sonar side, maybe on Windows side. What to do you think about it?

This is my configuration on the GUI, anyway:

This is the command on the console:
sonar-scanner.bat -D"sonar.projectKey=" -D"" -D"sonar.login="


Happy that it works now.

The typical way to configure your analysis, is to set sonar.sources rather than sonar.inclusions. sonar.coverage.exclusions won’t exclude files from the analysis, by the way, only from the coverage reports (i.e., unit test coverage).

You can read more about it here, but typically:

  • You set sonar.sources to point to your folder containing your main source code (say, src/).
  • If anything inside that folder needs to be ignored, you can use sonar.exclusions (say, src/tests/fixtures/**)
  • If anything outside that folder need to be analyzed as well, you can use sonar.inclusions (say, ./index.ts, which is outside of src/)

So, in your case, you could set sonar.sources=pulsebs-client/,pulsebs-server, and sonar.exclusions=**/node_modules/**,**/coverage/**, for example.

I hope this helps! Cheers.