SonarScanner warning indicating nodejs 12 being used on node:14-alpine docker image

hastudillo · February 15, 2022, 10:29pm

CI system used: Bitbucket Cloud
Languages of the repository: TypeScript
Scanner command: Here below the step of the Bitbucket cloud pipeline that runs the SonarCloud analysis:

    - step: &SonarCloud
        name: SonarCloud SCA
        image: node:14-alpine
        caches:
          - node
          - sonar
        script:
          - pipe: sonarsource/sonarcloud-scan:1.2.1
            variables:
              SONAR_TOKEN: ${SONAR_TOKEN}
              EXTRA_ARGS: '-Dsonar.sources=src
                -Dsonar.tests=src
                -Dsonar.test.inclusions=**/*.spec.ts
                -Dsonar.coverage.exclusions="**/node_modules/**,**/*.spec.ts"
                -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info'

Error observed:

WARN: You are using Node.js version 12, which reached end-of-life. Support for this version will be dropped in future release, please upgrade Node.js to more recent version.

Potential workaround:
We noticed the binary is at /usr/local/bin/node for alpine, so why not to add the following arg?
-Dsonar.nodejs.executable=/usr/local/bin/node
Here below the error:

docker container run \
   --volume=/opt/atlassian/pipelines/agent/build:/opt/atlassian/pipelines/agent/build \
   --volume=/opt/atlassian/pipelines/agent/ssh:/opt/atlassian/pipelines/agent/ssh:ro \
   --volume=/usr/local/bin/docker:/usr/local/bin/docker:ro \
   --volume=/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes:/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes \
   --volume=/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes/sonarsource/sonarcloud-scan:/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes/sonarsource/sonarcloud-scan \
   --workdir=$(pwd) \
   --label=org.bitbucket.pipelines.system=true \
   --env=BITBUCKET_STEP_TRIGGERER_UUID="$BITBUCKET_STEP_TRIGGERER_UUID" \
   --env=BITBUCKET_REPO_FULL_NAME="$BITBUCKET_REPO_FULL_NAME" \
   --env=BITBUCKET_GIT_HTTP_ORIGIN="$BITBUCKET_GIT_HTTP_ORIGIN" \
   --env=BITBUCKET_PROJECT_UUID="$BITBUCKET_PROJECT_UUID" \
   --env=BITBUCKET_REPO_IS_PRIVATE="$BITBUCKET_REPO_IS_PRIVATE" \
   --env=BITBUCKET_WORKSPACE="$BITBUCKET_WORKSPACE" \
   --env=BITBUCKET_PR_DESTINATION_COMMIT="$BITBUCKET_PR_DESTINATION_COMMIT" \
   --env=BITBUCKET_REPO_OWNER_UUID="$BITBUCKET_REPO_OWNER_UUID" \
   --env=BITBUCKET_BRANCH="$BITBUCKET_BRANCH" \
   --env=BITBUCKET_REPO_UUID="$BITBUCKET_REPO_UUID" \
   --env=BITBUCKET_PROJECT_KEY="$BITBUCKET_PROJECT_KEY" \
   --env=BITBUCKET_REPO_SLUG="$BITBUCKET_REPO_SLUG" \
   --env=CI="$CI" \
   --env=BITBUCKET_PR_ID="$BITBUCKET_PR_ID" \
   --env=BITBUCKET_REPO_OWNER="$BITBUCKET_REPO_OWNER" \
   --env=BITBUCKET_STEP_RUN_NUMBER="$BITBUCKET_STEP_RUN_NUMBER" \
   --env=BITBUCKET_BUILD_NUMBER="$BITBUCKET_BUILD_NUMBER" \
   --env=BITBUCKET_GIT_SSH_ORIGIN="$BITBUCKET_GIT_SSH_ORIGIN" \
   --env=BITBUCKET_PIPELINE_UUID="$BITBUCKET_PIPELINE_UUID" \
   --env=BITBUCKET_COMMIT="$BITBUCKET_COMMIT" \
   --env=BITBUCKET_PR_DESTINATION_BRANCH="$BITBUCKET_PR_DESTINATION_BRANCH" \
   --env=BITBUCKET_CLONE_DIR="$BITBUCKET_CLONE_DIR" \
   --env=PIPELINES_JWT_TOKEN="$PIPELINES_JWT_TOKEN" \
   --env=BITBUCKET_STEP_UUID="$BITBUCKET_STEP_UUID" \
   --env=BITBUCKET_DOCKER_HOST_INTERNAL="$BITBUCKET_DOCKER_HOST_INTERNAL" \
   --env=DOCKER_HOST="tcp://host.docker.internal:2375" \
   --env=BITBUCKET_PIPE_SHARED_STORAGE_DIR="/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes" \
   --env=BITBUCKET_PIPE_STORAGE_DIR="/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes/sonarsource/sonarcloud-scan" \
   --env=EXTRA_ARGS="-Dsonar.sources=src -Dsonar.tests=src -Dsonar.test.inclusions=**/*.spec.ts -Dsonar.coverage.exclusions=\"**/node_modules/**,**/*.spec.ts\" -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info -Dsonar.nodejs.executable=/usr/local/bin/node" \
   --env=SONAR_TOKEN="${SONAR_TOKEN}" \
   --add-host="host.docker.internal:$BITBUCKET_DOCKER_HOST_INTERNAL" \
   sonarsource/sonarcloud-scan:1.2.1
Unable to find image 'sonarsource/sonarcloud-scan:1.2.1' locally
1.2.1: Pulling from sonarsource/sonarcloud-scan
Status: Downloaded newer image for sonarsource/sonarcloud-scan:1.2.1
INFO: Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: NONE
INFO: SonarScanner 4.4.0.2170
INFO: Java 11.0.2 Oracle Corporation (64-bit)
INFO: Linux 5.11.0-1025-aws amd64
INFO: Bitbucket Cloud Pipelines detected
INFO: User cache: /root/.sonar/cache
INFO: Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: NONE
INFO: Analyzing on SonarQube server 9.0.1
INFO: Default locale: "en", source code encoding: "UTF-8" (analysis is platform dependent)
INFO: Load global settings
INFO: Load global settings (done) | time=573ms
INFO: Server id: 1BD809FA-AWHW8ct9-T_TB3XqouNu
INFO: User cache: /root/.sonar/cache
INFO: Load/download plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=133ms
INFO: Load/download plugins (done) | time=33557ms
INFO: Loaded core extensions: developer-scanner
INFO: Found an active CI vendor: 'Bitbucket Pipelines'
INFO: Detected project key '$REGISTRY_USER_precision_backend' from 'Bitbucket Cloud Pipelines'
INFO: Detected organization key '$REGISTRY_USER' from 'Bitbucket Cloud Pipelines'
INFO: Load project settings for component key: '$REGISTRY_USER_precision_backend'
INFO: Load project settings for component key: '$REGISTRY_USER_precision_backend' (done) | time=114ms
INFO: Process project properties
INFO: Execute project builders
INFO: Execute project builders (done) | time=1ms
INFO: Project key: $REGISTRY_USER_precision_backend
INFO: Base dir: /opt/atlassian/pipelines/agent/build
INFO: Working dir: /opt/atlassian/pipelines/agent/build/.scannerwork
INFO: Load project branches
INFO: Load project branches (done) | time=150ms
INFO: Check ALM binding of project '$REGISTRY_USER_precision_backend'
INFO: Detected project binding: BOUND
INFO: Check ALM binding of project '$REGISTRY_USER_precision_backend' (done) | time=120ms
INFO: Load project pull requests
INFO: Load project pull requests (done) | time=121ms
INFO: Load branch configuration
INFO: Detected analysis for pull request '100' targeting 'develop'
INFO: Auto-configuring pull request 100
INFO: Load branch configuration (done) | time=684ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=154ms
INFO: Load active rules
INFO: Load active rules (done) | time=3908ms
INFO: Organization key: $REGISTRY_USER
INFO: Pull request 100 for merge into develop from PPORTB-100-solve-critical-sonar-issues
INFO: Load project repositories
INFO: Load project repositories (done) | time=231ms
INFO: SCM collecting changed files in the branch
INFO: SCM collecting changed files in the branch (done) | time=289ms
INFO: Indexing files...
INFO: Project configuration:
INFO:   Excluded sources: **/build-wrapper-dump.json, **/*.spec.ts
INFO:   Included tests: **/*.spec.ts
INFO:   Excluded sources for coverage: **/node_modules/**, **/*.spec.ts
INFO: 187 files indexed
INFO: 187 files ignored because of inclusion/exclusion patterns
INFO: 0 files ignored because of scm ignore settings
INFO: Quality profile for json: Sonar way
INFO: Quality profile for ts: Sonar way
INFO: Quality profile for web: Sonar way
INFO: ------------- Run sensors on module $REGISTRY_USER_precision_backend
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=113ms
INFO: Sensor IaC CloudFormation Sensor [iac]
INFO: 0 source files to be analyzed
INFO: 0/0 source files have been analyzed
INFO: Sensor IaC CloudFormation Sensor [iac] (done) | time=33ms
INFO: Sensor C# Project Type Information [csharp]
INFO: Sensor C# Project Type Information [csharp] (done) | time=2ms
INFO: Sensor C# Analysis Log [csharp]
INFO: Sensor C# Analysis Log [csharp] (done) | time=18ms
INFO: Sensor C# Properties [csharp]
INFO: Sensor C# Properties [csharp] (done) | time=0ms
INFO: Sensor HTML [web]
INFO: Sensor HTML is restricted to changed files only
INFO: Sensor HTML [web] (done) | time=6ms
INFO: Sensor Text Sensor [text]
INFO: 187 source files to be analyzed
INFO: 187/187 source files have been analyzed
INFO: Sensor Text Sensor [text] (done) | time=370ms
INFO: Sensor VB.NET Project Type Information [vbnet]
INFO: Sensor VB.NET Project Type Information [vbnet] (done) | time=2ms
INFO: Sensor VB.NET Analysis Log [vbnet]
INFO: Sensor VB.NET Analysis Log [vbnet] (done) | time=17ms
INFO: Sensor VB.NET Properties [vbnet]
INFO: Sensor VB.NET Properties [vbnet] (done) | time=1ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: 'sonar.coverage.jacoco.xmlReportPaths' is not defined. Using default locations: target/site/jacoco/jacoco.xml,target/site/jacoco-it/jacoco.xml,build/reports/jacoco/test/jacocoTestReport.xml
INFO: No report imported, no coverage information will be imported by JaCoCo XML Report Importer
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=6ms
INFO: Sensor TypeScript analysis [javascript]
INFO: Deploying custom rules bundle jar:file:/root/.sonar/cache/c8528df5e461867acf060f71702dbe39/sonar-securityjsfrontend-plugin.jar!/js-vulnerabilities-rules-1.0.0.tgz to /opt/atlassian/pipelines/agent/build/.scannerwork/.sonartmp/eslint-bridge-bundle/package/custom-rules4107045911113260394
ERROR: Provided Node.js executable file does not exist. Property 'sonar.nodejs.executable' was set to '/usr/local/bin/node'
ERROR: Provided Node.js executable file does not exist.
org.sonarsource.nodejs.NodeCommandException: Provided Node.js executable file does not exist.
	at org.sonarsource.nodejs.NodeCommandBuilderImpl.retrieveNodeExecutableFromConfig(NodeCommandBuilderImpl.java:207)
	at org.sonarsource.nodejs.NodeCommandBuilderImpl.build(NodeCommandBuilderImpl.java:141)
	at org.sonar.plugins.javascript.eslint.EslintBridgeServerImpl.initNodeCommand(EslintBridgeServerImpl.java:182)
	at org.sonar.plugins.javascript.eslint.EslintBridgeServerImpl.startServer(EslintBridgeServerImpl.java:127)
	at org.sonar.plugins.javascript.eslint.EslintBridgeServerImpl.startServerLazily(EslintBridgeServerImpl.java:201)
	at org.sonar.plugins.javascript.eslint.AbstractEslintSensor.execute(AbstractEslintSensor.java:66)
	at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(AbstractSensorWrapper.java:62)
	at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:75)
	at org.sonar.scanner.sensor.ModuleSensorsExecutor.lambda$execute$1(ModuleSensorsExecutor.java:48)
	at org.sonar.scanner.sensor.ModuleSensorsExecutor.withModuleStrategy(ModuleSensorsExecutor.java:66)
	at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:48)
	at org.sonar.scanner.scan.ModuleScanContainer.doAfterStart(ModuleScanContainer.java:64)
	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:123)
	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:109)
	at org.sonar.scanner.scan.ProjectScanContainer.scan(ProjectScanContainer.java:440)
	at org.sonar.scanner.scan.ProjectScanContainer.scanRecursively(ProjectScanContainer.java:436)
	at org.sonar.scanner.scan.ProjectScanContainer.doAfterStart(ProjectScanContainer.java:394)
	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:123)
	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:109)
	at org.sonar.scanner.bootstrap.GlobalContainer.doAfterStart(GlobalContainer.java:128)
	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:123)
	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:109)
	at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:58)
	at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:52)
	at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
	at com.sun.proxy.$Proxy0.execute(Unknown Source)
	at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)
	at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)
	at org.sonarsource.scanner.cli.Main.execute(Main.java:112)
	at org.sonarsource.scanner.cli.Main.execute(Main.java:75)
	at org.sonarsource.scanner.cli.Main.main(Main.java:61)

…still guessing what’s going on, for a command find just before the pipe: sonarsource/sonarcloud-scan:1.2.1 finds correctly the /usr/local/bin/node file…
Where does it come from the NodeJS default version 12?
Should we use maybe another docker image?

Colin · February 16, 2022, 12:40pm

Hey there.

I suggest upgrading the version of the sonarsource/sonarcloud-scan pipe to 1.4.0, which has a newer version of Node baked in.

hastudillo · February 20, 2022, 9:35pm

Thank you very much @Colin
It is the first thing to do, but …oops, it is the last one we checked… XD
By the way it works perfectly now, thank you again