TFLint ReportImporterException - file could not be resolved

Must-share information (formatted with Markdown):

  • SonarQube Server
  • Helm
  • Import a TFLint JSON report file in CI analysis process
  • Populated sonar.terraform.tflint.reportPaths config, report file is picked up but all issues within the report fail to save due to subject (file could not be resolved)

When the analysis runs I can see 39 files being indexed, a few relevant examples of that group are -

15:37:34.413 DEBUG: 'azure_sql_infrastructure/azure_sql_storage_accounts/main.tf' indexed with language 'terraform'
15:37:34.413 DEBUG: 'azure_sql_infrastructure/azure_sql_storage_accounts/outputs.tf' indexed with language 'terraform'
15:37:34.413 DEBUG: 'azure_sql_infrastructure/azure_sql_storage_accounts/variables.tf' indexed with language 'terraform'

Then I get an entry to say the indexing is done -
15:37:34.422 INFO: 39 files indexed (done) | time=16ms

All good so far :slight_smile:

Then I get an entry detailing the TFLint report being picked up
15:37:34.909 INFO: TFLint report importing: Importing external report from: /workspace/source/tflint.json

Every issue within the report fails the same way.. however, the files which cannot be resolved have been indexed - exactly the same path. Examples -

15:37:34.913 DEBUG: failed to save issue
org.sonar.iac.common.reports.ReportImporterException: The file: azure_sql_infrastructure/azure_sql_storage_accounts/main.tf could not be resolved

15:37:34.914 DEBUG: failed to save issue
org.sonar.iac.common.reports.ReportImporterException: The file: azure_sql_infrastructure/azure_sql_storage_accounts/variables.tf could not be resolved

I have read a few issues raised which looked similar, however you could see the path differed between the report and the root analysis..

To prove where the analysis was running, I used this value for the reportPaths
-Dsonar.terraform.tflint.reportPaths=tflint.json

You can see as quoted above that file is picked up from /workspace/source/tflint.json which is the root of the repo where the dir azure_sql_infrastructure lives..

I’m a bit stuck.. if you could suggest something for me to try that would be amazing.. :slight_smile:

Many thanks
Tony


Sorry.. a couple more things which are relevant..

tflint cmd

tflint --recursive --format=json | jq > /workspace/source/tflint.json

SQ cmd

      echo "Running SonarQube analysis for pull request"
      sonar-scanner \
      -Dsonar.projectKey="$REPO_NAME" \
      -Dsonar.host.url=https://<our_host> \
      -Dsonar.token="$TOKEN" \
      -Dsonar.pullrequest.base="$PULL_BASE_REF" \
      -Dsonar.pullrequest.key="$PULL_NUMBER" \
      -Dsonar.pullrequest.branch="$(git rev-parse --abbrev-ref HEAD)" \
      -Dsonar.scm.revision="$PULL_PULL_SHA" \
      -Dsonar.terraform.provider.azure.version="$TF_VERSION" \
      -Dsonar.terraform.tflint.reportPaths=tflint.json \
      -Dsonar.verbose=true \
      -Dsonar.qualitygate.wait=true

Full issue import fail example

08:19:19.154 INFO: TFLint report importing: Importing external report from: /workspace/source/tflint.json
08:19:19.159 DEBUG: failed to save issue
org.sonar.iac.common.reports.ReportImporterException: The file: azure_sql_infrastructure/azure_sql_storage_accounts/main.tf could not be resolved
	at org.sonar.iac.common.reports.AbstractJsonReportImporter.inputFile(AbstractJsonReportImporter.java:146)
	at org.sonar.iac.terraform.reports.tflint.TFLintImporter.rangeToLocation(TFLintImporter.java:131)
	at org.sonar.iac.terraform.reports.tflint.TFLintImporter.issueLocation(TFLintImporter.java:111)
	at org.sonar.iac.terraform.reports.tflint.TFLintImporter.toExternalIssue(TFLintImporter.java:99)
	at org.sonar.iac.common.reports.AbstractJsonReportImporter.saveIssues(AbstractJsonReportImporter.java:108)
	at org.sonar.iac.common.reports.AbstractJsonReportImporter.lambda$importReport$0(AbstractJsonReportImporter.java:71)
	at java.base/java.lang.Iterable.forEach(Iterable.java:75)
	at org.sonar.iac.common.reports.AbstractJsonReportImporter.importReport(AbstractJsonReportImporter.java:69)
	at org.sonar.iac.terraform.plugin.TerraformSensor.lambda$importExternalReports$0(TerraformSensor.java:79)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
	at org.sonar.iac.terraform.plugin.TerraformSensor.importExternalReports(TerraformSensor.java:79)
	at org.sonar.iac.common.extension.IacSensor.execute(IacSensor.java:90)
	at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(AbstractSensorWrapper.java:69)
	at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:88)
	at org.sonar.scanner.sensor.ModuleSensorsExecutor.lambda$execute$1(ModuleSensorsExecutor.java:61)
	at org.sonar.scanner.sensor.ModuleSensorsExecutor.withModuleStrategy(ModuleSensorsExecutor.java:79)
	at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:61)
	at org.sonar.scanner.scan.SpringModuleScanContainer.doAfterStart(SpringModuleScanContainer.java:80)
	at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:227)
	at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:206)
	at org.sonar.scanner.scan.SpringProjectScanContainer.scan(SpringProjectScanContainer.java:212)
	at org.sonar.scanner.scan.SpringProjectScanContainer.scanRecursively(SpringProjectScanContainer.java:208)
	at org.sonar.scanner.scan.SpringProjectScanContainer.doAfterStart(SpringProjectScanContainer.java:178)
	at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:227)
	at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:206)
	at org.sonar.scanner.bootstrap.SpringScannerContainer.doAfterStart(SpringScannerContainer.java:339)
	at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:227)
	at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:206)
	at org.sonar.scanner.bootstrap.SpringGlobalContainer.doAfterStart(SpringGlobalContainer.java:142)
	at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:227)
	at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:206)
	at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:73)
	at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:67)
	at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
	at jdk.proxy1/jdk.proxy1.$Proxy0.execute(Unknown Source)
	at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)
	at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)
	at org.sonarsource.scanner.cli.Main.execute(Main.java:126)
	at org.sonarsource.scanner.cli.Main.execute(Main.java:81)
	at org.sonarsource.scanner.cli.Main.main(Main.java:62)

Anyone have any ideas? :frowning:

Sometimes you just have to be patient.

Yeah, understood @Colin, apologies.. it’s more my frustration at not getting it working rather than lack of response..

Hello @tonysnowden-mqube,

thanks for reaching out! Unfortunately, I don’t see any obvious problems with what you described, and I would also expect that indexed files will be resolved correctly during import. The only known problem with tflint is that it raises some issues on non-existent files (e.g. terraform_required_version can raise on terraform.tf even if it’s absent), which is clearly not the case here.

Could you share what version of tflint you are using and which version of SonarQube Server? Also, could you share the problematic section of JSON report, if possible? Also, is /workspace/source a regular directory?

If you want to try some things on your end, you could change locations in tflint.json to be absolute paths and see if it works.

Cheers,
Peter

Hey @peter.trifanov, thanks for the reply..

Version-wise we’re running
TFLint version 0.58.0
SQ * Enterprise Edition * v2025.3 (108892)

The first couple of issues from the report are as follows (both suffer the same “could not be resolved” fail)

{
  "issues": [
    {
      "rule": {
        "name": "terraform_required_version",
        "severity": "warning",
        "link": "https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.12.0/docs/rules/terraform_required_version.md"
      },
      "message": "terraform \"required_version\" attribute is required",
      "range": {
        "filename": "azure_sql_infrastructure/azure_sql_storage_accounts/main.tf",
        "start": {
          "line": 1,
          "column": 1
        },
        "end": {
          "line": 1,
          "column": 10
        }
      },
      "callers": []
    },
    {
      "rule": {
        "name": "terraform_typed_variables",
        "severity": "warning",
        "link": "https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.12.0/docs/rules/terraform_typed_variables.md"
      },
      "message": "`azurerm_mqube` variable has no type",
      "range": {
        "filename": "azure_sql_infrastructure/azure_sql_storage_accounts/variables.tf",
        "start": {
          "line": 2,
          "column": 1
        },
        "end": {
          "line": 2,
          "column": 25
        }
      },
      "callers": []
    },
...

I have tried defining reportPaths using the full path in the cmd ie
-Dsonar.terraform.tflint.reportPaths=/workspace/source/tflint.json
But it unfortunately doesn’t change the fail..

Do you know what the SQ engine is doing when it processes the tflint report with respect to the “filename”? Does it attempt to find/read the file in the repo or is it doing something else.. checking the indexed files maybe?

The dir /workspace/source is our base work dir for pipelines.. On a standard run it contains the repo at HEAD commit and as the pipeline steps process, it can contain other resources tokens/reports/code-coverage. Permissions are open to the user running the pipeline.

I’m going to try and define the report location globally in the UI and remove it from the cmd.. I just found out that is how we do it for golangci-lint reports.. Those are in a diff format (checkstyle xml) but worth a try to change the process.

Appreciate the help…
Tony

Hello again @tonysnowden-mqube,

Yes, the report importer first retrieves file names from JSON and then tries to match them either as relative paths (relative to the scanner execution directory), or as absolute paths (so in theory you could try to manually edit the JSON to have only absolute paths and see if the problem goes away). I still don’t see why it wouldn’t see indexed files… Version-wise your setup also seems fine; one missing piece is which version of sonar-scanner are you using?

Could you maybe share the full log of this execution? If you’d rather do it privately and not post here, I can send you a PM.

HTH,
Peter

Hi & thanks @peter.trifanov

We are on quite an old version - SonarScanner 5.0.1.3006..

I recall testing a more recent image (11.0) a few months ago on a different repo but had some user permission issues.. This older version runs as root rather than the scanner-cli user in the newer image, some cmds errored so I reverted back. There weren’t any issues with the version we were using, I just thought it was time to update.

Maybe this is the issue that forces an update.. I’ll give it a whirl on the latest version with some user tweaks and see if the result is different.

Cheers
Tony

Hi @peter.trifanov

Tried again with image - sonarsource/sonar-scanner-cli:11.3.1.1910_7.1.0
Unfortunately unsuccessful with the same issue.

Thought I would come back with this info sooner than later as there might’ve been something critical in the more recent image.

I’m willing to share the full pipeline log yes.. please PM me and I’ll get it sent over..

Much appreciated..
Tony

Another small update.. I tried updating the tflint report range.filename value to full path definitions.. Example section of the report -

{
  "issues": [
    {
      "rule": {
        "name": "terraform_required_version",
        "severity": "warning",
        "link": "https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.12.0/docs/rules/terraform_required_version.md"
      },
      "message": "terraform \"required_version\" attribute is required",
      "range": {
        "filename": "/workspace/source/azure_sql_infrastructure/azure_sql_storage_accounts/main.tf",
        "start": {
          "line": 1,
          "column": 1
        },
        "end": {
          "line": 1,
          "column": 10
        }
      },
      "callers": []
    },

Same error reported when issues are being imported

12:57:42.696 DEBUG failed to save issue
org.sonar.iac.common.reports.ReportImporterException: The file: /workspace/source/azure_sql_infrastructure/azure_sql_storage_accounts/main.tf could not be resolved

As diagnosed by @peter.trifanov after receiving the logs -


I can see that the regular Terraform analysis, which starts right after the tflint importer, only targets one file:

11:23:01.398 INFO  1 source file to be analyzed
11:23:01.402 DEBUG 'main.tf' generated metadata with charset 'UTF-8'
11:23:01.462 INFO  1/1 source file has been analyzed
11:23:01.462 INFO  Sensor IaC Terraform Sensor [iac] (done) | time=215ms

However, it should target all files indexed with language ‘terraform’. Which makes me think that at this point neither of the sensors “sees” all the files.

Now, I also see that you are running incremental PR analysis, judging by the -Dsonar.pullrequest.* keys and these lines:

11:23:00.816 INFO  SCM collecting changed files in the branch (done) | time=138ms
11:23:00.816 DEBUG SCM reported 7 files changed in the branch

This leads to a hypothesis that files that are not changed in this PR are not visible to the analyzer. Normally, this shouldn’t happen, because Terraform sensor doesn’t have explicit support for incremental analysis, but this would explain the results you’re seeing.

Do I assume correctly that you are setting up tflint import for the first time in a PR, and the base branch analysis doesn’t have these issues yet?


Peter is correct :face_with_monocle:
This run was the first PR after adding SonarQube analysis in lighthouse.. and bar one tweak to the root main.tf, no other changes to terraform files.. As there are no changes & the analysis is incremental, the files are not resolved as part of the tflint issues.

I’ve merged the updates into the default branch and can see the analysis process runs as expected.. The tflint report is imported and from the UI the issues are displayed against the relevant branch.

Thanks again for the support here Peter :trophy:

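Added example, not part of the thread and not SonarQube plugin code: a simplified Python model of the matching described above (relative to the scanner execution directory, or absolute), run once against the files visible in the PR analysis and once against the full branch. The function name `classify_report`, the status strings, and the sample report and file lists are constructed for illustration; the "visible files" set models the thread's hypothesis that unchanged files are hidden from the sensor in a PR run.

```python
import json
from pathlib import PurePosixPath

def classify_report(report, base_dir, visible_files):
    """Map each range.filename in a TFLint JSON report to a status string.

    visible_files are paths relative to base_dir that the analysis exposes to
    the importer (assumption: in a PR run, only files changed in the PR).
    """
    base = PurePosixPath(base_dir)
    visible = {str(PurePosixPath(p)) for p in visible_files}
    result = {}
    for issue in report.get("issues", []):
        name = issue.get("range", {}).get("filename", "")
        path = PurePosixPath(name)
        if not name:
            result[name] = "no-filename"
        elif path.is_absolute() and base not in path.parents:
            result[name] = "outside-base-dir"
        else:
            # Absolute paths are reduced to base-relative form before matching.
            rel = path.relative_to(base) if path.is_absolute() else path
            result[name] = "resolvable" if str(rel) in visible else "not-visible"
    return result

# Constructed sample: same shape as the report quoted in the thread.
MODULE = "azure_sql_infrastructure/azure_sql_storage_accounts"
BASE_DIR = "/workspace/source"
SAMPLE_REPORT = json.loads(json.dumps({"issues": [
    {"rule": {"name": "terraform_required_version"},
     "range": {"filename": f"{MODULE}/main.tf"}},
    {"rule": {"name": "terraform_typed_variables"},
     "range": {"filename": f"{BASE_DIR}/{MODULE}/variables.tf"}},
    {"rule": {"name": "terraform_required_version"},
     "range": {"filename": "main.tf"}},
]}))
PR_VISIBLE = ["main.tf"]  # only the root main.tf changed in the PR
BRANCH_VISIBLE = ["main.tf", f"{MODULE}/main.tf", f"{MODULE}/outputs.tf",
                  f"{MODULE}/variables.tf"]

if __name__ == "__main__":
    for label, files in (("PR", PR_VISIBLE), ("branch", BRANCH_VISIBLE)):
        for name, status in classify_report(SAMPLE_REPORT, BASE_DIR, files).items():
            print(f"{label:6} {status:12} {name}")
```

Feeding it the real `tflint.json` and the output of `git diff --name-only` against the PR base shows, before the scan runs, which report entries point at files the PR did not touch.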

Great to hear that the problem is solved!

I created a ticket to track the problem of misleading warnings on our side, however, at the moment I don’t have any estimate on when it will get addressed.

P.S. and thanks @tonysnowden-mqube for providing a lot of details!

Best,

Peter


And for the record that ticket is SONARIAC-2086 :slight_smile:
