CI system used: GitLab CI
Languages of the repository: javascript (React)
Reproduce: https://rules.sonarsource.com/html/type/Bug/RSPEC-1097
Hello @11138,
How do you scan your repository? Do you run the CI scan yourself, or do you use the SonarCloud autoscan?
If you run the CI scan yourself, can you send the logs of the scan, please?
Olivier
Thanks for the answer. I started a deploy. While the deploy is running, SonarCloud analyzes my code. So after my attempt to reproduce the bug in HTML code, the result isn't good because there are no bugs on the main page.
OK, but can you clarify how this analysis is done? Do you rely on the SonarCloud automatic scan (i.e. you have no specific step in your pipeline to scan the code)? I suspect this is the case but would like to be sure...
Also, I would like to understand how your code is organized. You mention JSX, but you don't give many details on this or on the link to the HTML issue you expect.
Running with gitlab-runner 13.6.0 (8fa89735)
  on docker-auto-scale ed2dce3a
Preparing the "docker+machine" executor  00:18
Using Docker executor with image sonarsource/sonar-scanner-cli:latest ...
Pulling docker image sonarsource/sonar-scanner-cli:latest ...
Using docker image sha256:d2689cf15e8424e2ae5114f1477394c22f8dc2283d05c3ba1705f4087043ab84 for sonarsource/sonar-scanner-cli:latest with digest sonarsource/sonar-scanner-cli@sha256:1358151cc4c3bcd9dc9edabe9feff4671812660db8d1abf08bfb2a777f25d2fd ...
Preparing environment  00:03
Running on runner-ed2dce3a-project-22945891-concurrent-0 via runner-ed2dce3a-srm-1607429125-8960cdb5...
Getting source from Git repository  00:01
$ eval "$CI_PRE_CLONE_SCRIPT"
Fetching changes...
Initialized empty Git repository in /builds/test_stanislav_project/react_sonar_test/.git/
Created fresh repository.
Checking out 1c94638c as master...
Skipping Git submodules setup
Restoring cache  00:07
Checking cache for sonarcloud-check...
Downloading cache.zip from https://storage.googleapis.com/gitlab-com-runners-cache/project/22945891/sonarcloud-check
Successfully extracted cache
Executing "step_script" stage of the job script  00:31
$ sonar-scanner
INFO: Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: /builds/test_stanislav_project/react_sonar_test/sonar-project.properties
INFO: SonarScanner 4.5.0.2216
INFO: Java 11.0.6 AdoptOpenJDK (64-bit)
INFO: Linux 4.19.78-coreos amd64
INFO: User cache: /builds/test_stanislav_project/react_sonar_test/.sonar/cache
INFO: Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: /builds/test_stanislav_project/react_sonar_test/sonar-project.properties
INFO: Analyzing on SonarQube server 8.5.0
INFO: Default locale: "en_US", source code encoding: "UTF-8" (analysis is platform dependent)
INFO: Load global settings
INFO: Load global settings (done) | time=678ms
INFO: Server id: 1BD809FA-AWHW8ct9-T_TB3XqouNu
INFO: User cache: /builds/test_stanislav_project/react_sonar_test/.sonar/cache
INFO: Load/download plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=170ms
INFO: Load/download plugins (done) | time=532ms
INFO: Loaded core extensions: developer-scanner
INFO: JavaScript/TypeScript frontend is enabled
INFO: Found an active CI vendor: 'Gitlab CI'
INFO: Load project settings for component key: '22945891'
INFO: Load project settings for component key: '22945891' (done) | time=127ms
INFO: Process project properties
INFO: Execute project builders
INFO: Execute project builders (done) | time=4ms
INFO: Project key: 22945891
INFO: Base dir: /builds/test_stanislav_project/react_sonar_test
INFO: Working dir: /builds/test_stanislav_project/react_sonar_test/.scannerwork
INFO: Load project branches
INFO: Load project branches (done) | time=117ms
INFO: Check ALM binding of project '22945891'
INFO: Detected project binding: NOT_BOUND
INFO: Check ALM binding of project '22945891' (done) | time=114ms
INFO: Load project pull requests
INFO: Load project pull requests (done) | time=117ms
INFO: Load branch configuration
INFO: Auto-configuring branch master
INFO: Load branch configuration (done) | time=5ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=178ms
INFO: Load active rules
INFO: Load active rules (done) | time=3853ms
INFO: Organization key: stanislav-andreev-1998
INFO: Branch name: master, type: long living
INFO: Indexing files...
INFO: Project configuration:
INFO: Load project repositories
INFO: Load project repositories (done) | time=118ms
INFO: 18 files indexed
INFO: 0 files ignored because of scm ignore settings
INFO: Quality profile for css: Sonar way
INFO: Quality profile for js: Sonar way
INFO: Quality profile for web: Sonar way
INFO: ------------- Run sensors on module 22945891
INFO: JavaScript/TypeScript frontend is enabled
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=122ms
INFO: Sensor SonarCSS Metrics [cssfamily]
INFO: Sensor SonarCSS Metrics [cssfamily] (done) | time=92ms
INFO: Sensor SonarCSS Rules [cssfamily]
INFO: 3 source files to be analyzed
INFO: 3/3 source files have been analyzed
INFO: Sensor SonarCSS Rules [cssfamily] (done) | time=1902ms
INFO: Sensor C# Properties [csharp]
INFO: Sensor C# Properties [csharp] (done) | time=1ms
INFO: Sensor JavaXmlSensor [java]
INFO: Sensor JavaXmlSensor [java] (done) | time=5ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=107ms
INFO: Sensor VB.NET Properties [vbnet]
INFO: Sensor VB.NET Properties [vbnet] (done) | time=1ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: 'sonar.coverage.jacoco.xmlReportPaths' is not defined. Using default locations: target/site/jacoco/jacoco.xml,target/site/jacoco-it/jacoco.xml,build/reports/jacoco/test/jacocoTestReport.xml
INFO: No report imported, no coverage information will be imported by JaCoCo XML Report Importer
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=6ms
INFO: Sensor JavaScript analysis [javascript]
INFO: Deploying custom rules bundle jar:file:/builds/test_stanislav_project/react_sonar_test/.sonar/cache/4158f9352ed99547675b573f57377fda/sonar-securityjsfrontend-plugin.jar!/js-vulnerabilities-rules-1.0.0.tgz to /builds/test_stanislav_project/react_sonar_test/.scannerwork/.sonartmp/901449771535204150
INFO: 6 source files to be analyzed
INFO: Version of TypeScript used during analysis: 3.8.3
INFO: 6/6 source files have been analyzed
INFO: Java-based frontend sensor [javascript]
INFO: 6 source files to be analyzed
INFO: 6/6 source files have been analyzed
INFO: Java-based frontend sensor [javascript] (done) | time=751ms
INFO: Sensor JavaScript analysis [javascript] (done) | time=5670ms
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend]
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend] (done) | time=2ms
INFO: Sensor JavaSecuritySensor [security]
INFO: Reading type hierarchy from: /builds/test_stanislav_project/react_sonar_test/.scannerwork/ucfg2/java
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /builds/test_stanislav_project/react_sonar_test/.scannerwork/ucfg2/java
INFO: No UCFGs have been included for analysis.
INFO: Sensor JavaSecuritySensor [security] (done) | time=9ms
INFO: Sensor CSharpSecuritySensor [security]
INFO: Reading type hierarchy from: /builds/test_stanislav_project/react_sonar_test/ucfg_cs2
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /builds/test_stanislav_project/react_sonar_test/ucfg_cs2
INFO: No UCFGs have been included for analysis.
INFO: Sensor CSharpSecuritySensor [security] (done) | time=2ms
INFO: Sensor PhpSecuritySensor [security]
INFO: Reading type hierarchy from: /builds/test_stanislav_project/react_sonar_test/.scannerwork/ucfg2/php
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /builds/test_stanislav_project/react_sonar_test/.scannerwork/ucfg2/php
INFO: No UCFGs have been included for analysis.
INFO: Sensor PhpSecuritySensor [security] (done) | time=3ms
INFO: Sensor PythonSecuritySensor [security]
INFO: Reading type hierarchy from: /builds/test_stanislav_project/react_sonar_test/.scannerwork/ucfg2/python
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /builds/test_stanislav_project/react_sonar_test/.scannerwork/ucfg2/python
INFO: No UCFGs have been included for analysis.
INFO: Sensor PythonSecuritySensor [security] (done) | time=2ms
INFO: Sensor JsSecuritySensor [security]
INFO: Reading type hierarchy from: /builds/test_stanislav_project/react_sonar_test/.scannerwork/ucfg2/js
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /builds/test_stanislav_project/react_sonar_test/.scannerwork/ucfg2/js
INFO: 12:07:06.742598 Building Type propagation graph
INFO: 12:07:06.75452 Running Tarjan on 39 nodes
INFO: 12:07:06.757623 Tarjan found 39 components
INFO: 12:07:06.766017 Variable type analysis: done
INFO: 12:07:06.766756 Building Type propagation graph
INFO: 12:07:06.773987 Running Tarjan on 39 nodes
INFO: 12:07:06.774811 Tarjan found 39 components
INFO: 12:07:06.776063 Variable type analysis: done
INFO: Analyzing 12 ucfgs to detect vulnerabilities.
INFO: rule: S3649, entrypoints: 6
INFO: Running symbolic analysis
INFO: rule: S3649 done
INFO: Sensor JsSecuritySensor [security] (done) | time=340ms
INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=17ms
INFO: SCM Publisher SCM provider for this project is: git
INFO: SCM Publisher 1 source file to be analyzed
INFO: SCM Publisher 1/1 source file have been analyzed (done) | time=177ms
INFO: CPD Executor 2 files had no CPD blocks
INFO: CPD Executor Calculating CPD for 5 files
INFO: CPD Executor CPD calculation finished (done) | time=15ms
INFO: Analysis report generated in 367ms, dir size=171 KB
INFO: Analysis report compressed in 51ms, zip size=44 KB
INFO: Analysis report uploaded in 392ms
INFO: ANALYSIS SUCCESSFUL, you can find the results at: https://sonarcloud.io/dashboard?id=22945891&branch=master
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at https://sonarcloud.io/api/ce/task?id=AXZCP4WxObpShwSmkP7x
INFO: Analysis total time: 25.116 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 29.033s
INFO: Final Memory: 28M/92M
INFO: ------------------------------------------------------------------------
Saving cache for successful job  00:12
Creating cache sonarcloud-check...
.sonar/cache: found 149 matching files and directories
Uploading cache.zip to https://storage.googleapis.com/gitlab-com-runners-cache/project/22945891/sonarcloud-check
Created cache
Cleaning up file based variables  00:00
Job succeeded
Thanks Stanislav,
So it looks like you're doing everything correctly. Going back to the title of the thread, "SonarCloud skips bugs in HTML that is returned by JSX", I suspect that the problem comes from the fact that the HTML code is not in a file whose extension (.jsx) maps to the HTML analyzer.
A few exceptions aside, SonarCloud can currently only analyze a given file with one language analyzer (the one associated with the extension). If you have files that are a mix of several languages (like JS and HTML), then you cannot analyze both.
Let me know if that is your case.
If confirmed, to be able to analyze the HTML part, you would have to split the HTML and the JS into two different files.
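For readers trying to map the diagnosis above onto the job log posted earlier, here is a GitLab CI job that reproduces that scan, written as an added illustration; it is not Stanislav's actual .gitlab-ci.yml or sonar-project.properties. The image, the cache key and path, the script line, the project key, the organization and the branch are taken from the log; the stage name, `sonar.sources=src`, the SONAR_TOKEN variable and the (abridged) suffix lists are assumptions. One deliberate change from the log: the scanner image is pinned to the digest the runner resolved rather than the floating `latest` tag, so the analyzer set that runs in the pipeline cannot change between runs without a visible diff.

```yaml
# Added example (not the poster's own pipeline file): a GitLab CI job that
# matches the "sonarcloud-check" scan in the log above.
# Assumptions: stage "test"; SONAR_TOKEN stored as a masked, protected CI/CD
# variable in the project settings rather than in any committed file.
stages:
  - test

sonarcloud-check:
  stage: test
  image:
    # The log pulled sonarsource/sonar-scanner-cli:latest and resolved it to
    # this digest. Pinning the digest instead of the tag keeps the scan
    # reproducible and stops an upstream tag move from silently changing which
    # scanner version (and which downloaded analyzers) examine the code.
    name: sonarsource/sonar-scanner-cli@sha256:1358151cc4c3bcd9dc9edabe9feff4671812660db8d1abf08bfb2a777f25d2fd
    entrypoint: [""]
  variables:
    SONAR_HOST_URL: "https://sonarcloud.io"
    # Keeps the scanner cache inside the project tree, which is what the log
    # shows ("User cache: /builds/.../react_sonar_test/.sonar/cache") and what
    # makes the cache: block below effective.
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"
    GIT_DEPTH: "0"   # full clone so the SCM publisher can read git history
  cache:
    key: sonarcloud-check
    paths:
      - .sonar/cache
  script:
    - sonar-scanner
  only:
    - master

# sonar-project.properties at the repository root (assumed contents; the key
# and organization are the values printed in the log). The two suffix lines
# are the analyzer defaults, abridged, and are the reason for the behaviour
# discussed in this thread: every file is routed to exactly one analyzer by
# its extension, so a .jsx file goes to the JavaScript analyzer and the HTML
# rules (such as RSPEC-1097) never see the markup returned inside it.
#
#   sonar.projectKey=22945891
#   sonar.organization=stanislav-andreev-1998
#   sonar.sources=src
#   sonar.javascript.file.suffixes=.js,.jsx
#   sonar.html.file.suffixes=.html,.xhtml
```

To check which analyzer a given file landed in, compare the "N source files to be analyzed" counts under each sensor in the log against the number of files with each extension in `sonar.sources`; in the log above the HTML sensor reports no files at all, while the JavaScript sensor reports 6.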
Yes, it's my case. But React is based on this format of code. And... I don't think it's the right way to divide my code into different files. So I think it will work and I don't see a way to use Sonar, because it can't