Why does sonarcloud skip bugs in html that is returned by jsx

CI system used: GitLab CI
Languages of the repository: javascript (React)
Reproduce: https://rules.sonarsource.com/html/type/Bug/RSPEC-1097

Hello @11138,
How do you scan your repository ? You run your CI scan yourself or you use SonarCloud autoscan ?
If you run your CI scan yourself, can you send the logs of the scan please.

thanks for the answer, I started deploy. While deploy is running, sonarcloud analyze my code. So after my trying to reproduce bug in html code, The result isn’t good bcs no bugs on the main page.

OK, but can you clarify how this analysis is done ? Do you rely on SonarCloud automatic scan (ie you have no specific step in your pipeline to scan the code) ? I suspect this is the case but would like to be sure…

Also I would like to understand how is your code organized. You mention jsx but you don’t give much details on this and the link to the HTML issue you expect.

Running with gitlab-runner 13.6.0 (8fa89735)

2 on docker-auto-scale ed2dce3a

3Preparing the “docker+machine” executor


4Using Docker executor with image sonarsource/sonar-scanner-cli:latest …

5Pulling docker image sonarsource/sonar-scanner-cli:latest …

6Using docker image sha256:d2689cf15e8424e2ae5114f1477394c22f8dc2283d05c3ba1705f4087043ab84 for sonarsource/sonar-scanner-cli:latest with digest sonarsource/sonar-scanner-cli@sha256:1358151cc4c3bcd9dc9edabe9feff4671812660db8d1abf08bfb2a777f25d2fd …

8Preparing environment


9Running on runner-ed2dce3a-project-22945891-concurrent-0 via runner-ed2dce3a-srm-1607429125-8960cdb5…

11Getting source from Git repository



13Fetching changes…

14Initialized empty Git repository in /builds/test_stanislav_project/react_sonar_test/.git/

15Created fresh repository.

16Checking out 1c94638c as master…

17Skipping Git submodules setup

19Restoring cache


20Checking cache for sonarcloud-check…

21Downloading cache.zip from https://storage.googleapis.com/gitlab-com-runners-cache/project/22945891/sonarcloud-check

22Successfully extracted cache

24Executing “step_script” stage of the job script


25$ sonar-scanner

26INFO: Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties

27INFO: Project root configuration file: /builds/test_stanislav_project/react_sonar_test/sonar-project.properties

28INFO: SonarScanner

29INFO: Java 11.0.6 AdoptOpenJDK (64-bit)

30INFO: Linux 4.19.78-coreos amd64

31INFO: User cache: /builds/test_stanislav_project/react_sonar_test/.sonar/cache

32INFO: Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties

33INFO: Project root configuration file: /builds/test_stanislav_project/react_sonar_test/sonar-project.properties

34INFO: Analyzing on SonarQube server 8.5.0

35INFO: Default locale: “en_US”, source code encoding: “UTF-8” (analysis is platform dependent)

36INFO: Load global settings

37INFO: Load global settings (done) | time=678ms

38INFO: Server id: 1BD809FA-AWHW8ct9-T_TB3XqouNu

39INFO: User cache: /builds/test_stanislav_project/react_sonar_test/.sonar/cache

40INFO: Load/download plugins

41INFO: Load plugins index

42INFO: Load plugins index (done) | time=170ms

43INFO: Load/download plugins (done) | time=532ms

44INFO: Loaded core extensions: developer-scanner

45INFO: JavaScript/TypeScript frontend is enabled

46INFO: Found an active CI vendor: ‘Gitlab CI’

47INFO: Load project settings for component key: ‘22945891’

48INFO: Load project settings for component key: ‘22945891’ (done) | time=127ms

49INFO: Process project properties

50INFO: Execute project builders

51INFO: Execute project builders (done) | time=4ms

52INFO: Project key: 22945891

53INFO: Base dir: /builds/test_stanislav_project/react_sonar_test

54INFO: Working dir: /builds/test_stanislav_project/react_sonar_test/.scannerwork

55INFO: Load project branches

56INFO: Load project branches (done) | time=117ms

57INFO: Check ALM binding of project ‘22945891’

58INFO: Detected project binding: NOT_BOUND

59INFO: Check ALM binding of project ‘22945891’ (done) | time=114ms

60INFO: Load project pull requests

61INFO: Load project pull requests (done) | time=117ms

62INFO: Load branch configuration

63INFO: Auto-configuring branch master

64INFO: Load branch configuration (done) | time=5ms

65INFO: Load quality profiles

66INFO: Load quality profiles (done) | time=178ms

67INFO: Load active rules

68INFO: Load active rules (done) | time=3853ms

69INFO: Organization key: stanislav-andreev-1998

70INFO: Branch name: master, type: long living

71INFO: Indexing files…

72INFO: Project configuration:

73INFO: Load project repositories

74INFO: Load project repositories (done) | time=118ms

75INFO: 18 files indexed

76INFO: 0 files ignored because of scm ignore settings

77INFO: Quality profile for css: Sonar way

78INFO: Quality profile for js: Sonar way

79INFO: Quality profile for web: Sonar way

80INFO: ------------- Run sensors on module 22945891

81INFO: JavaScript/TypeScript frontend is enabled

82INFO: Load metrics repository

83INFO: Load metrics repository (done) | time=122ms

84INFO: Sensor SonarCSS Metrics [cssfamily]

85INFO: Sensor SonarCSS Metrics [cssfamily] (done) | time=92ms

86INFO: Sensor SonarCSS Rules [cssfamily]

87INFO: 3 source files to be analyzed

88INFO: 3/3 source files have been analyzed

89INFO: Sensor SonarCSS Rules [cssfamily] (done) | time=1902ms

90INFO: Sensor C# Properties [csharp]

91INFO: Sensor C# Properties [csharp] (done) | time=1ms

92INFO: Sensor JavaXmlSensor [java]

93INFO: Sensor JavaXmlSensor [java] (done) | time=5ms

94INFO: Sensor HTML [web]

95INFO: Sensor HTML [web] (done) | time=107ms

96INFO: Sensor VB.NET Properties [vbnet]

97INFO: Sensor VB.NET Properties [vbnet] (done) | time=1ms

98INFO: Sensor JaCoCo XML Report Importer [jacoco]

99INFO: ‘sonar.coverage.jacoco.xmlReportPaths’ is not defined. Using default locations: target/site/jacoco/jacoco.xml,target/site/jacoco-it/jacoco.xml,build/reports/jacoco/test/jacocoTestReport.xml

100INFO: No report imported, no coverage information will be imported by JaCoCo XML Report Importer

101INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=6ms

102INFO: Sensor JavaScript analysis [javascript]

103INFO: Deploying custom rules bundle jar:file:/builds/test_stanislav_project/react_sonar_test/.sonar/cache/4158f9352ed99547675b573f57377fda/sonar-securityjsfrontend-plugin.jar!/js-vulnerabilities-rules-1.0.0.tgz to /builds/test_stanislav_project/react_sonar_test/.scannerwork/.sonartmp/901449771535204150

104INFO: 6 source files to be analyzed

105INFO: Version of TypeScript used during analysis: 3.8.3

106INFO: 6/6 source files have been analyzed

107INFO: Java-based frontend sensor [javascript]

108INFO: 6 source files to be analyzed

109INFO: 6/6 source files have been analyzed

110INFO: Java-based frontend sensor [javascript] (done) | time=751ms

111INFO: Sensor JavaScript analysis [javascript] (done) | time=5670ms

112INFO: Sensor ThymeLeaf template sensor [securityjavafrontend]

113INFO: Sensor ThymeLeaf template sensor [securityjavafrontend] (done) | time=2ms

114INFO: Sensor JavaSecuritySensor [security]

115INFO: Reading type hierarchy from: /builds/test_stanislav_project/react_sonar_test/.scannerwork/ucfg2/java

116INFO: Read 0 type definitions

117INFO: Reading UCFGs from: /builds/test_stanislav_project/react_sonar_test/.scannerwork/ucfg2/java

118INFO: No UCFGs have been included for analysis.

119INFO: Sensor JavaSecuritySensor [security] (done) | time=9ms

120INFO: Sensor CSharpSecuritySensor [security]

121INFO: Reading type hierarchy from: /builds/test_stanislav_project/react_sonar_test/ucfg_cs2

122INFO: Read 0 type definitions

123INFO: Reading UCFGs from: /builds/test_stanislav_project/react_sonar_test/ucfg_cs2

124INFO: No UCFGs have been included for analysis.

125INFO: Sensor CSharpSecuritySensor [security] (done) | time=2ms

126INFO: Sensor PhpSecuritySensor [security]

127INFO: Reading type hierarchy from: /builds/test_stanislav_project/react_sonar_test/.scannerwork/ucfg2/php

128INFO: Read 0 type definitions

129INFO: Reading UCFGs from: /builds/test_stanislav_project/react_sonar_test/.scannerwork/ucfg2/php

130INFO: No UCFGs have been included for analysis.

131INFO: Sensor PhpSecuritySensor [security] (done) | time=3ms

132INFO: Sensor PythonSecuritySensor [security]

133INFO: Reading type hierarchy from: /builds/test_stanislav_project/react_sonar_test/.scannerwork/ucfg2/python

134INFO: Read 0 type definitions

135INFO: Reading UCFGs from: /builds/test_stanislav_project/react_sonar_test/.scannerwork/ucfg2/python

136INFO: No UCFGs have been included for analysis.

137INFO: Sensor PythonSecuritySensor [security] (done) | time=2ms

138INFO: Sensor JsSecuritySensor [security]

139INFO: Reading type hierarchy from: /builds/test_stanislav_project/react_sonar_test/.scannerwork/ucfg2/js

140INFO: Read 0 type definitions

141INFO: Reading UCFGs from: /builds/test_stanislav_project/react_sonar_test/.scannerwork/ucfg2/js

142INFO: 12:07:06.742598 Building Type propagation graph

143INFO: 12:07:06.75452 Running Tarjan on 39 nodes

144INFO: 12:07:06.757623 Tarjan found 39 components

145INFO: 12:07:06.766017 Variable type analysis: done

146INFO: 12:07:06.766756 Building Type propagation graph

147INFO: 12:07:06.773987 Running Tarjan on 39 nodes

148INFO: 12:07:06.774811 Tarjan found 39 components

149INFO: 12:07:06.776063 Variable type analysis: done

150INFO: Analyzing 12 ucfgs to detect vulnerabilities.

151INFO: rule: S3649, entrypoints: 6

152INFO: Running symbolic analysis

153INFO: rule: S3649 done

154INFO: Sensor JsSecuritySensor [security] (done) | time=340ms

155INFO: ------------- Run sensors on project

156INFO: Sensor Zero Coverage Sensor

157INFO: Sensor Zero Coverage Sensor (done) | time=17ms

158INFO: SCM Publisher SCM provider for this project is: git

159INFO: SCM Publisher 1 source file to be analyzed

160INFO: SCM Publisher 1/1 source file have been analyzed (done) | time=177ms

161INFO: CPD Executor 2 files had no CPD blocks

162INFO: CPD Executor Calculating CPD for 5 files

163INFO: CPD Executor CPD calculation finished (done) | time=15ms

164INFO: Analysis report generated in 367ms, dir size=171 KB

165INFO: Analysis report compressed in 51ms, zip size=44 KB

166INFO: Analysis report uploaded in 392ms

167INFO: ANALYSIS SUCCESSFUL, you can find the results at: https://sonarcloud.io/dashboard?id=22945891&branch=master

168INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report

169INFO: More about the report processing at https://sonarcloud.io/api/ce/task?id=AXZCP4WxObpShwSmkP7x

170INFO: Analysis total time: 25.116 s

171INFO: ------------------------------------------------------------------------


173INFO: ------------------------------------------------------------------------

174INFO: Total time: 29.033s

175INFO: Final Memory: 28M/92M

176INFO: ------------------------------------------------------------------------

178Saving cache for successful job


179Creating cache sonarcloud-check…

180.sonar/cache: found 149 matching files and directories

181Uploading cache.zip to https://storage.googleapis.com/gitlab-com-runners-cache/project/22945891/sonarcloud-check

182Created cache

184Cleaning up file based variables


186Job succeeded

Thanks Stanislav,

So it looks like you’re doing everything correctly. Going back to the title of the thread SonarClooud skips bugs in HTML that is returned by jsx, I suspect that the problem comes from the fact that the HTML code is not in a file whose extension (.jsx) maps with the HTML analyzer.
A few exceptions aside, currently SonarCloud can only analyze a given file with one language analyzer (the one associate with the extension). If you have files that are are mix of several languages (like JS and HTML) then you cannot analyze both.
Let me know if that is your case.
If confirmed, to be able to analyze the HTML part, you would have to split the HTML and the JS in 2 different files

yes, it’s my case. But react base on this format of code. And… I don’t guess that it’s a right way to divide my code into different files. So i think it will work and i don’t see the way to use sonar. Bcs it can’t