Why is node.js required to run Javascript analysis? (and is it possible to scan without it?)

I came across this error today for the first time:

ERROR: Error when running: 'node -v'. Is Node.js available during analysis?

I know how to fix this, but I have a conceptual question. Why is node.js required to scan Javascript files? I always considered Sonarqube to be a static analysis tool, which by definition means that code is not executed during analysis. So I wonder, what is node being used for?

Incidentally, I have some Javascript projects which are being scanned successfully on this same machine, so I was surprised to come across this error today on a new project. This is with server 7.9.1 and scanner 4.4. It does print out the same error in the logs, but the scan still goes through without error, so the error has not been noticed until now. Maybe because there is not a package.json file in the root directory where the scan takes place or something like that? So, as a follow-up question, under what conditions is it possible for Sonarqube to scan JS files without a node executable? How is the analysis different?

Hey there!

NodeJS is required because Javascript/Typescript analysis is (as of the latest version of SonarQube) entirely based on the ESLint JS front-end (parser).

This means we don’t have to maintain our own frontend, and new language features can be supported quite quickly. It means we can also implement some rules directly from ESLint and its plugins (no need to reinvent the wheel), and in the context of Typescript analysis we have access to type information for better precision.

Overall, lots of benefits for maintainability and the ability to provide good features, and it requires a node runtime (which is why you’re being asked to install NodeJS).

However, it was a gradual migration moving rules from our homegrown frontend to the ESLint frontend over many versions of our Javascript analyzer, which means that in some versions of SonarQube it was still possible to get some analysis results without NodeJS installed.

Whatever the case – you should now definitely make sure NodeJS is installed on machines running analysis, and also consider upgrading to the latest version of SonarQube (v8.8) where now, all rules have been migrated to the new frontend.


Thanks for that explanation.

It’s unfortunate that I now have to know in advance what language I’m going to be scanning before I check out the code to scan it… previously, our infrastructure was agnostic, and any code could be scanned on any machine. Our build environments are heterogeneous by design. I’m sure we’ll figure it out, but it’s sad to lose that generality.

Do other languages have a similar requirement? JS is the first one I’ve encountered it for, but maybe I’ve just been getting lucky so far.
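
The thread notes that on some versions the scan completes while the `node -v` error is only logged, so JavaScript coverage can be lost silently. The following is an added example, not part of the thread and not SonarQube's own code: a fail-closed preflight for a heterogeneous build agent that refuses to scan when the checkout contains JS/TS sources but Node.js is missing. The function names, the `NODE_BIN` variable and the extension list are assumptions.

```shell
#!/bin/sh
# Added example: fail-closed preflight to run before the scanner.
# NODE_BIN (assumed name) lets an agent point at a non-default node binary.
NODE_BIN="${NODE_BIN:-node}"

# has_js_sources DIR: succeed if DIR holds JavaScript/TypeScript sources,
# skipping vendored dependencies and VCS metadata. The extension list is
# an assumption; extend it to match the file suffixes your projects use.
has_js_sources() {
    [ -n "$(find "$1" \( -name node_modules -o -name .git \) -prune -o \
        -type f \( -name '*.js' -o -name '*.jsx' \
                   -o -name '*.ts' -o -name '*.tsx' \) \
        -print 2>/dev/null | head -n 1)" ]
}

# node_available: run the same probe quoted in the scanner error ('node -v').
node_available() {
    "$NODE_BIN" -v >/dev/null 2>&1
}

# preflight DIR: returns 0 when it is safe to scan, 1 when JS/TS sources
# are present but Node.js cannot be run (analysis would be incomplete).
preflight() {
    if ! has_js_sources "$1"; then
        echo "preflight: no JS/TS sources in $1, Node.js not needed"
        return 0
    fi
    if node_available; then
        echo "preflight: JS/TS sources found, node reports $("$NODE_BIN" -v)"
        return 0
    fi
    echo "preflight: JS/TS sources in $1 but '$NODE_BIN -v' failed; refusing to scan" >&2
    return 1
}

# Typical use in a CI step, before invoking the scanner:
#   preflight "$PWD" || exit 1
```

Because the check runs after checkout, the agent does not need to know the project's language in advance; it only blocks the scan when the combination of JS/TS sources and a missing runtime would leave a gap in the results.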