which versions are you using: Developer Edition v10.6, sonarqube-scanner 4.2.3
how is SonarQube deployed: Docker
Sonar scan is looking in ignored directories:
ScannerEngine: Found file: /h/bldrtlv/jenkins/git_repo/prod/emweb_PR-1028/frontend/node_modules/.pnpm/any-promise@1.3.0/node_modules/any-promise/package.json
ScannerEngine: Found file: /h/bldrtlv/jenkins/git_repo/prod/emweb_PR-1028/frontend/.nx/cache/10620624721087522902/outputs/dist/libs/shared/proto/package.json
ScannerEngine: Found file: /h/bldrtlv/jenkins/git_repo/prod/emweb_PR-1028/frontend/.sonar-dev/.sonartmp/bridge-bundle/package/node_modules/@babel/helpers/scripts/package.json
The directories (node_modules, .nx, and sonar-dev) are already listed in .gitignore. Why is the Sonar scan still looking in these ignored directories?
Which scanner are you using, and how are you ignoring directories?
Unfortunately the SonarScanner for .NET doesn’t honor exclusions directly. So those files will still be analyzed but the results filtered at the server level. All the other scanners do actually ignore excluded files.
It’s not clear to me quite where in the analysis you’re seeing these file accesses, but the scanner works by first indexing all the files that fall under sonar.sources directories, and then applying exclusions to remove files from the set.
So if it’s possible for you to narrow your sonar.sources and sonar.tests definitions, that would be your best first step.
Beyond that, it’s a very rare case indeed where you need to use both inclusions and exclusions together. Without knowing the structure of your project, it’s difficult for me to suggest configuration refinements, but I suspect you can simply omit sonar.inclusions (what other languages are present in your project and why would you not want them analyzed?) and you can certainly remove sonar.cpd.exclusions, since nothing that’s already been excluded by sonar.exclusions would even be considered for duplication detection (which is what sonar.cpd.exclusions relates to).
The sonar.sources and sonar.tests settings include only the libs and apps root directories, but the Sonar scan still checks other root directories (node_modules, .nx, and .sonar-dev), as you can see in the Sonar scan log above.
The project structure is as follows:
libs
apps
node_modules
.nx
.sonar-dev
The question is, why does Sonar scan directories outside of sonar.sources and sonar.tests?