philips-software / sonar-scanner-action
GitHub Sonar Action
License: MIT License
We should keep the scanner up to date.
Update version of the scanner to 4.8.0.2856
https://docs.sonarqube.org/latest/analyzing-source-code/scanners/sonarscanner/
We are in the process of migrating OmniLearn from GitLab to GitHub. On GitLab, we executed the scanner directly and passed some parameters on the command line and some using the sonar-project.properties file. Is there a way to pass parameters using a properties file also with the sonarqube action, and how would I set this up?
I tried the snippet https://github.com/philips-software/sonar-scanner-action#invoke-the-scanner-with-pull-request-decoration and am getting an error with that. The second one is https://github.com/philips-software/sonar-scanner-action#create-configuration-for-the-scanner-with-pull-request-decoration
Does this need a Docker container? Can you please give me the steps to integrate with pull request decoration?
We are in the process of migrating OmniLearn from GitLab to GitHub. We tried to use the sonarqube action to activate sonarqube analysis of our project. We did this by adding the following snippet to our GitHub workflow configuration:
- name: Update sonarqube
  uses: philips-software/[email protected]
  with:
    token: ${{ secrets.SONARQUBE_TOKEN }}
    projectName: omnilearn
    projectKey: prh.omnilearn-linux
    url: https://sonarqube.ta.philips.com/
When running the workflow, we currently get the following error:
/root/sonar-scanner-4.3.0.2102-linux/bin/sonar-scanner -Dsonar.login=*** -Dsonar.host.url=https://sonarqube.ta.philips.com/ -Dsonar.projectKey=prh.omnilearn-linux -Dsonar.projectName='omnilearn' -Dsonar.scm.provider=git -Dsonar.sourceEncoding=UTF-8 -Dsonar.qualitygate.wait=false -Dsonar.branch.name=develop
INFO: Scanner configuration file: /root/sonar-scanner-4.3.0.2102-linux/conf/sonar-scanner.properties
INFO: Project root configuration file: /github/workspace/sonar-project.properties
INFO: SonarScanner 4.3.0.2102
INFO: Java 1.8.0_252 Oracle Corporation (64-bit)
INFO: Linux 4.14.243-185.433.amzn2.x86_64 amd64
INFO: User cache: /root/.sonar/cache
INFO: Scanner configuration file: /root/sonar-scanner-4.3.0.2102-linux/conf/sonar-scanner.properties
INFO: Project root configuration file: /github/workspace/sonar-project.properties
INFO: Analyzing on SonarQube server 9.0.1
INFO: Default locale: "en_US", source code encoding: "UTF-8"
INFO: ------------------------------------------------------------------------
INFO: EXECUTION FAILURE
INFO: ------------------------------------------------------------------------
INFO: Total time: 1.666s
INFO: Final Memory: 4M/72M
INFO: ------------------------------------------------------------------------
ERROR: Error during SonarScanner execution
java.lang.UnsupportedClassVersionError: org/sonar/batch/bootstrapper/EnvironmentInformation has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:756)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:468)
at java.net.URLClassLoader.access$100(URLClassLoader.java:74)
at java.net.URLClassLoader$1.run(URLClassLoader.java:369)
at java.net.URLClassLoader$1.run(URLClassLoader.java:363)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:362)
at org.sonarsource.scanner.api.internal.IsolatedClassloader.loadClass(IsolatedClassloader.java:82)
at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
at org.sonarsource.scanner.api.internal.batch.DefaultBatchFactory.createBatch(DefaultBatchFactory.java:32)
at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
at com.sun.proxy.$Proxy0.execute(Unknown Source)
at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)
at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)
at org.sonarsource.scanner.cli.Main.execute(Main.java:112)
at org.sonarsource.scanner.cli.Main.execute(Main.java:75)
at org.sonarsource.scanner.cli.Main.main(Main.java:61)
ERROR:
ERROR: Re-run SonarScanner using the -X switch to enable full debug logging.
Error: The process '/root/sonar-scanner-4.3.0.2102-linux/bin/sonar-scanner' failed with exit code 1
I don't quite understand what the error is and how to fix it. Can you please help with this?
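The failing line in the log above is a Java class-file version mismatch: a class file major version is the Java release plus 44, so "class file version 55.0" means the downloaded scanner class was built for Java 11, while the JVM in the image (Java 1.8.0_252 in the same log) only loads up to 52.0, i.e. Java 8. The fix is therefore a Java 11 (or newer) runtime for the scanner, not a scanner configuration change. The script below is an added example, not code from the action or from the issue; it decodes such an error line so the required runtime is visible at a glance. The sample line is the one from the log.

```shell
#!/bin/sh
# Added example: decode the class-file versions in a java.lang.UnsupportedClassVersionError.
# JVM class file major version = Java release + 44 (45 = Java 1.1, 52 = Java 8, 55 = Java 11).

# Map a class file version such as "55.0" or "55" to a Java release number such as 11.
class_file_to_java_release() {
    major=${1%%.*}              # "55.0" -> "55"
    echo $((major - 44))
}

# Given one UnsupportedClassVersionError line, print which Java release the class needs and
# which release the running JVM tops out at. Prints nothing and returns 1 if the line does
# not carry both numbers.
diagnose_class_version_error() {
    line=$1
    case $line in
        *UnsupportedClassVersionError*) ;;
        *) return 1 ;;
    esac
    compiled=$(printf '%s\n' "$line" | sed -n \
        's/.*compiled by a more recent version of the Java Runtime (class file version \([0-9.]*\)).*/\1/p')
    supported=$(printf '%s\n' "$line" | sed -n \
        's/.*recognizes class file versions up to \([0-9.]*\).*/\1/p')
    [ -n "$compiled" ] && [ -n "$supported" ] || return 1
    printf 'needs Java %s, runtime supports up to Java %s\n' \
        "$(class_file_to_java_release "$compiled")" \
        "$(class_file_to_java_release "$supported")"
}

# Sample input: the error line quoted from the log in the issue.
SAMPLE_LINE='java.lang.UnsupportedClassVersionError: org/sonar/batch/bootstrapper/EnvironmentInformation has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0'

diagnose_class_version_error "$SAMPLE_LINE"
```

Run against the sample line it prints "needs Java 11, runtime supports up to Java 8", which matches the Java 1.8 runtime the log reports and points at the image's JRE as the thing to upgrade.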
Hi all, are there currently any plans to allow this action to be usable with the Community edition of SonarQube? Due to the -Dsonar.branch.name flag getting set and Community edition not supporting branches our builds fail when using this action. I'm more than willing to take on the work and start a PR if you all want to support Community edition.
When using branches like 'feature/xyz', the Action will push to SonarQube with 'xyz' as the branch name.
This seems inconsistent with the actual branch name in git.
IMHO this should be the same, ergo 'feature/xyz' should be sent to SonarQube.
https://github.com/philips-software/sonar-scanner-action/blob/master/src/sonarScanner.ts#L6
A few months ago SonarQube created a GitHub Action. I was wondering if it still makes sense to continue developing this repo if Sonar is now supporting Actions out of the box.
See: https://github.com/SonarSource/sonarqube-scan-action and https://docs.sonarqube.org/latest/analysis/github-integration/
I've created a GitHub Actions workflow that follows your instructions. On the first run, it works fine.
However, on the second run, actions/checkout@master fails because it tries to clean the repository but the ".scannerwork" directory is owned by root (as that is how the Docker container runs) and the clean up fails.
I've tried adding .scannerwork to the .gitignore file but that hasn't made any difference.
It would seem that an appropriate solution would be a post run step in the action that removes the ".scannerwork" directory.
If there is an alternative solution, please share/document it.
Thanks.
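A workaround that does not need a change to the action is a final workflow step (run with `if: always()` so it also fires after a failed scan) that removes the root-owned directory before the next checkout has to clean it. The script below is an added example, not code from the action or the issue: it tries a plain removal first and only escalates with sudo when the directory is not writable by the runner user. That sudo is available without a password is an assumption about the runner (true for GitHub-hosted Ubuntu runners, not necessarily for self-hosted ones); the `.scannerwork` path is the one from the issue.

```shell
#!/bin/sh
# Added example, not part of the action: remove a directory that a container step left behind
# owned by root (here .scannerwork) so that the next actions/checkout clean step does not fail.
# Intended for a final workflow step that runs with `if: always()`.

cleanup_scanner_dir() {
    dir=${1:-.scannerwork}
    [ -e "$dir" ] || return 0                      # nothing left over, nothing to do
    # Fast path: the directory is writable by us, so a plain rm succeeds.
    if [ -w "$dir" ] && rm -rf "$dir" 2>/dev/null; then
        return 0
    fi
    # Slow path: root-owned leftovers need elevated rights. sudo -n never prompts; it fails
    # instead, which is what we want on a runner. Assumption: passwordless sudo is configured.
    if ! command -v sudo >/dev/null 2>&1 || ! sudo -n rm -rf "$dir"; then
        echo "cannot remove $dir: not writable by $(id -un) and no usable sudo" >&2
        return 1
    fi
    [ ! -e "$dir" ]
}

# Stand-alone use: clean the workspace's scanner directory (GITHUB_WORKSPACE is set on runners).
cleanup_scanner_dir "${GITHUB_WORKSPACE:-.}/.scannerwork"
```

The alternative of adding the directory to .gitignore does not help, as the issue notes, because the checkout action's clean step removes untracked and ignored files alike and fails on the permission error either way.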
It is currently not clear from the documentation how to enable pr decoration. When reading the readme.md I have the following questions:
Or
A short guide on how to enable pr decoration
We are migrating from GitLab to GitHub. In our old GitLab config, we used to invoke sonarqube directly from the command line, which allowed us to read the current version from the Python package's version file and pass it as a parameter to sonarqube like this:
export CI_VERSION=`cat omnilearn/__version__.py | sed 's/__version__ = "\(.*\)"/\1/g'`
sonar-scanner -Dsonar.projectVersion=${CI_VERSION}
How can we achieve something similar with the sonar-scanner-action?
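One way to carry a value such as the project version into the action without a dedicated input is to write it into sonar-project.properties before the scanner step: the log earlier on this page shows the scanner reading `/github/workspace/sonar-project.properties` as its project root configuration file, so properties placed there are picked up. The script below is an added example, not code from the action or the issue; it reads the version the same way as the GitLab command above and sets `sonar.projectVersion` idempotently, so repeated runs do not accumulate duplicate keys. The `omnilearn/__version__.py` path comes from the question; the sample files at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: derive the project version from a Python __version__.py and record it in
# sonar-project.properties, which the scanner reads from the project root.

# Print the version from a file containing a line like:  __version__ = "1.2.3"
read_python_version() {
    sed -n 's/^__version__ *= *"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Set sonar.projectVersion=<version> in the given properties file. Any existing
# sonar.projectVersion line is dropped first, so the key is never duplicated.
# Prints the resulting line.
set_sonar_project_version() {
    props=$1
    version=$2
    [ -f "$props" ] || : > "$props"
    tmp=$(mktemp)
    {
        grep -v '^sonar\.projectVersion=' "$props" || :   # grep -v exits 1 on empty output
        printf 'sonar.projectVersion=%s\n' "$version"
    } > "$tmp"
    mv "$tmp" "$props"
    grep '^sonar\.projectVersion=' "$props"
}

# Constructed sample input mirroring the omnilearn layout from the question.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/omnilearn"
printf '__version__ = "2.4.1"\n' > "$demo_dir/omnilearn/__version__.py"
printf 'sonar.projectKey=prh.omnilearn-linux\nsonar.projectVersion=0.0.0\n' \
    > "$demo_dir/sonar-project.properties"

CI_VERSION=$(read_python_version "$demo_dir/omnilearn/__version__.py")
set_sonar_project_version "$demo_dir/sonar-project.properties" "$CI_VERSION"
rm -rf "$demo_dir"
```

In a workflow this would be a `run:` step placed before the sonar-scanner-action step, operating on the checked-out workspace; the same pattern works for any other scanner property that the action does not expose as an input.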
When you change the code or the package.json, you have to build the dist on your own machine and push it to the repository.
This is very inconvenient, especially with dependabot.
Automatically build dist in workflow and push when dist is updated.
https://github.com/philips-software/app-token-action/blob/main/.github/workflows/ci.yml
For sonarcloud.io the sonar.organization
argument is required.
See error:
ERROR: Error during SonarScanner execution ERROR: You must define the following mandatory properties for 'project.key': sonar.organization
Currently running this action inside an ubuntu 18.04 or an ubuntu 20.04 container has a conflict which prevents the repository from being properly identified as a GitHub repository. To reproduce this issue, here is a simple example; consider the following yml file that includes this action, running in the container python:3.9:
jobs:
  build:
    runs-on: [self-hosted, research]
    container: python:3.9
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Sonar analysis configuration
        uses: philips-software/[email protected]
        with:
          token: ${{ secrets.SONARQUBE_TOKEN }}
          projectName: <projectName>
          projectKey: <projectKey>
          url: <sonarqube-server-url>
If you try to run this simplified action in a given C++ Cmake based repository you will get the following failure log:
2021-11-26T13:50:57.0503295Z INFO: ------------------------------------------------------------------------
2021-11-26T13:50:57.0504376Z INFO: EXECUTION FAILURE
2021-11-26T13:50:57.0505626Z INFO: ------------------------------------------------------------------------
2021-11-26T13:50:57.0506152Z INFO: Total time: 1:04.786s
2021-11-26T13:50:57.3103531Z INFO: Final Memory: 98M/337M
2021-11-26T13:50:57.3105121Z INFO: ------------------------------------------------------------------------
2021-11-26T13:50:57.3111631Z ERROR: Error during SonarScanner execution
2021-11-26T13:50:57.3119804Z java.lang.IllegalStateException: java.nio.file.NoSuchFileException: /build-wrapper-dump.json
2021-11-26T13:50:57.3123164Z at com.sonar.cpp.plugin.BuildWrapperJsonReader.readCaptures(BuildWrapperJsonReader.java:90)
2021-11-26T13:50:57.3126348Z at com.sonar.cpp.plugin.CFamilySensor.process(CFamilySensor.java:575)
Which is expected, since the project has yet to be built and the output of the build-wrapper tool is missing. However, if you change the container to ubuntu:18.04 or ubuntu:20.04:
jobs:
  build:
    runs-on: [self-hosted, research]
    container: ubuntu:18.04
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Sonar analysis configuration
        uses: philips-software/[email protected]
        with:
          token: ${{ secrets.SONARQUBE_TOKEN }}
          projectName: <projectName>
          projectKey: <projectKey>
          url: <sonarqube-server-url>
It fails as follows:
2021-11-26T14:02:01.2433137Z INFO: Project configuration:
2021-11-26T14:02:01.2473405Z INFO: Excluded sources: **/*Test*/**, **/*Tests*/**
2021-11-26T14:02:01.2694317Z INFO: ------------------------------------------------------------------------
2021-11-26T14:02:01.2695221Z INFO: EXECUTION FAILURE
2021-11-26T14:02:01.2696269Z INFO: ------------------------------------------------------------------------
2021-11-26T14:02:01.2697011Z INFO: Total time: 13.658s
2021-11-26T14:02:01.3105547Z INFO: Final Memory: 7M/30M
2021-11-26T14:02:01.3107046Z INFO: ------------------------------------------------------------------------
2021-11-26T14:02:01.3122217Z ERROR: Error during SonarScanner execution
2021-11-26T14:02:01.3123127Z ERROR: Not inside a Git work tree: /github/workspace
It complains of not being inside a repository, which is not the expected behavior.
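The difference between the two images explains the second failure: the python:3.9 image ships git, the plain ubuntu images do not. When actions/checkout finds no git on PATH in the job container it falls back to downloading the repository as an archive through the GitHub REST API, which yields the files but no `.git` directory, and that is exactly what "Not inside a Git work tree: /github/workspace" reports. The script below is an added example, not code from the action or the issue: a preflight check to run as a step before the scanner, so the job fails with a clear message (install git in the image before the checkout step) instead of deep inside the scanner.

```shell
#!/bin/sh
# Added example, not part of the action: verify that the workspace is a real Git work tree
# before invoking the scanner, and say why it is not when the check fails.

preflight_git_worktree() {
    dir=${1:-.}
    if ! command -v git >/dev/null 2>&1; then
        # Without git in the container, actions/checkout downloads an archive via the REST API
        # and creates no .git directory, so the scanner cannot see a work tree.
        echo "git is not on PATH in this container; install it before the checkout step" >&2
        return 1
    fi
    if ! git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        echo "$dir is not inside a Git work tree (was the repository downloaded as an archive?)" >&2
        return 1
    fi
    echo "ok: $dir is a Git work tree"
}

# Stand-alone use: check the runner workspace (GITHUB_WORKSPACE is set on runners).
preflight_git_worktree "${GITHUB_WORKSPACE:-.}"
```

For the ubuntu images the practical fix is a `run: apt-get update && apt-get install -y git` step placed before `actions/checkout`, or a base image that already includes git, so that the checkout produces a proper clone.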
See title, running into this with any configuration I throw at the Sonar Scanner action.
Version: v1.0.0
When executing, it wraps -Dsonar.projectName='' in apostrophes, and it appears like this: 'projectName'
Hi,
After experimenting with this sonar-scanner-action I got the warning that the scanner used by this action is not valid for .NET / C# code analysis. See below the info collected from the log while executing this scanner:
I looked at #66, but it did not provide a solution as it pointed out to the same documentation as the log above.
As a quick workaround to use the right scanner I'm doing the following:
File: .config/dotnet-tools.json
{
  "version": 1,
  "isRoot": true,
  "tools": {
    "dotnet-sonarscanner": {
      "version": "5.3.1",
      "commands": [
        "dotnet-sonarscanner"
      ]
    }
  }
}
File: SonarQube.Analysis.sh
#!/bin/bash
# Get the token as the first parameter
token=$1
dotnet dotnet-sonarscanner begin \
  /k:"<PROJECT_KEY>" \
  /n:"<PROJECT_NAME>" \
  /v:"<PROJECT_VERSION>" \
  /d:"sonar.host.url=<SONARQUBE_HOST_URL>" \
  /d:"sonar.sources=<SOURCE_CODE_PATHS>" \
  /d:"sonar.login=$token" \
  /d:"sonar.verbose=<VERBOSE_TRUE_FALSE>"
dotnet build <PATH_TO_CSPROJ_OR_SLN>
dotnet dotnet-sonarscanner end \
  /d:"sonar.login=$token"
File: sonarqube.yaml
...
- name: Restore dependencies
  run: |
    dotnet restore PhOpc/PhOpc.csproj
- name: Build
  run: dotnet build PhOpc/PhOpc.csproj
# The GitHub action below is not prepared to use the .NET Core Global Tool scanner and is not appropriate for C# code
# - uses: philips-software/[email protected]
#   with:
#     token: ${{ secrets.SONARQUBE_TOKEN }}
#     projectName: <PROJECT_NAME>
#     projectKey: <PROJECT_KEY>
#     url: <SONARQUBE_HOST_URL>
#     enablePullRequestDecoration: true
- name: Restore .NET locally installed tools
  run: dotnet tool restore
- name: Install JRE as it is required by the .NET Core Global Tool (on the "end" step, even though not mentioned on the docs)
  run: apt-get update && apt-get -y install default-jre
- name: Run SonarQube analysis using the .NET Core Global Tool
  run: ./SonarQube.Analysis.sh ${{ secrets.SONARQUBE_TOKEN }}
With this the appropriate scanner is executed, but it would be better to have this integrated into this GitHub action :)
As a reference this is the format of the settings file once the Bug mentioned above is fixed:
<SonarQubeAnalysisProperties
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns="http://www.sonarsource.com/msbuild/integration/2015/1">
  <!-- SonarQube instance -->
  <Property Name="sonar.host.url">SONARQUBE_HOST_URL</Property>
  <!-- projectKey must be unique in a given SonarQube instance -->
  <Property Name="sonar.projectKey">PROJECT_KEY</Property>
  <!-- projectName is the project name shown on the SonarQube instance -->
  <Property Name="sonar.projectName">PROJECT_NAME</Property>
  <!-- projectVersion is the version number shown on the SonarQube instance -->
  <Property Name="sonar.projectVersion">PROJECT_VERSION</Property>
  <!-- sources is a comma-separated list of paths to directories containing main source files; if not specified, defaults to the root of the project -->
  <Property Name="sonar.sources">SOURCE_CODE_PATHS</Property>
</SonarQubeAnalysisProperties>
On the current .sh I'm only specifying a few extra settings using the /d: option, but this file (or the settings once the bug is fixed) need to allow all other possible options.
Any chances to have support for .NET / C# Sonar Scanner integrated into this GitHub action?
The setup with pre-baked build environments in Docker containers is not the best approach to handling these kinds of services.
We've also seen this for the Black Duck actions; it's cumbersome and does not bring much to the table if you're only using the images in GitHub Actions.
We might consider deprecating this action and writing proper instructions on how to use the official SonarQube action.