
sonar-scanner-action's Issues

Building sonar-scanner-action takes very long

We are using the sonar-scanner-action in our CI/CD pipeline and this action is always rebuilt as one of the first steps in the pipeline. Currently, this takes quite long (more than 15 minutes; see screenshot), which slows down the entire pipeline by quite a bit. Is there a way to speed things up?

[screenshot of the pipeline step timing]

How to specify sonar-project.properties

We are in the process of migrating OmniLearn from Gitlab to Github. On Gitlab, we executed the running directly, and passed some parameters per command line and some using the sonar-project.properties file. Is there a way to pass parameters using a properties file also with the sonarqube action and how would I set this up?

UnsupportedClassVersionError when running sonarqube action

We are in the process of migrating OmniLearn from Gitlab to Github. We tried to use the sonarqube action to activate sonarqube analysis of our project. We did this by adding the following snippet to our Github workflow configuration:

- name: Update sonarqube
  uses: philips-software/[email protected]
  with:
      token: ${{ secrets.SONARQUBE_TOKEN }}
      projectName: omnilearn
      projectKey: prh.omnilearn-linux
      url: https://sonarqube.ta.philips.com/

When running the workflow, we currently get the following error:

/root/sonar-scanner-4.3.0.2102-linux/bin/sonar-scanner -Dsonar.login=*** -Dsonar.host.url=https://sonarqube.ta.philips.com/ -Dsonar.projectKey=prh.omnilearn-linux -Dsonar.projectName='omnilearn' -Dsonar.scm.provider=git -Dsonar.sourceEncoding=UTF-8 -Dsonar.qualitygate.wait=false -Dsonar.branch.name=develop
  INFO: Scanner configuration file: /root/sonar-scanner-4.3.0.2102-linux/conf/sonar-scanner.properties
  INFO: Project root configuration file: /github/workspace/sonar-project.properties
  INFO: SonarScanner 4.3.0.2102
  INFO: Java 1.8.0_252 Oracle Corporation (64-bit)
  INFO: Linux 4.14.243-185.433.amzn2.x86_64 amd64
  INFO: User cache: /root/.sonar/cache
  INFO: Scanner configuration file: /root/sonar-scanner-4.3.0.2102-linux/conf/sonar-scanner.properties
  INFO: Project root configuration file: /github/workspace/sonar-project.properties
  INFO: Analyzing on SonarQube server 9.0.1
  INFO: Default locale: "en_US", source code encoding: "UTF-8"
  INFO: ------------------------------------------------------------------------
  INFO: EXECUTION FAILURE
  INFO: ------------------------------------------------------------------------
  INFO: Total time: 1.666s
  INFO: Final Memory: 4M/72M
  INFO: ------------------------------------------------------------------------
  ERROR: Error during SonarScanner execution
  java.lang.UnsupportedClassVersionError: org/sonar/batch/bootstrapper/EnvironmentInformation has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0
  	at java.lang.ClassLoader.defineClass1(Native Method)
  	at java.lang.ClassLoader.defineClass(ClassLoader.java:756)
  	at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
  	at java.net.URLClassLoader.defineClass(URLClassLoader.java:468)
  	at java.net.URLClassLoader.access$100(URLClassLoader.java:74)
  	at java.net.URLClassLoader$1.run(URLClassLoader.java:369)
  	at java.net.URLClassLoader$1.run(URLClassLoader.java:363)
  	at java.security.AccessController.doPrivileged(Native Method)
  	at java.net.URLClassLoader.findClass(URLClassLoader.java:362)
  	at org.sonarsource.scanner.api.internal.IsolatedClassloader.loadClass(IsolatedClassloader.java:82)
  	at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
  	at org.sonarsource.scanner.api.internal.batch.DefaultBatchFactory.createBatch(DefaultBatchFactory.java:32)
  	at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
  	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
  	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  	at java.lang.reflect.Method.invoke(Method.java:498)
  	at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
  	at com.sun.proxy.$Proxy0.execute(Unknown Source)
  	at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)
  	at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)
  	at org.sonarsource.scanner.cli.Main.execute(Main.java:112)
  	at org.sonarsource.scanner.cli.Main.execute(Main.java:75)
  	at org.sonarsource.scanner.cli.Main.main(Main.java:61)
  ERROR: 
  ERROR: Re-run SonarScanner using the -X switch to enable full debug logging.
  Error: The process '/root/sonar-scanner-4.3.0.2102-linux/bin/sonar-scanner' failed with exit code 1

I don't quite understand what the error is and how to fix it. Can you please help with this?

Community edition support

Hi all, are there currently any plans to allow this action to be usable with the Community edition of SonarQube? Due to the -Dsonar.branch.name flag getting set and Community edition not supporting branches, our builds fail when using this action. I'm more than willing to take on the work and start a PR if you all want to support Community edition.

Post run cleanup needed

I've created a GitHub Actions workflow that follows your instructions. On the first run, it works fine.

However, on the second run, actions/checkout@master fails because it tries to clean the repository, but the ".scannerwork" directory is owned by root (as that is how the Docker container runs) and the clean-up fails.

I've tried adding .scannerwork to the .gitignore file but that hasn't made any difference.

It would seem that an appropriate solution would be a post run step in the action that removes the ".scannerwork" directory.

If there is an alternative solution, please share/document it.

Thanks.

More elaborate documentation on pull request decoration

Problem

It is currently not clear from the documentation how to enable PR decoration. When reading the readme.md I have the following questions:

  • Do you only need to use this snippet?

Or

  • Do you need to configure anything? If so, how do you use this? Should that run once?

Proposal

A short guide on how to enable PR decoration

How to provide sonar.projectVersion?

We are migrating from Gitlab to Github. In our old Gitlab config, we used to invoke sonarqube directly from the command line, which allowed us to read the current version from the Python package's version file and pass it as a parameter to sonarqube like this:

# Read the version string out of the package's __version__.py and hand it to the scanner
export CI_VERSION=$(sed 's/__version__ = "\(.*\)"/\1/g' omnilearn/__version__.py)
sonar-scanner -Dsonar.projectVersion="${CI_VERSION}"

How can we achieve something similar with the sonar-scanner-action?
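A small shell helper, added here as an example and not part of the sonar-scanner-action project or the original post, that reads the version from a Python __version__.py (the file layout and the sonar_version_arg helper are assumptions) and validates it before it is placed on the scanner command line, so a malformed or tampered version file cannot push arbitrary text into the scanner invocation:

```shell
#!/bin/sh
# Added example (not from the sonar-scanner-action project): read the package
# version from a Python __version__.py and validate it before it is passed to
# the scanner as sonar.projectVersion. Anything that is not a plain version
# string is rejected instead of being spliced into the command line.
set -eu

# extract_version FILE: print the version string, or fail with a message.
# Accepts   __version__ = "1.2.3"   and   __version__ = '1.2.3rc1'
extract_version() {
  file="$1"
  version=$(sed -nE "s/^__version__[[:space:]]*=[[:space:]]*[\"']([^\"']*)[\"'].*/\1/p" "$file" | head -n 1)
  # Only a dotted numeric version, optionally followed by a PEP 440 style suffix, is allowed.
  if [ -z "$version" ] || ! printf '%s' "$version" | grep -Eq '^[0-9]+(\.[0-9]+)*[A-Za-z0-9.+-]*$'; then
    echo "extract_version: no valid __version__ in $file" >&2
    return 1
  fi
  printf '%s\n' "$version"
}

# sonar_version_arg FILE: print the -D argument the scanner expects (assumed helper name).
sonar_version_arg() {
  v=$(extract_version "$1") || return 1
  printf '%s\n' "-Dsonar.projectVersion=$v"
}

# Usage in a workflow step (constructed path); later steps can read CI_VERSION from $GITHUB_ENV:
#   CI_VERSION=$(extract_version omnilearn/__version__.py)
#   echo "CI_VERSION=$CI_VERSION" >> "$GITHUB_ENV"
```

The validated value can then be passed to whichever scanner invocation the job uses, without trusting the raw file content.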

Add optional sonar.organization argument

For sonarcloud.io the sonar.organization argument is required.

See error:

ERROR: Error during SonarScanner execution ERROR: You must define the following mandatory properties for 'project.key': sonar.organization

Container conflict when running action inside ubuntu:18.04

Currently, running this action inside an ubuntu:18.04 or ubuntu:20.04 container has a conflict which prevents the repository from being properly identified as a GitHub repository. To reproduce this issue, here is a simple example; consider the following yml file that includes this action, running in the container python:3.9:

jobs:
  build:
    runs-on: [self-hosted, research]
    container: python:3.9

    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Sonar analysis configuration
        uses: philips-software/[email protected]
        with:
          token: ${{ secrets.SONARQUBE_TOKEN }}
          projectName: <projectName>
          projectKey: <projectKey>
          url: <sonarqube-server-url>

If you try to run this simplified action in a given C++ CMake-based repository you will get the following failure log:

2021-11-26T13:50:57.0503295Z INFO: ------------------------------------------------------------------------
2021-11-26T13:50:57.0504376Z INFO: EXECUTION FAILURE
2021-11-26T13:50:57.0505626Z INFO: ------------------------------------------------------------------------
2021-11-26T13:50:57.0506152Z INFO: Total time: 1:04.786s
2021-11-26T13:50:57.3103531Z INFO: Final Memory: 98M/337M
2021-11-26T13:50:57.3105121Z INFO: ------------------------------------------------------------------------
2021-11-26T13:50:57.3111631Z ERROR: Error during SonarScanner execution
2021-11-26T13:50:57.3119804Z java.lang.IllegalStateException: java.nio.file.NoSuchFileException: /build-wrapper-dump.json
2021-11-26T13:50:57.3123164Z 	at com.sonar.cpp.plugin.BuildWrapperJsonReader.readCaptures(BuildWrapperJsonReader.java:90)
2021-11-26T13:50:57.3126348Z 	at com.sonar.cpp.plugin.CFamilySensor.process(CFamilySensor.java:575)

Which is expected, since the project has yet to be built and the output of the build-wrapper tool is missing. However, if you change the container to ubuntu:18.04 or ubuntu:20.04:

jobs:
  build:
    runs-on: [self-hosted, research]
    container: ubuntu:18.04

    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Sonar analysis configuration
        uses: philips-software/[email protected]
        with:
          token: ${{ secrets.SONARQUBE_TOKEN }}
          projectName: <projectName>
          projectKey: <projectKey>
          url: <sonarqube-server-url>

It fails as follows:

2021-11-26T14:02:01.2433137Z INFO: Project configuration:
2021-11-26T14:02:01.2473405Z INFO:   Excluded sources: **/*Test*/**, **/*Tests*/**
2021-11-26T14:02:01.2694317Z INFO: ------------------------------------------------------------------------
2021-11-26T14:02:01.2695221Z INFO: EXECUTION FAILURE
2021-11-26T14:02:01.2696269Z INFO: ------------------------------------------------------------------------
2021-11-26T14:02:01.2697011Z INFO: Total time: 13.658s
2021-11-26T14:02:01.3105547Z INFO: Final Memory: 7M/30M
2021-11-26T14:02:01.3107046Z INFO: ------------------------------------------------------------------------
2021-11-26T14:02:01.3122217Z ERROR: Error during SonarScanner execution
2021-11-26T14:02:01.3123127Z ERROR: Not inside a Git work tree: /github/workspace

It complains of not being inside a repository, which is not the expected behavior.

SonarScanner for .NET

Hi,

After experimenting with this sonar-scanner-action I got the warning that the scanner used by this action is not valid for .NET / C# code analysis. See below the info collected from the log while executing this scanner:

I looked at #66, but it did not provide a solution as it pointed out to the same documentation as the log above.

As a quick workaround to use the right scanner I'm doing the following:

  1. Install the .NET Global Scanner Tool locally as indicated in the Sonar Scanner for .NET docs (see below a sample of the file .config/dotnet-tools.json) and restore the tool on check-out (see file sonarqube.yaml). For .NET Tool installation see: https://docs.microsoft.com/en-us/dotnet/core/tools/local-tools-how-to-use
  2. Have a bash script to call the 3 steps required by the scanner (see: Sonar Scanner for .NET). Note: there's a bug in the scanner that doesn't allow providing a settings file, so having a .sh script was a quick workaround (see Bug).
  3. On the sonarqube.yaml:
    3.1 Restore the .NET Global Scanner Tool
    3.2 Install the JRE as it is needed by the "end" step of the .NET Global Scanner Tool (and not documented)
    3.3 Call the .sh script to invoke the scanner steps

File: .config/dotnet-tools.json

{
  "version": 1,
  "isRoot": true,
  "tools": {
    "dotnet-sonarscanner": {
      "version": "5.3.1",
      "commands": [
        "dotnet-sonarscanner"
      ]
    }
  }
}

File: SonarQube.Analysis.sh

#!/bin/bash
# Abort on the first failing step, so a failed build is never followed by an "end"
# step that reports a finished analysis to the server.
set -eu

# Get the token as the first parameter
token="$1"

dotnet dotnet-sonarscanner begin \
  /k:"<PROJECT_KEY>" \
  /n:"<PROJECT_NAME>" \
  /v:"<PROJECT_VERSION>" \
  /d:"sonar.host.url=<SONARQUBE_HOST_URL>" \
  /d:"sonar.sources=<SOURCE_CODE_PATHS>" \
  /d:"sonar.login=$token" \
  /d:"sonar.verbose=<VERBOSE_TRUE_FALSE>"

dotnet build "<PATH_TO_CSPROJ_OR_SLN>"

# The token must be quoted here as well, otherwise word splitting would break the argument
dotnet dotnet-sonarscanner end \
  /d:"sonar.login=$token"

File: sonarqube.yaml

  ...
  - name: Restore dependencies
    run: |
      dotnet restore PhOpc/PhOpc.csproj
  - name: Build
    run: dotnet build PhOpc/PhOpc.csproj
  # The GitHub action below is not prepared to use the .NET Core Global Tool scanner and is not appropriate for C# code
  # - uses: philips-software/[email protected]
  #   with:
  #     token: ${{ secrets.SONARQUBE_TOKEN }}
  #     projectName: <PROJECT_NAME>
  #     projectKey: <PROJECT_KEY>
  #     url: <SONARQUBE_HOST_URL>
  #     enablePullRequestDecoration: true
  - name: Restore .NET locally installed tools
    run: dotnet tool restore
  - name: Install JRE as it is required by the .NET Core Global Tool (on the "end" step, even though not mentioned on the docs)
    run: apt-get update && apt-get -y install default-jre
  - name: Run SonarQube analysis using the .NET Core Global Tool
    run: ./SonarQube.Analysis.sh ${{ secrets.SONARQUBE_TOKEN }}

With this the appropriate scanner is executed, but it would be better to have this integrated into this GitHub action :)

As a reference this is the format of the settings file once the Bug mentioned above is fixed:

<SonarQubeAnalysisProperties  
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://www.sonarsource.com/msbuild/integration/2015/1">
  
  <!-- SonarQube instance -->
  <Property Name="sonar.host.url">SONARQUBE_HOST_URL</Property>
  <!-- projectKey must be unique in a given SonarQube instance -->
  <Property Name="sonar.projectKey">PROJECT_KEY</Property>
  <!-- projectName is the project name shown on the SonarQube instance -->
  <Property Name="sonar.projectName">PROJECT_NAME</Property>
  <!-- projectVersion is the version number shown on the SonarQube instance -->
  <Property Name="sonar.projectVersion">PROJECT_VERSION</Property>
  <!-- sources is a comma-separated list of paths to directories containing main source files; if not specified, defaults to the root of the project -->
  <Property Name="sonar.sources">SOURCE_CODE_PATHS</Property>
</SonarQubeAnalysisProperties>

In the current .sh I'm only specifying a few extra settings using the /d: option, but this file (or the settings file once the bug is fixed) needs to allow all other possible options.

Any chances to have support for .NET / C# Sonar Scanner integrated into this GitHub action?

Consider moving to the official SonarQube GitHub Action

The setup with pre-baked build environments in docker containers is not the best approach to handling these kinds of services.

We've also seen this for the Black Duck actions, it's cumbersome and does not bring much to the table if you're only using the images in GitHub Actions.

We might consider deprecating this action and writing proper instructions on how to use the Official SonarQube action.
