fix(scripts): exclude JS from SonarQube scan#449
Open
TheAuditorTool wants to merge 1 commit intoOWASP-Benchmark:masterfrom
Open
fix(scripts): exclude JS from SonarQube scan#449TheAuditorTool wants to merge 1 commit intoOWASP-Benchmark:masterfrom
TheAuditorTool wants to merge 1 commit intoOWASP-Benchmark:masterfrom
Conversation
The SonarQube scanner's JavaScript/TypeScript sensor activates on vendored JS files in src/main/webapp/js/ (jQuery, js.cookie, testsuiteutils) and attempts to start a Node.js bridge server, which times out in the scanner Docker container -- killing the entire scan. Add **/*.js to sonar.exclusions so the JS sensor never activates. This project benchmarks Java SAST tools only; SonarReport.java already filters to java:* rules, so JS findings were never collected. Closes OWASP-Benchmark#235
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
scripts/runSonarQube.shfails with a 300-second timeout when SonarQube's JavaScript/TypeScript sensor tries to start its Node.js "bridge server" inside thesonarsource/sonar-scanner-cliDocker container. This kills the entire scan, including the Java analysis that actually matters.Root cause: 3 vendored JavaScript files in
src/main/webapp/js/are within the scan scope (sonar.sources="src") but not excluded:src/main/webapp/js/jquery.min.jssrc/main/webapp/js/js.cookie.jssrc/main/webapp/js/testsuiteutils.jsWhen SonarQube detects
.jsfiles, its JS/TS sensor activates and attempts to start a Node.js-based ESLint bridge server. In the scanner Docker container, Node.js is either unavailable or the bridge fails to initialize within the 300s timeout, producing:Fix: Append
,**/*.jsto the existingsonar.exclusionspattern so the JS/TS sensor never activates.Why JS scanning has zero value for this project
Issue filtering:
SonarReport.javafilters rules withrule.ruleId.startsWith("java:")(line 78) -- JavaScript rules are excluded before the issues query is even sent.Query filtering: The
issues/searchAPI call passesrules=<allJavaRules>(lines 43-46), so SonarQube's API never returns JavaScript findings.Hotspot noise prevention: The
hotspots/searchendpoint (line 49) does NOT filter by language. Without the exclusion, JavaScript security hotspots from vendored jQuery could pollute the Java benchmark results.Vendored code: All 3 JS files are third-party libraries or UI utilities, not project code written for the benchmark.
Changes
1 file changed, 1 line modified:
scripts/runSonarQube.sh(line 78):What was NOT changed (and why)
Existing exclusion patterns left intact. The
results/**,scorecard/**,scripts/**,tools/**,VMs/**patterns reference directories outsidesonar.sources="src"and are technically redundant. They were left in place because they are harmless, years old, and removing them is unrelated to this fix..mapfiles not excluded.jquery.min.mapis a source map (JSON file) that does not trigger the JS/TS sensor (sonar.javascript.file.suffixesdefaults to.js,.jsx,.cjs,.mjs). Excluding it would be solving a non-problem.No changes to
SonarReport.java. The Java report class is unaffected.No changes to testcode. Zero files touched in
src/main/java/org/owasp/benchmark/testcode/.Test plan
scripts/runSonarQube.shon a machine with Docker -- the scan should complete without the Node.js bridge server timeoutresults/Benchmark_*-sonarqube-v*.jsoncontains Java vulnerabilities (the JS exclusion should not reduce Java findings).jsfiles appear in the SonarQube project dashboard after the scan