SonarQube for Ubuntu scans .NET project with success but no issues analyzed

Posted: 2021-09-11 14:33:25

Question:

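I configured MSBuild for Sonar Scanner, and Sonar Scanner itself, on Ubuntu. After banging my head against the wall many times over many days, there were some productive results, so I am able to scan a .NET project on Ubuntu. It shows no errors: the begin step is fine, the build also succeeds, and it says it is collecting the analysis report and finishes... but no report is generated. I am sure something is wrong because, for testing, I passed a vulnerable project to the scanner. Version information is as follows: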

    SonarQube-8.6.1.40680
    SonarScanner 4.6.1.2450
    Ubuntu 20.04.2 LTS
    .NET Core 5.0.301

The commands used to start the scan are as follows:

dotnet sonarscanner begin /k:"'myProjectKey'" /d:sonar.host.url="http://localhost:9000"
dotnet build "myProject.sln"
dotnet sonarscanner end

The output of the Sonar Scanner is as follows:

SonarScanner for MSBuild 5.2.2
Using the .NET Core version of the Scanner for MSBuild
Post-processing started.
Calling the SonarScanner CLI...
INFO: Scanner configuration file: /home/ubuntu/.dotnet/tools/.store/dotnet-sonarscanner/5.2.2/dotnet-sonarscanner/5.2.2/tools/net5.0/any/sonar-scanner-4.6.1.2450/conf/sonar-scanner.properties
INFO: Project root configuration file: ./.sonarqube/out/sonar-project.properties
INFO: SonarScanner 4.6.1.2450
INFO: Java 11.0.11 Ubuntu (64-bit)
INFO: Linux 5.8.0-1035-aws amd64
INFO: User cache: /root/.sonar/cache
INFO: Scanner configuration file: /home/ubuntu/.dotnet/tools/.store/dotnet-sonarscanner/5.2.2/dotnet-sonarscanner/5.2.2/tools/net5.0/any/sonar-scanner-4.6.1.2450/conf/sonar-scanner.properties
INFO: Project root configuration file: ./.sonarqube/out/sonar-project.properties
INFO: Analyzing on SonarQube server 8.6.1
INFO: Default locale: "en", source code encoding: "UTF-8" (analysis is platform dependent)
INFO: Load global settings
INFO: Load global settings (done) | time=80ms
INFO: Server id: BF41A1F2-AXnr4GgQhOwzgJl08ZuM
INFO: User cache: /root/.sonar/cache
INFO: Load/download plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=47ms
INFO: Load/download plugins (done) | time=123ms
INFO: Process project properties
INFO: Process project properties (done) | time=13ms
INFO: Execute project builders
INFO: Execute project builders (done) | time=32ms
INFO: Project key: VulnerableCoreApp.sln
INFO: Base dir: ./
INFO: Working dir: ./.sonarqube/out/.sonar
INFO: Load project settings for component key: 'VulnerableCoreApp.sln'
INFO: Load project settings for component key: 'VulnerableCoreApp.sln' (done) | time=13ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=35ms
INFO: Load active rules
INFO: Load active rules (done) | time=1017ms
INFO: Indexing files...
INFO: Project configuration:
INFO: Indexing files of module 'VulnerableCoreApp'
INFO: Base dir: ./
INFO: Source paths: Controllers/CrossSiteScriptingController.cs, Controllers/Home...
INFO: Indexing files of module 'VulnerableCoreApp.sln'
INFO: Base dir: ./
INFO: 0 files indexed
INFO: 72 files ignored because of scm ignore settings
INFO: ------------- Run sensors on module VulnerableCoreApp
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=25ms
INFO: Sensor CSS Rules [cssfamily]
INFO: No CSS, php, html or VueJS files are found in the project. CSS analysis is skipped.
INFO: Sensor CSS Rules [cssfamily] (done) | time=1ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: 'sonar.coverage.jacoco.xmlReportPaths' is not defined. Using default locations: target/site/jacoco/jacoco.xml,target/site/jacoco-it/jacoco.xml,build/reports/jacoco/test/jacocoTestReport.xml
INFO: No report imported, no coverage information will be imported by JaCoCo XML Report Importer
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=3ms
INFO: Sensor C# Properties [csharp]
INFO: Sensor C# Properties [csharp] (done) | time=3ms
INFO: Sensor JavaXmlSensor [java]
INFO: Sensor JavaXmlSensor [java] (done) | time=1ms
INFO: Sensor VB.NET Properties [vbnet]
INFO: Sensor VB.NET Properties [vbnet] (done) | time=1ms
INFO: ------------- Run sensors on module VulnerableCoreApp.sln
INFO: Sensor CSS Rules [cssfamily]
INFO: No CSS, PHP, HTML or VueJS files are found in the project. CSS analysis is skipped.
INFO: Sensor CSS Rules [cssfamily] (done) | time=1ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: 'sonar.coverage.jacoco.xmlReportPaths' is not defined. Using default locations: target/site/jacoco/jacoco.xml,target/site/jacoco-it/jacoco.xml,build/reports/jacoco/test/jacocoTestReport.xml
INFO: No report imported, no coverage information will be imported by JaCoCo XML Report Importer
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=1ms
INFO: Sensor C# Properties [csharp]
INFO: Sensor C# Properties [csharp] (done) | time=1ms
INFO: Sensor JavaXmlSensor [java]
INFO: Sensor JavaXmlSensor [java] (done) | time=0ms
INFO: Sensor VB.NET Properties [vbnet]
INFO: Sensor VB.NET Properties [vbnet] (done) | time=0ms
INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=0ms
INFO: CPD Executor Calculating CPD for 0 files
INFO: CPD Executor CPD calculation finished (done) | time=0ms
INFO: Analysis report generated in 116ms, dir size=86 KB
INFO: Analysis report compressed in 9ms, zip size=11 KB
INFO: Analysis report uploaded in 25ms
INFO: ANALYSIS SUCCESSFUL, you can browse http://localhost:9000/dashboard?id=VulnerableCoreApp.sln
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at http://localhost:9000/api/ce/task?id=AXpSC7HGqgJk9aahC7zU
INFO: Analysis total time: 3.296 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 4.402s
INFO: Final Memory: 7M/34M
INFO: ------------------------------------------------------------------------
The SonarScanner CLI has finished
09:55:36.137 Post-processing succeeded.

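Please note that the admin panel is not accessible from the command line, so please propose a solution accordingly; a change to the sonar.properties file or any other configuration file would be best.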

Answer 1:

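After a lot of experimenting and searching, I finally found the solution myself; I hope it helps others. Basically, looking closely at the logs, I noticed the following lines: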

INFO: Indexing files of module 'VulnerableCoreApp.sln'
INFO: Base dir: ./
INFO: 0 files indexed
INFO: 72 files ignored because of scm ignore settings

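This indicates that SCM (source control management) is excluding all the files from being scanned. In Sonar, SCM is used to include or exclude files to scan according to the version control rules defined in the settings. In my case I had no interest in using SCM in the scan, so I disabled it in order to include all the files to be scanned.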

A command-line switch did it all for me; you can also specify the switch in the Sonar project's properties file:

-Dsonar.scm.disabled=True

The commands now become:

dotnet sonarscanner begin /k:"'myProjectKey'" /d:sonar.host.url="http://localhost:9000" /d:sonar.scm.disabled=True
dotnet build "myProject.sln"
dotnet sonarscanner end

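Now all the files are indexed for scanning, and since SCM is now disabled, no files are ignored. If you do want to use SCM, you have to change your SCM settings in the Sonar administration dashboard to resolve this.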
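The failure above is silent: the scanner reports success while indexing nothing. As an added example (not part of the original answer or of SonarQube), the shell gate below reads a scanner log and returns a non-zero status when no files were indexed. The function names `sonar_index_counts` and `check_sonar_index` are hypothetical, and it assumes only the two log-line formats shown in the question.

```shell
#!/bin/sh
# Added example (not from the original post): fail a pipeline when the
# SonarScanner log shows that nothing was indexed, so an empty analysis
# is not read as "no issues found".

# Prints "<indexed> <scm_ignored>" summed over the log on stdin,
# or "none 0" when the log has no "files indexed" summary line.
sonar_index_counts() {
    awk '
        /^INFO: [0-9]+ files? indexed/ { indexed += $2; seen = 1 }
        /^INFO: [0-9]+ files? ignored because of scm ignore settings/ { ignored += $2 }
        END { if (seen) print indexed + 0, ignored + 0; else print "none 0" }
    '
}

# Reads a scanner log on stdin.
# Returns 0 if files were indexed, 1 if none were, 2 if no summary was found.
check_sonar_index() {
    counts=$(sonar_index_counts)
    indexed=${counts% *}
    ignored=${counts#* }
    case "$indexed" in
        none) echo "no 'files indexed' line in log" >&2; return 2 ;;
        0)    echo "0 files indexed ($ignored ignored by SCM settings): empty analysis" >&2
              return 1 ;;
        *)    echo "$indexed files indexed, $ignored ignored by SCM settings"; return 0 ;;
    esac
}

# Lines copied from the log in the question.
SAMPLE_EMPTY="INFO: Indexing files of module 'VulnerableCoreApp.sln'
INFO: Base dir: ./
INFO: 0 files indexed
INFO: 72 files ignored because of scm ignore settings"

# Constructed sample: a run that indexes the sources (the count is made up).
SAMPLE_OK="INFO: Indexing files of module 'VulnerableCoreApp.sln'
INFO: Base dir: ./
INFO: 72 files indexed"

printf '%s\n' "$SAMPLE_EMPTY" | check_sonar_index || echo "gate would fail the build (status $?)"
printf '%s\n' "$SAMPLE_OK" | check_sonar_index
```

In a pipeline, save the output of `dotnet sonarscanner end` to a file and feed that file to `check_sonar_index` on stdin.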
