Sonar Qube for Ubuntu scans .NET project with success but no issues analyzed

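I configured the Sonar Scanner for MSBuild and Sonar Scanner itself on Ubuntu, and after banging my head against the wall for many days I got some fruitful results, so I am able to scan a .NET project on Ubuntu. It shows no errors: the begin step is fine, the build succeeds, and it says it is collecting the analysis report and finishes... but no report is generated. I am sure there are issues, because for testing I passed a vulnerable project to the scanner. The version information is as follows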

  1. SonarQube-8.6.1.40680
  2. Sonar Scanner 4.6.1.2450
  3. Ubuntu 20.04.2 LTS
  4. .NET Core 5.0.301

The commands used to start the scan are as follows

dotnet sonarscanner begin /k:"'myProjectKey'" /d:sonar.host.url="http://localhost:9000"
dotnet build "myProject.sln"
dotnet sonarscanner end

The output of Sonar Scanner is as follows

SonarScanner for MSBuild 5.2.2
Using the .NET Core version of the Scanner for MSBuild
Post-processing started.
Calling the SonarScanner CLI...
INFO: Scanner configuration file: /home/ubuntu/.dotnet/tools/.store/dotnet-sonarscanner/5.2.2/dotnet-sonarscanner/5.2.2/tools/net5.0/any/sonar-scanner-4.6.1.2450/conf/sonar-scanner.properties
INFO: Project root configuration file: ./.sonarqube/out/sonar-project.properties
INFO: SonarScanner 4.6.1.2450
INFO: Java 11.0.11 Ubuntu (64-bit)
INFO: Linux 5.8.0-1035-aws amd64
INFO: User cache: /root/.sonar/cache
INFO: Scanner configuration file: /home/ubuntu/.dotnet/tools/.store/dotnet-sonarscanner/5.2.2/dotnet-sonarscanner/5.2.2/tools/net5.0/any/sonar-scanner-4.6.1.2450/conf/sonar-scanner.properties
INFO: Project root configuration file: ./.sonarqube/out/sonar-project.properties
INFO: Analyzing on SonarQube server 8.6.1
INFO: Default locale: "en", source code encoding: "UTF-8" (analysis is platform dependent)
INFO: Load global settings
INFO: Load global settings (done) | time=80ms
INFO: Server id: BF41A1F2-AXnr4GgQhOwzgJl08ZuM
INFO: User cache: /root/.sonar/cache
INFO: Load/download plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=47ms
INFO: Load/download plugins (done) | time=123ms
INFO: Process project properties
INFO: Process project properties (done) | time=13ms
INFO: Execute project builders
INFO: Execute project builders (done) | time=32ms
INFO: Project key: VulnerableCoreApp.sln
INFO: Base dir: ./
INFO: Working dir: ./.sonarqube/out/.sonar
INFO: Load project settings for component key: 'VulnerableCoreApp.sln'
INFO: Load project settings for component key: 'VulnerableCoreApp.sln' (done) | time=13ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=35ms
INFO: Load active rules
INFO: Load active rules (done) | time=1017ms
INFO: Indexing files...
INFO: Project configuration:
INFO: Indexing files of module 'VulnerableCoreApp'
INFO: Base dir: ./
INFO: Source paths: Controllers/CrossSiteScriptingController.cs, Controllers/Home...
INFO: Indexing files of module 'VulnerableCoreApp.sln'
INFO: Base dir: ./
INFO: 0 files indexed
INFO: 72 files ignored because of scm ignore settings
INFO: ------------- Run sensors on module VulnerableCoreApp
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=25ms
INFO: Sensor CSS Rules [cssfamily]
INFO: No CSS, PHP, HTML or VueJS files are found in the project. CSS analysis is skipped.
INFO: Sensor CSS Rules [cssfamily] (done) | time=1ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: 'sonar.coverage.jacoco.xmlReportPaths' is not defined. Using default locations: target/site/jacoco/jacoco.xml,target/site/jacoco-it/jacoco.xml,build/reports/jacoco/test/jacocoTestReport.xml
INFO: No report imported, no coverage information will be imported by JaCoCo XML Report Importer
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=3ms
INFO: Sensor C# Properties [csharp]
INFO: Sensor C# Properties [csharp] (done) | time=3ms
INFO: Sensor JavaXmlSensor [java]
INFO: Sensor JavaXmlSensor [java] (done) | time=1ms
INFO: Sensor VB.NET Properties [vbnet]
INFO: Sensor VB.NET Properties [vbnet] (done) | time=1ms
INFO: ------------- Run sensors on module VulnerableCoreApp.sln
INFO: Sensor CSS Rules [cssfamily]
INFO: No CSS, PHP, HTML or VueJS files are found in the project. CSS analysis is skipped.
INFO: Sensor CSS Rules [cssfamily] (done) | time=1ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: 'sonar.coverage.jacoco.xmlReportPaths' is not defined. Using default locations: target/site/jacoco/jacoco.xml,target/site/jacoco-it/jacoco.xml,build/reports/jacoco/test/jacocoTestReport.xml
INFO: No report imported, no coverage information will be imported by JaCoCo XML Report Importer
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=1ms
INFO: Sensor C# Properties [csharp]
INFO: Sensor C# Properties [csharp] (done) | time=1ms
INFO: Sensor JavaXmlSensor [java]
INFO: Sensor JavaXmlSensor [java] (done) | time=0ms
INFO: Sensor VB.NET Properties [vbnet]
INFO: Sensor VB.NET Properties [vbnet] (done) | time=0ms
INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=0ms
INFO: CPD Executor Calculating CPD for 0 files
INFO: CPD Executor CPD calculation finished (done) | time=0ms
INFO: Analysis report generated in 116ms, dir size=86 KB
INFO: Analysis report compressed in 9ms, zip size=11 KB
INFO: Analysis report uploaded in 25ms
INFO: ANALYSIS SUCCESSFUL, you can browse http://localhost:9000/dashboard?id=VulnerableCoreApp.sln
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at http://localhost:9000/api/ce/task?id=AXpSC7HGqgJk9aahC7zU
INFO: Analysis total time: 3.296 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 4.402s
INFO: Final Memory: 7M/34M
INFO: ------------------------------------------------------------------------
The SonarScanner CLI has finished
09:55:36.137 Post-processing succeeded.

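Please suggest a solution keeping in mind that there is no access to the admin panel, as this is on the command line, so a way such as a change to the sonar.properties file or any other configuration file is preferable.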

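After a lot of experimenting and searching I finally found my own solution; I hope it helps someone else. Basically, looking closely at the log, I noticed the following lines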

INFO: Indexing files of module 'VulnerableCoreApp.sln'
INFO: Base dir: ./
INFO: 0 files indexed
INFO: 72 files ignored because of scm ignore settings

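That is, SCM (Source Control Management) is excluding all the files from being scanned. In Sonar, SCM is used to include or exclude files to be scanned according to the version control rules defined in the settings. In my case I am not interested in using SCM in the scan, so I disabled it to include all files for scanning.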

A command-line switch did it for me; you can also specify the switch in the Sonar project's properties file

-Dsonar.scm.disabled=True

The commands now become

dotnet sonarscanner begin /k:"'myProjectKey'" /d:sonar.host.url="http://localhost:9000" /d:sonar.scm.disabled=True
dotnet build "myProject.sln"
dotnet sonarscanner end

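Now all the files are indexed for scanning and no files will be ignored because SCM is now disabled. If you do want to use SCM, you have to change the SCM settings in the Sonar administration dashboard to resolve this.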
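
The log above ends in "EXECUTION SUCCESS" even though 0 files were indexed, so a pipeline that only checks the scanner's exit code would accept an empty scan as clean. The following is an added example, not part of the original post: a shell gate that reads the scanner output and fails when nothing was indexed. The function name check_scan_log and the file name scan.log are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): fail a CI step when the
# SonarScanner log shows that no files were indexed.
#
# Assumed usage (scan.log is a hypothetical file name):
#   dotnet sonarscanner end | tee scan.log
#   check_scan_log < scan.log || exit 1

# check_scan_log: reads scanner output on stdin, prints a one-line verdict.
# Returns 0 if at least one file was indexed,
#         1 if zero files were indexed (empty scan),
#         2 if no "files indexed" line was found at all.
check_scan_log() {
    awk '
        # e.g. "INFO: 0 files indexed"
        /^INFO: [0-9]+ files? indexed/ { indexed += $2; seen = 1 }
        # e.g. "INFO: 72 files ignored because of scm ignore settings"
        /^INFO: [0-9]+ files? ignored because of scm ignore settings/ { ignored += $2 }
        END {
            if (!seen) {
                print "UNKNOWN: no indexing summary found in log"
                exit 2
            }
            if (indexed == 0) {
                printf "EMPTY: 0 files indexed, %d ignored by SCM settings\n", ignored
                exit 1
            }
            printf "OK: %d files indexed, %d ignored by SCM settings\n", indexed, ignored
            exit 0
        }
    '
}

# Lines copied from the log shown in the question.
page_log='INFO: Indexing files of module '"'"'VulnerableCoreApp.sln'"'"'
INFO: Base dir: ./
INFO: 0 files indexed
INFO: 72 files ignored because of scm ignore settings'

printf '%s\n' "$page_log" | check_scan_log || echo "gate fails the build (status $?)"
```
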