Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
sonarqube-scanner
Advanced tools
The sonarqube-scanner npm package lets you run SonarQube static analysis from within your Node.js projects: it fetches the SonarScanner CLI on demand (no separate tool or Java runtime to install) and pushes the analysis to a SonarQube Server or SonarQube Cloud instance, which reports bugs, vulnerabilities, and code smells in your codebase.
Basic Scan
This feature allows you to perform a basic scan of your project by specifying the SonarQube server URL and project options such as the project key and source directory.
const scanner = require('sonarqube-scanner').default; // v4 export; v3 exported the function directly

scanner(
  {
    serverUrl: 'http://localhost:9000', // plaintext HTTP is acceptable for a local server only
    options: {
      'sonar.projectKey': 'my-project',
      'sonar.sources': 'src',
    },
  },
  // The analysis is asynchronous; the callback receives an error when it failed
  error => process.exit(error ? 1 : 0)
);
Custom Configuration
This feature allows you to customize the scan configuration by including or excluding specific files and directories.
const scanner = require('sonarqube-scanner').default; // v4 export; v3 exported the function directly

scanner(
  {
    serverUrl: 'http://localhost:9000',
    options: {
      'sonar.projectKey': 'my-project',
      'sonar.sources': 'src',
      'sonar.inclusions': '**/*.js',      // only analyse these files
      'sonar.exclusions': 'node_modules/**', // never analyse installed dependencies
    },
  },
  // The callback receives an error when the analysis failed
  error => process.exit(error ? 1 : 0)
);
Authentication
This feature allows you to authenticate with the SonarQube server using a token, which SonarQube Server v10+ and SonarQube Cloud expect. Read the token from the environment rather than writing it into the source:
const scanner = require('sonarqube-scanner').default; // v4 export; v3 exported the function directly

scanner(
  {
    serverUrl: 'http://localhost:9000',
    // e.g. exported by your CI secret store; avoid a literal such as
    // 'your-sonarqube-token' in a file that gets committed
    token: process.env.SONAR_TOKEN,
    options: {
      'sonar.projectKey': 'my-project',
      'sonar.sources': 'src',
    },
  },
  // The callback receives an error when the analysis failed
  error => process.exit(error ? 1 : 0)
);
ESLint is a widely used tool for identifying and reporting on patterns found in ECMAScript/JavaScript code. It is highly configurable and can be extended with custom rules. Unlike sonarqube-scanner, ESLint runs locally and focuses solely on linting JavaScript code; it does not push results to a server or provide the broader static analysis features of SonarQube.
JSHint is another popular static code analysis tool for JavaScript. It helps detect errors and potential problems in your JavaScript code. While it is similar to ESLint, JSHint is less configurable and has fewer features than either ESLint or sonarqube-scanner.
TSLint is a linter for TypeScript code, providing static analysis and code quality checks. It is similar to ESLint but specifically designed for TypeScript. TSLint is now deprecated in favor of ESLint with TypeScript support, and it does not offer the extensive analysis capabilities of sonarqube-scanner.
sonarqube-scanner makes it very easy to trigger SonarQube Server and Cloud analyses on a JavaScript code base, without needing to install any specific tool or (Java) runtime.
This module is analyzed on SonarQube Cloud.
This is the documentation for v4. If you are using v3, refer to the v3 documentation.
Prerequisite: Node v18+ (for v4 and above)
Prerequisite: Node v16+ (for v3, otherwise use sonarqube-scanner v2.9.1)
This package is available on npm as: sonarqube-scanner
To add code analysis to your build files, simply add the package to your project dev dependencies:
npm install -D sonarqube-scanner
To install the scanner globally and be able to run analyses on the command line:
npm install -g sonarqube-scanner
Prerequisite: you've installed the package as a dev dependency.
The following example shows how to run an analysis on a JavaScript project and push the results to a SonarQube instance:
const scanner = require('sonarqube-scanner').default;

scanner(
  {
    serverUrl: 'https://sonarqube.mycompany.com',
    // Sample value from the README. In a real build, read the token from a
    // secret store or environment variable instead of committing it.
    token: '019d1e2e04eefdcd0caee1468f39a45e69d33d3f',
    options: {
      'sonar.projectName': 'My App',
      'sonar.projectDescription': 'Description for "My App" project...',
      'sonar.sources': 'src',
      'sonar.tests': 'test',
    },
  },
  // The analysis runs asynchronously; the callback receives an error when it
  // failed. Exit non-zero in that case so a CI job does not pass silently.
  error => {
    if (error) {
      console.error(error);
      process.exit(1);
    }
    process.exit(0);
  },
);
Syntax: sonarqube-scanner(parameters, [callback])
Arguments
parameters (Map)
  serverUrl: String (optional). The URL of the SonarQube Server or Cloud host. Defaults to https://sonarcloud.io
  token: String (optional). The token used to connect to SonarQube Server v10+ or SonarQube Cloud. Empty by default.
  options: Map (optional). Used to pass extra parameters for the analysis. See the official documentation for more details.
callback (Function, optional)
  Invoked when the analysis completes (the execution of the analysis is asynchronous); it receives an error argument when the analysis failed.
Prerequisite: you've installed the package globally.
If you want to run an analysis without having to configure anything in the first place, simply run the sonar-scanner command. The following example assumes that you have installed SonarQube Server locally:
cd my-project
sonar-scanner
Specifying properties/settings
If there's a package.json file in the folder, it will be read to feed the analysis with basic information (like project name or version).
If there's a sonar-project.properties file in the folder, it will behave like the original SonarScanner.
Additional analysis parameters can be passed on the command line using the standard -Dsonar.xxx=yyy syntax.
Example:
sonar-scanner -Dsonar.host.url=https://myserver.com -Dsonar.token=019d1e2e04e
A token passed as a -D argument ends up in shell history and in the process list visible to other users of the build host. Prefer exporting it as the SONAR_TOKEN environment variable, which the SonarScanner CLI reads, and keep only non-secret settings on the command line.
To run analyses without explicitly installing the scanner, run the following command instead:
npx sonarqube-scanner
Similar to the above, you can specify analysis properties and settings using either a package.json file, a sonar-project.properties file, or command line arguments.
You can also install the standard SonarScanner manually, which additionally requires a Java Runtime Environment (Java 8+).
It is important to make sure that the SonarScanner $install_directory/bin location is added to the system $PATH environment variable. This ensures that the sonar-scanner command is resolved by the customScanner and prevents the error:
Error: Local install of SonarScanner not found.
    at getLocalSonarScannerExecutable (<project_dir>/node_modules/sonarqube-scanner/src/sonar-scanner-executable.js:153:11)
    at scanUsingCustomScanner (<project_dir>/node_modules/sonarqube-scanner/src/index.js:52:3)
    ...
Once the local installation is done, replace the require line of the example with:
var scanner = require('sonarqube-scanner').customScanner;
You are probably relying on Alpine for your Docker image, and Alpine does not include glibc by default. It needs to be installed manually.
Thanks to Philipp Eschenbach for troubleshooting this on issue #59.
By default, the scanner binaries are downloaded from https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/.
To use a custom mirror, set $SONAR_SCANNER_MIRROR, or download a precise version with $SONAR_SCANNER_VERSION. Whatever host serves these binaries becomes part of your build's supply chain: point the mirror at a host you control, pin SONAR_SCANNER_VERSION so a change on the mirror cannot silently swap the binary you run, and serve it over HTTPS.
Example:
export SONAR_SCANNER_MIRROR=https://npm.taobao.org/mirrors/sonar-scanner/
export SONAR_SCANNER_VERSION=3.2.0.1227
or alternatively set the variables in .npmrc:
sonar_scanner_mirror=https://npm.taobao.org/mirrors/sonar-scanner/
sonar_scanner_version=3.2.0.1227
For mirrors using Basic HTTP authentication (e.g. Sonatype Nexus 3 raw-proxy, Artifactory with artifactory-cache-proxy), simply specify the username and password as part of the URL:
export SONAR_SCANNER_MIRROR=https://username:password@repo.example.com/mirrors/sonar-scanner/
Credentials embedded in the URL are inherited by every child process of the build and readable by anyone who can inspect the process environment; if you put them in .npmrc instead, keep that file out of version control.
Proxy authentication is supported as well, see below.
By default, the scanner binaries are cached in the $HOME/.sonar/native-sonar-scanner folder.
To use a custom cache folder instead of $HOME, set $SONAR_BINARY_CACHE.
Example:
export SONAR_BINARY_CACHE=/Users/myaccount/cache
or alternatively set the variable in .npmrc:
sonar_binary_cache=/Users/myaccount/cache
To download the binaries from behind a proxy, set the http_proxy or https_proxy environment variable. Both support proxies using plain HTTP or HTTPS.
Example:
export http_proxy=http://mycompanyproxy.com:PORT
export https_proxy=http://mycompanyproxy.com:PORT
export http_proxy=https://encryptedcompanyproxy.com:PORT
export https_proxy=https://encryptedcompanyproxy.com:PORT
Behind an authenticated proxy:
export http_proxy=http://user:password@mycompanyproxy.com:PORT
export https_proxy=http://user:password@mycompanyproxy.com:PORT
export http_proxy=https://user:password@encryptedcompanyproxy.com:PORT
export https_proxy=https://user:password@encryptedcompanyproxy.com:PORT
As with mirror credentials, a user:password placed in these variables is visible to every child process of the build, so scope it to the job that needs it.
sonarqube-scanner is licensed under the LGPL v3 License.
FAQs
SonarQube/SonarCloud Scanner for the JavaScript world
The npm package sonarqube-scanner receives a total of 372,870 weekly downloads. As such, sonarqube-scanner popularity was classified as popular.
We found that sonarqube-scanner demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 17 open source maintainers collaborating on the project.