scanner-cli | A project security/vulnerability/risk scanning tool | Security Testing library

The issue cause is found after doing some more digging.

Issue cause: The default quality profile corresponding to the C++ (Community) had their all rules disabled by default, and there was no option to enable them as well.

Fix: Created a new quality profile extending the default one, then enabled rules for that, and finally made it as the default quality profile for C++ (Community) solves the issue.

Update (16-Feb-'21): Got a clarification from sonar-cxx team that this is intentional as well, and the same is documented in https://github.com/SonarOpenCommunity/sonar-cxx/wiki/Manage-Quality-Profiles

Since the cxx plugin contains a large number of sensors with over 4000 rules, all rules are initially deactivated in the default profile Sonar way for the programming language CXX. Enabling all rules would have a negative impact on the analysis performance and mostly only a subset is needed.

Therefore, after installation, no sensor issues are displayed. To display issues, the corresponding rules must first be enabled in the Quality Profile being used by the project.

I found the solution to this, myself.

Required to add

"- cd /build/rmesi/test-repo ; sonar-scanner"

in the script section in the job of the 'sonarscanner.gitlab-ci.yml' file.

That way, the runner maps directly to desired directory and execute the 'sonar-scanner' command there.

Here's how one can modify container commands without building another image.

1. Pull the image

For anyone finding this later, I found the solution.

According to https://docs.sonarqube.org/7.9/analysis/scan/sonarscanner/ only sonar-scanner version 4.0 is compatible.

The docker image with version 4.1 (https://hub.docker.com/layers/sonarsource/sonar-scanner-cli) works fine though.

• \$ docker pull sonarqube:7.9.4-community
• \$ docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:7.9.4-community
• Log in to http://localhost:9000 (login=admin, password=admin)
• (make sure - sonarqube server is running at localhost:9000)

• \$ docker pull newtmitch/sonar-scanner:4-alpine
• Goto your root directory of the Project
• \$ docker run -it -v $(pwd):/usr/src --link sonarqube:7.9.4-community newtmitch/sonar-scanner:4-alpine
  -D sonar.host.url=http://sonarqube:9000
  -D sonar.scm.provider=git
  -D sonar.projectBaseDir=./src
  -D sonar.sources=.
  -D sonar.projectName='Test-Project'
• (NOTE: Above I assume that your source code is inside- src folder, if not please change accordingly)
• Go to http://localhost:9000 You will now see a new project - "Test-Project" which has completely analyzed the source code that you ran from your root directory.
• Documentation click

• \$ npm i -D sonarqube-scanner

• In package.json add a new script: "sonar": "node sonar-project.js"

• add a file in your root-directory: sonar-project.js

• Copy following code in sonar-project.js:

Your last URL contains special chars which are interpreted by the shell. The downloaded URL is bogus, and you don't notice because curl is set to run silently. The resulting file is corrupt. Solution : quote (or escape) your URL.

bzip2 is also missing in your image : you want to add it to your yum install command.

With these changes, your Dockerfile builds successfully:

You probably need to do what the error message suggest: add a property

Solved my problem. In dockerfile :

Since your Jenkins is running the build in a docker container as mentioned in the comments, the solution is to use the IP address or a local DNS name to access sonarqube from within the build script, since localhost does not resolve to the host machine inside a docker container.