Shellcheck job chokes on some parameter usages

[jrnail23]

Using v9.1.1 of the orb, I added the shellcheck job to my workflow, and it seems to be having trouble parsing some of my commands that use command parameters. Also, FWIW, shellcheck is incorrectly complaining (warning) about variables not being used, but perhaps that's a side-effect of the parsing failure.

Here's a (private) link to my failed job: https://app.circleci.com/pipelines/github/socialtables/sonarcloud-orb/71/workflows/e389ee3f-d3e1-4733-a42b-87bfa3d7e81c/jobs/177/parallel-runs/0/steps/0-104

Here's the relevant output from the failing shellcheck job:

Scanning ./src/commands/scan.yml 
---
In - line 4: 
SONAR_PROJECT_KEY="<<parameters.project-key>>" 
^-- SC2034: SONAR_PROJECT_KEY appears unused. Verify it or export it.

In - line 5: 
SONAR_ORGANIZATION="<<parameters.organization>>" 
^-- SC2034: SONAR_ORGANIZATION appears unused. Verify it or export it.

In - line 6:
SONAR_HOST_URL="<<parameters.host-url>>"
^-- SC2034: SONAR_HOST_URL appears unused. Verify it or export it.

In - line 7:
SONAR_SCM_REVISION="${<<parameters.scm-revision>>}"
^-- SC2034: SONAR_SCM_REVISION appears unused. Verify it or export it.

In - line 8:
SONAR_BUILD_STRING="${<<parameters.build-string>>}"
^-- SC2034: SONAR_BUILD_STRING appears unused. Verify it or export it.

In - line 9:
SONAR_LOGIN="${<<parameters.sonar-login>>}"
^-- SC2034: SONAR_LOGIN appears unused. Verify it or export it.

In - line 10:
GITHUB_PROJECT_SLUG="<<parameters.github-project-slug>>"
^-- SC2034: GITHUB_PROJECT_SLUG appears unused. Verify it or export it.

In - line 11:
GITHUB_API_TOKEN="${<<parameters.github-api-token>>}"
^-- SC2034: GITHUB_API_TOKEN appears unused. Verify it or export it.

In - line 12:
LCOV_FILES=(<<parameters.coverage-paths>>) 
           ^-- SC1036: '(' is invalid here. Did you forget to escape it?
           ^-- SC1088: Parsing stopped here. Invalid use of parentheses?

Error discovered in ./src/commands/scan.yml at step 2 
---
----- 
Scanning ./src/commands/install-cli.yml
---
unless: condition: <<parameters.no-cache>> steps: - restore_cache: name: restoring cached sonar-scanner CLI key: &cache-key sonar-scanner-v<<parameters.cli-version>>-{{arch}}-<<parameters.cache-version>> when: always

Unable to shellcheck this command. Skipping.
---

In - line 23:
sonar-scanner --version \
^-- SC1009: The mentioned parser error was in this simple command.

In - line 24:
  <<#parameters.output-file>>| tee <<parameters.output-file>><</parameters.output-file>>;
  ^-- SC1073: Couldn't parse this here document.

Error discovered in ./src/commands/install-cli.yml at step 2
---

And here's the actual source of the above commands:

from scan.yml

shopt -s nullglob globstar
GLOBIGNORE="**/node_modules/**:node_modules/**:**/node_modules"

SONAR_PROJECT_KEY="<<parameters.project-key>>"
SONAR_ORGANIZATION="<<parameters.organization>>"
SONAR_HOST_URL="<<parameters.host-url>>"
SONAR_SCM_REVISION="${<<parameters.scm-revision>>}"
SONAR_BUILD_STRING="${<<parameters.build-string>>}"
SONAR_LOGIN="${<<parameters.sonar-login>>}"
GITHUB_PROJECT_SLUG="<<parameters.github-project-slug>>"
GITHUB_API_TOKEN="${<<parameters.github-api-token>>}"
LCOV_FILES=(<<parameters.coverage-paths>>)
TEST_RESULTS_FILES=(<<parameters.test-report-paths>>)
ESLINT_RESULTS_FILES=(<<parameters.eslint-report-paths>>)
STYLELINT_RESULTS_FILES=(<<parameters.stylelint-report-paths>>)
SONAR_COVERAGE_PLUGIN="<<parameters.covered-code-language>>"
SCM_BRANCH_NAME="${<<parameters.scm-branch-name>>}"
GITHUB_PR_URL="${<<parameters.github-pr-url>>}"
PROJECT_VERSION_PARAM="<<parameters.project-version>>"
RAW_SCANNER_ARGS=(<<parameters.raw-scanner-args>>)

GITHUB_API_AUTH_HEADER="Authorization: Bearer ${GITHUB_API_TOKEN}"
SONAR_PROJECT_VERSION="${PROJECT_VERSION_PARAM:-$(cat package.json | jq -r '.version')}"

declare -A SONAR_ARGS

if [ "$GITHUB_PR_URL" ]; then
  echo "USING PR: $GITHUB_PR_URL"
  SONAR_PR_KEY=$(basename $GITHUB_PR_URL)

  echo "SONAR_PR_KEY: $SONAR_PR_KEY"
  PR_BASE_BRANCH=$( \
    curl \
      -H "$GITHUB_API_AUTH_HEADER" \
      "https://api.github.com/repos/$GITHUB_PROJECT_SLUG/pulls/$SONAR_PR_KEY" | \
      jq -r '.base.ref' \
  )
  echo "PR_BASE_BRANCH: $PR_BASE_BRANCH"

  SONAR_ARGS+=(
    ["sonar.pullrequest.base"]=${PR_BASE_BRANCH} \
    ["sonar.pullrequest.branch"]=${SCM_BRANCH_NAME} \
    ["sonar.pullrequest.key"]=${SONAR_PR_KEY} \
  )

  git branch -f $PR_BASE_BRANCH origin/$PR_BASE_BRANCH

else
  if [ "$SCM_BRANCH_NAME" ]; then
    GITHUB_DEFAULT_BRANCH=$( \
      curl \
        -H "$GITHUB_API_AUTH_HEADER" \
        https://api.github.com/repos/$GITHUB_PROJECT_SLUG | \
        jq -r '.default_branch' \
    )
    echo "GITHUB_DEFAULT_BRANCH: $GITHUB_DEFAULT_BRANCH"

    SONAR_ARGS["sonar.branch.name"]=$SCM_BRANCH_NAME

    if [ "$SCM_BRANCH_NAME" != "$GITHUB_DEFAULT_BRANCH" ]; then
      SONAR_ARGS["sonar.branch.target"]=${GITHUB_DEFAULT_BRANCH}

      git branch -f $GITHUB_DEFAULT_BRANCH origin/$GITHUB_DEFAULT_BRANCH
    fi
  fi
fi

function toCSV { local IFS=","; echo "$*"; }
function splitRawParam {
  local IFS="="; read -ra PARAM \<<< "$1"
  echo ${PARAM[*]}
}

if [ ${#LCOV_FILES[@]} -gt 0 ]; then
  SONAR_ARGS["sonar.$SONAR_COVERAGE_PLUGIN.lcov.reportPaths"]="$(toCSV ${LCOV_FILES[@]})"
fi

if [ ${#TEST_RESULTS_FILES[@]} -gt 0 ]; then
  SONAR_ARGS["sonar.testExecutionReportPaths"]="$(toCSV $TEST_RESULTS_FILES)"
fi

if [ ${#ESLINT_RESULTS_FILES[@]} -gt 0 ]; then
  SONAR_ARGS["sonar.eslint.reportPaths"]="$(toCSV $ESLINT_RESULTS_FILES)"
fi

if [ ${#STYLELINT_RESULTS_FILES[@]} -gt 0 ]; then
  SONAR_ARGS["sonar.css.stylelint.reportPaths"]="$(toCSV $STYLELINT_RESULTS_FILES)"
fi

SONAR_ARGS+=( \
  ["sonar.host.url"]="$SONAR_HOST_URL" \
  ["sonar.organization"]="$SONAR_ORGANIZATION" \
  ["sonar.buildString"]="$SONAR_BUILD_STRING" \
  ["sonar.scm.revision"]="$SONAR_SCM_REVISION" \
  ["sonar.projectKey"]="$SONAR_PROJECT_KEY" \
  ["sonar.projectVersion"]="$SONAR_PROJECT_VERSION" \
  ["sonar.login"]="$SONAR_LOGIN" \
)

if [ ${#RAW_SCANNER_ARGS[@]} -gt 0 ]; then
  for param in "${RAW_SCANNER_ARGS[@]}";
  do
    param_parts=($(splitRawParam $param))
    SONAR_ARGS["${param_parts[0]}"]="${param_parts[1]}"
  done
fi

CLI_ARGS=()
echo "SONAR_ARGS:"
for key in "${!SONAR_ARGS[@]}";
do
  ARG="-D$key=${SONAR_ARGS[$key]}"
  CLI_ARGS+=($ARG)
  # exclude login here for security reasons
  if [ "$key" != "sonar.login" ]; then
    echo "$ARG";
  fi
done

export SONAR_SCANNER_OPTS="-server"
sonar-scanner ${CLI_ARGS[*]}

From install-cli.yml

CLI_VERSION="<<parameters.cli-version>>"
CLI_OS="<<parameters.os>>"
DOWNLOAD_URL="<<parameters.download-path>>sonar-scanner-cli-$CLI_VERSION-$CLI_OS.zip"

export UTILS_TO_INSTALL=""
hash jq 2>/dev/null || { UTILS_TO_INSTALL="${UTILS_TO_INSTALL} jq"; }
hash unzip 2>/dev/null || { UTILS_TO_INSTALL="${UTILS_TO_INSTALL} unzip"; }

if [ "$UTILS_TO_INSTALL" ]; then
  apt-get update -y
  apt-get install -y --no-install-recommends $UTILS_TO_INSTALL
fi

if test ! -d /tmp/sonar-scanner; then
  wget $DOWNLOAD_URL -O /tmp/sonar-scanner.zip
  unzip /tmp/sonar-scanner.zip -d /tmp
  rm /tmp/sonar-scanner.zip
  mv /tmp/sonar-scanner-$CLI_VERSION-$CLI_OS /tmp/sonar-scanner
fi
echo "export PATH=/tmp/sonar-scanner/bin:$PATH" >> $BASH_ENV
source $BASH_ENV

sonar-scanner --version \
  <<#parameters.output-file>>| tee <<parameters.output-file>><</parameters.output-file>>;

[gmemstr]

Hi @jrnail23 - we are working to remove the shellcheck components from this orb in favour of the dedicated shellcheck orb, coupled with our new orb pack command for inluding scripts within orbs (which you can read a bit more about here - https://discuss.circleci.com/t/circleci-cli-orb-pack-beta/36598. We have since moved this out of beta). https://github.com/CircleCI-Public/shellcheck-orb.

In this case, it may be worth simple adding SC2034 to the exclusion list.

[gmemstr]

Closing as shellcheck is no longer present as of v10 (961db4c50395f42ba8b7f71bdc1fc7aa7cc776d0).