Hack23 / sonar-cloudformation-plugin

Sonarqube cloudformation plugin, IaC security supports cfn-nag/checkov
https://hack23.github.io/sonar-cloudformation-plugin/
GNU Lesser General Public License v3.0

Plugin is missing .nag report #227

Closed malferov closed 3 years ago

malferov commented 3 years ago

Hi there,

If sonar-scanner runs as a docker container, it can't find the generated report.

jenkins@859f9f94dc19:~/workspace/app$ pwd
/var/jenkins_home/workspace/app
jenkins@859f9f94dc19:~/workspace/app$ ls -l
total 8
-rw-r--r-- 1 jenkins jenkins 112 Dec  6 18:59 template.json
-rw-r--r-- 1 jenkins jenkins 397 Dec  6 18:59 template.json.nag

While running the scanner, the sonar-cloudformation-plugin complains about a missing report:

Processing:template.json.nag missing or do not end with .nag or .nagscan

Full scanner log:

jenkins@859f9f94dc19:~/workspace/app$ sonar-scanner -Dsonar.host.url=http://sonar:9000 -Dsonar.projectKey=app -Dsonar.cfn.nag.reportFiles=template.json.nag
INFO: Scanner configuration file: /var/jenkins_home/tools/hudson.plugins.sonar.SonarRunnerInstallation/scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: NONE
INFO: SonarScanner 4.5.0.2216
INFO: Java 1.8.0_242 Oracle Corporation (64-bit)
INFO: Linux 5.4.0-56-generic amd64
INFO: User cache: /var/jenkins_home/.sonar/cache
INFO: Scanner configuration file: /var/jenkins_home/tools/hudson.plugins.sonar.SonarRunnerInstallation/scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: NONE
INFO: Analyzing on SonarQube server 7.9.5
INFO: Default locale: "en", source code encoding: "UTF-8" (analysis is platform dependent)
WARN: SonarScanner will require Java 11 to run starting in SonarQube 8.x
INFO: Load global settings
INFO: Load global settings (done) | time=205ms
INFO: Server id: BF41A1F2-AXYzS_xwqkpYAjvo9ndy
INFO: User cache: /var/jenkins_home/.sonar/cache
INFO: Load/download plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=129ms
INFO: Load/download plugins (done) | time=209ms
INFO: Process project properties
INFO: Execute project builders
INFO: Execute project builders (done) | time=38ms
INFO: Project key: app
INFO: Base dir: /var/jenkins_home/workspace/app
INFO: Working dir: /var/jenkins_home/workspace/app/.scannerwork
INFO: Load project settings for component key: 'app'
INFO: Load project settings for component key: 'app' (done) | time=64ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=192ms
INFO: Load active rules
INFO: Load active rules (done) | time=4532ms
INFO: Indexing files...
INFO: Project configuration:
INFO: 2 files indexed
INFO: 0 files ignored because of scm ignore settings
INFO: ------------- Run sensors on module app
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=112ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=17ms
INFO: Sensor JavaXmlSensor [java]
INFO: Sensor JavaXmlSensor [java] (done) | time=5ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=47ms
INFO: Sensor Cloudformation Check [cloudformation]
INFO: Process cfn-nag reports
INFO: sonar.cfn.nag.reportFiles=template.json.nag
INFO: Processing:template.json.nag
WARN: Processing:template.json.nag missing or do not end with .nag or .nagscan
INFO: Process cfn-nag reports (done) | time=69ms
INFO: Sensor Cloudformation Check [cloudformation] (done) | time=69ms
INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=14ms
INFO: Calculating CPD for 0 files
INFO: CPD calculation finished
INFO: Analysis report generated in 314ms, dir size=74 KB
INFO: Analysis report compressed in 39ms, zip size=10 KB
INFO: Analysis report uploaded in 104ms
INFO: ANALYSIS SUCCESSFUL, you can browse http://sonar:9000/dashboard?id=app
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at http://sonar:9000/api/ce/task?id=AXY5d1P7VvK5T4nIqYQX
INFO: Analysis total time: 13.041 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 15.697s
INFO: Final Memory: 15M/150M
INFO: ------------------------------------------------------------------------

pethers commented 3 years ago

Not sure exactly how you run docker, but normally you can mount volumes in docker to share data between host and docker instance.

Used with ZAP, to be able to export reports:

docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py \
  -t https://www.example.com -g gen.conf -r testreport.html

malferov commented 3 years ago

Thanks @pethers for your swift response. My nag report is committed to the source for the sake of this example. The ls is being called from inside the scanner container:

jenkins@859f9f94dc19:~/workspace/app$ ls -l
-rw-r--r-- 1 jenkins jenkins 112 Dec  6 18:59 template.json
-rw-r--r-- 1 jenkins jenkins 397 Dec  6 18:59 template.json.nag

If the scanner is called from the same shell, the warning is raised:

jenkins@859f9f94dc19:~/workspace/app$ sonar-scanner -Dsonar.host.url=http://sonar:9000 -Dsonar.projectKey=app -Dsonar.cfn.nag.reportFiles=template.json.nag
...
WARN: Processing:template.json.nag missing or do not end with .nag or .nagscan

It seems pathResolver.relativeFile(fileSystem.baseDir(), report).exists() (https://github.com/Hack23/sonar-cloudformation-plugin/blob/master/src/main/java/com/hack23/sonar/cloudformation/CloudformationSensor.java#L126) doesn't work as expected in a docker environment.

pethers commented 3 years ago

Did you try using a volume mount in docker? Otherwise maybe, as you say, "Resolver.relativeFile(fileSystem.baseDir(), report).exists() doesn't work as expected in docker environment.", but I'm not sure how to solve it.

malferov commented 3 years ago

@pethers it is not related to containers after all. The plugin does work with .nagscan files but won't process .nag ones, regardless of docker or VM. My environment:

SonarScanner 4.5.0.2216
SonarQube Community Edition Version 8.5.1 (build 38104)

pethers commented 3 years ago

Thanks for figuring this out.

Think I may have found the issue. Initially the nag scan did have a different format; to support both, I added a check to see whether the new or the old format was used. But the fallback to nagscan content in a .nag file had an extra check for the filename extension.

The workaround that you found, to name the file .nagscan, makes sense.

No immediate release plan since a workaround exists.
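As an added illustration of the extension-versus-content mismatch pethers describes above (example code written here, not the plugin's Java): a reader that first gates on the file extension and then re-checks the extension in its content-based fallback rejects scan-format content saved under a .nag name, while a reader that decides by content alone accepts either name. The two report shapes are constructed samples modelled on cfn_nag's single-file output and cfn_nag_scan's per-file list; that the real plugin branches exactly this way is an assumption.

```python
import json

VALID_SUFFIXES = (".nag", ".nagscan")

# Constructed sample reports (not taken from the issue).
SINGLE_REPORT = json.dumps({"failure_count": 1, "violations": [
    {"id": "W-EXAMPLE", "type": "WARN", "message": "constructed finding", "logical_resource_ids": ["Bucket"]}]})
SCAN_REPORT = json.dumps([{"filename": "template.json", "file_results": json.loads(SINGLE_REPORT)}])


def is_scan_format(doc):
    """cfn_nag_scan emits a list of {"filename", "file_results"}; cfn_nag emits one result object."""
    return isinstance(doc, list) and all(isinstance(e, dict) and "file_results" in e for e in doc)


def flatten(doc):
    """Return the list of violations regardless of which shape the document has."""
    if is_scan_format(doc):
        return [v for entry in doc for v in entry["file_results"]["violations"]]
    return list(doc.get("violations", []))


def read_report_buggy(name, text):
    """Mirrors the defect pattern: the content fallback re-checks the extension.
    Returns None where the plugin logs 'missing or do not end with .nag or .nagscan'."""
    if not name.endswith(VALID_SUFFIXES):
        return None
    doc = json.loads(text)
    if name.endswith(".nagscan") and is_scan_format(doc):
        return flatten(doc)                      # new format under the expected name
    if name.endswith(".nag") and not is_scan_format(doc):
        return flatten(doc)                      # old format under the expected name
    if not name.endswith(".nagscan"):            # the extra check: scan content in a .nag file is dropped
        return None
    return flatten(doc)


def read_report_fixed(name, text):
    """Gate on the extension once, then let the content decide the parser."""
    if not name.endswith(VALID_SUFFIXES):
        return None
    return flatten(json.loads(text))
```

Renaming the file to .nagscan (the workaround above) takes the first branch of the buggy reader, which is why it worked.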