opendevstack / ods-pipeline

Alternative ODS CI/CD pipeline based on Tekton / OpenShift Pipelines
Apache License 2.0

SonarQube doesn't scan FE-related code #716

Closed cschweikert closed 1 year ago

cschweikert commented 1 year ago

When running SonarQube in ODS pipelines the scan results don't contain anything about JavaScript, TypeScript or CSS files.

When running SonarQube within the pipeline it seems to run through without any warnings. When looking at the logs it seems to detect and count the relevant source files (e.g. TypeScript or CSS files). Also the code coverage analysis data can correctly be uploaded and is available within SonarQube's UI. Things like code smells, security issues, etc. seem not to be handled at all.

Also the SonarQube UI presents the following warnings for the respective pipeline runs:

CSS rules were not executed. Error when running: 'node -v'. Is Node.js available during analysis?

and

JavaScript and/or TypeScript rules were not executed. Error when running: 'node -v'. Is Node.js available during analysis?

The SonarQube Scanner CLI seems to need NodeJS to be available during the pipeline run for doing the FE-related scans. It seems that NodeJS is not part of the container that runs the SonarQube Scanner CLI (see also https://github.com/opendevstack/ods-pipeline/blob/master/build/package/Dockerfile.sonar).

A potential fix could be to change the base image (https://github.com/opendevstack/ods-pipeline/blob/master/build/package/Dockerfile.sonar#L34) from

...
FROM registry.access.redhat.com/ubi8/ubi-minimal:8.4
...

to something like

...
FROM registry.access.redhat.com/ubi8/nodejs-18:1

ENV NPM_CONFIG_PREFIX=$HOME/.npm-global \
    LANG=en_US.UTF-8 \
    LC_ALL=en_US.UTF-8

RUN echo node version: $(node --version) && \
    echo npm version: $(npm --version) && \
    echo npx version: $(npx --version)
...
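Added example, not part of the issue or of the ods-pipeline project: a shell pre-flight check and a post-scan gate for the failure mode described above, where the scanner step succeeds but the quoted warnings show that the frontend rules never executed. Function names are my own; the sample log lines are constructed from the two warnings quoted in the issue.

```shell
#!/bin/sh
# Added example, not ods-pipeline code. The scanner exits 0 even when its
# JS/TS/CSS rules never ran because 'node -v' failed inside the container,
# so the pipeline has to check for that condition itself.

# Pre-flight: return 0 only when a working node binary is on PATH.
# Call this in the scanner image before sonar-scanner so a missing runtime
# fails the step instead of yielding a report with no frontend findings.
check_node_available() {
    if ! command -v node >/dev/null 2>&1; then
        echo "node not found in scanner image: JS/TS/CSS rules would be skipped" >&2
        return 1
    fi
    node -v >/dev/null 2>&1 || { echo "'node -v' failed" >&2; return 1; }
}

# Post-scan: read scanner output (or the analysis warnings shown in the
# SonarQube UI) from stdin. Prints every "rules were not executed" line and
# returns 1 if any is present, 0 when the log is clean.
find_skipped_rules() {
    input=$(cat)
    matches=$(printf '%s\n' "$input" | grep -i "rules were not executed" || true)
    if [ -z "$matches" ]; then
        return 0
    fi
    printf '%s\n' "$matches"
    return 1
}

# Constructed sample: the two warnings quoted in this issue plus a benign line.
sample_warnings() {
    cat <<'EOF'
INFO: Analysis total time: 12.345 s
CSS rules were not executed. Error when running: 'node -v'. Is Node.js available during analysis?
JavaScript and/or TypeScript rules were not executed. Error when running: 'node -v'. Is Node.js available during analysis?
EOF
}

# Constructed sample of a clean run.
sample_clean_log() {
    printf 'INFO: Analysis total time: 12.345 s\nINFO: EXECUTION SUCCESS\n'
}
```

In a pipeline task, run `check_node_available` before the scanner and pipe the scanner output through `find_skipped_rules` afterwards so either condition fails the step.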

michaelsauter commented 1 year ago

FYI here's the base image from SQ: https://github.com/SonarSource/sonar-scanner-cli-docker/blob/master/4/Dockerfile. They install Node as well ...

michaelsauter commented 1 year ago

Fixed by #726.