
sonar-hadolint-plugin's Introduction

โš ๏ธ Deprecation notice

This project is no longer maintained: SonarQube now treats Hadolint as an external analyzer, and Hadolint can itself generate output that SonarQube reads. Feel free to fork this project and adapt the plugin to your needs. The code is available as-is: we no longer give any support for this project.

Please refer to the Hadolint documentation and the SonarQube documentation on external analyzers if needed.

Hadolint SonarQube Plugin


SonarQube plugin for the Dockerfile analysis tool Hadolint.

SonarQube is an open platform to manage code quality. This plugin adds the ability to import pre-existing Hadolint results; only the checkstyle report format is supported.

This plugin is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version.

You can get Hadolint on GitHub.

As Hadolint uses ShellCheck to lint the bash code in Dockerfiles, this plugin is inspired by the ShellCheck SonarQube Plugin.

Known limitations

A Dockerfile has no file extension

SonarQube plugins can automatically decide whether they should run thanks to the file extension.
For example, a Java plugin can easily identify the files it should analyze by their .java extension.
We cannot rely on this behaviour for Dockerfiles, because they have no standardized extension.

SonarQube has no way to recognize a Dockerfile automatically unless the plugin declares an extension for it.
The solution we chose instead is to give the Sonar Scanner explicit patterns for finding Dockerfiles when starting an analysis.
This way, the plugin runs only if the patterns match at least one file, and the matched Dockerfiles are fully analyzed.

More details regarding properties are available in the dedicated section below.

Language, Metrics and Highlighting

The plugin creates a Dockerfile language inside SonarQube, linked to the Hadolint rules.
For the Dockerfiles identified in your projects, the plugin computes two metrics: the number of comments and the number of lines of code.
It also provides basic syntax highlighting when you view the code in the SonarQube web interface.

Quickstart

  • Set up a SonarQube instance.
  • Install the Hadolint command line tool.
  • Download the plugin JAR file from the GitHub Releases page, or build it (see the dedicated section below).
  • Install sonar-hadolint-plugin-*.jar in <SONARQUBE_HOME>/extensions/plugins/.
  • Run Hadolint to produce a report in checkstyle format:
    • For example: hadolint -f checkstyle Dockerfile > hadolint-report.xml
  • Set the appropriate plugin properties in your sonar-project.properties.
  • Run an analysis with sonar-scanner, Maven, Gradle, MSBuild, etc.

Run Hadolint

For now, the plugin is not able to run Hadolint automatically; you have to handle this yourself.
Go to the project page for instructions: https://github.com/hadolint/hadolint
Be sure to generate reports in checkstyle format! It is the only format the plugin supports.

Plugin's properties

  • sonar.lang.patterns.dockerfile:
    • Comma-separated list of patterns matching the Dockerfiles inside your project.
    • /!\ Those patterns must match Dockerfiles only! You will get issues if they also match files of another analyzed language.
    • Default: Dockerfile
    • Example: **/Dockerfile,subdir/Dockerfile-example
  • sonar.hadolint.reports.path:
    • Comma-separated list of paths to Hadolint reports in checkstyle format. Wildcards are allowed.
    • Default: hadolint-report.xml
    • Example: **/hadolint-report.xml

These properties can be defined in a sonar-project.properties file, or passed as command line arguments when you start the Sonar Scanner:
sonar-scanner -Dsonar.lang.patterns.dockerfile=Dockerfile,some-dir/Dockerfile.* -Dsonar.hadolint.reports.path=results/report.xml
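The following Python script is an added example, not part of the plugin or of this README. It performs the checks a practitioner wants before starting the scanner: it expands the two properties above over a project tree (Ant-style globs are approximated with fnmatch, which is an assumption), warns when a Dockerfile pattern also catches files of another analyzed language, locates the checkstyle reports, and ties each file name in a report back to an indexed Dockerfile. A report produced by piping the Dockerfile through stdin carries the file name '-' and cannot be linked to any file; the script reports such entries as orphans. How the plugin itself resolves report paths is not documented on this page, so resolving relative names against the scanner base directory is also an assumption. The project tree and the report the script runs on are constructed sample data.

```python
"""Pre-flight check for sonar-hadolint-plugin inputs (added example, not plugin code).
Assumptions: Ant-style globs are approximated with fnmatch, and relative report
names are resolved against the scanner base directory.
"""
import fnmatch
import glob
import os
import tempfile
import xml.etree.ElementTree as ET  # reports are generated locally; use defusedxml for untrusted XML
from pathlib import Path

# Suffixes of other analyzed languages: a Dockerfile pattern must not pick these up.
FOREIGN_SUFFIXES = {".java", ".py", ".js", ".ts", ".sh", ".yml", ".yaml", ".xml"}

def expand_patterns(base: Path, patterns: str) -> list[str]:
    """Files below base matched by the comma-separated sonar.lang.patterns.dockerfile list."""
    hits = set()
    for pattern in (p.strip() for p in patterns.split(",") if p.strip()):
        # fnmatch's '*' also crosses '/', so the pattern is tried with and without
        # its '**/' prefix to emulate Ant's "zero or more directories" meaning.
        variants = {pattern, pattern.replace("**/", "")}
        for path in base.rglob("*"):
            rel = path.relative_to(base).as_posix()
            if path.is_file() and any(fnmatch.fnmatchcase(rel, v) for v in variants):
                hits.add(rel)
    return sorted(hits)

def find_reports(base: Path, report_paths: str) -> list[Path]:
    """Existing report files for the wildcard-capable sonar.hadolint.reports.path list."""
    found = set()
    for pattern in (p.strip() for p in report_paths.split(",") if p.strip()):
        matches = glob.glob(pattern, recursive=True) if os.path.isabs(pattern) else base.glob(pattern)
        found.update(Path(m) for m in matches)
    return sorted(found)

def parse_checkstyle(report: Path) -> dict:
    """Map each <file name> of a Hadolint checkstyle report to its <error> entries."""
    issues = {}
    for file_el in ET.parse(report).getroot().iter("file"):
        issues.setdefault(file_el.get("name", ""), []).extend(
            {"line": int(e.get("line", "0")), "severity": e.get("severity"),
             "rule": e.get("source"), "message": e.get("message")}
            for e in file_el.iter("error"))
    return issues

def associate(base: Path, dockerfiles: list[str], issues: dict) -> dict:
    """Tie reported names to indexed Dockerfiles; anything else becomes an orphan."""
    linked, orphans, root = {}, [], base.resolve()
    for name, errs in issues.items():
        if name == "-":  # hadolint read the Dockerfile from stdin, so no path was recorded
            orphans.append((name, "report produced from stdin; run hadolint on the file path"))
            continue
        path = Path(name)
        try:
            key = (path if path.is_absolute() else root / path).resolve().relative_to(root).as_posix()
        except ValueError:
            orphans.append((name, "outside the scanner base directory"))
            continue
        if key in dockerfiles:
            linked[key] = errs
        else:
            orphans.append((name, "not matched by sonar.lang.patterns.dockerfile"))
    return {"linked": linked, "orphans": orphans}

def preflight(base: Path, patterns: str, report_paths: str) -> dict:
    """Run all checks and return one summary dict."""
    dockerfiles = expand_patterns(base, patterns)
    result = {"dockerfiles": dockerfiles, "reports": [], "linked": {}, "orphans": [],
              "foreign": [f for f in dockerfiles if Path(f).suffix.lower() in FOREIGN_SUFFIXES]}
    for rep in find_reports(base, report_paths):
        result["reports"].append(str(rep))
        assoc = associate(base, dockerfiles, parse_checkstyle(rep))
        result["linked"].update(assoc["linked"])
        result["orphans"].extend(assoc["orphans"])
    return result

# Constructed sample report: one entry with a real path, one produced via stdin ('-').
SAMPLE_REPORT = """<?xml version='1.0' encoding='UTF-8'?><checkstyle version='4.3'>
<file name='services/api/Dockerfile'><error line='2' column='1' severity='error'
 message='Use COPY instead of ADD for files and folders' source='DL3020'/></file>
<file name='&#45;'><error line='12' column='1' severity='warning'
 message='COPY to a relative destination without WORKDIR set.' source='DL3045'/></file>
</checkstyle>"""

def build_demo_project() -> Path:
    """Constructed project tree (sample data): two Dockerfiles, a Java file, one report."""
    base = Path(tempfile.mkdtemp(prefix="hadolint-preflight-"))
    (base / "services" / "api").mkdir(parents=True)
    (base / "services" / "api" / "Dockerfile").write_text("FROM alpine:3.18\nADD . /app\n")
    (base / "services" / "api" / "Main.java").write_text("class Main {}\n")
    (base / "services" / "api" / "hadolint-report.xml").write_text(SAMPLE_REPORT)
    (base / "Dockerfile").write_text("FROM alpine:3.18\n")
    return base

def run_demo() -> dict:
    """Same inputs as the README example: **/Dockerfile and **/hadolint-report.xml."""
    return preflight(build_demo_project(), "**/Dockerfile", "**/hadolint-report.xml")
```

In a pipeline, call preflight(Path("."), patterns, report_paths) with exactly the values you pass to the scanner and fail the job when result["orphans"] or result["foreign"] is non-empty: the first means the report cannot be linked to any indexed Dockerfile, the second means the patterns also catch files of another language.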

Compatibility Matrix

plugin version | hadolint version | supported SonarQube version
1.0.0          | 1.18.x           | 7.9 -> 8.4
1.1.0          | 2.6.1            | 8.9.x

Building the plugin

If you want to build the plugin:

  • download the project code from GitHub
  • open a terminal at the project's root
  • run the following Maven command: mvn clean package
  • the plugin JAR file will then be available inside the target/ directory

How to contribute

If you experience a problem with the plugin, please open an issue. In this issue, please explain how to reproduce the problem and paste the log.

If you want to open a PR, please state the reason for the pull request inside it. If the pull request fixes an issue, please reference the issue number or explain inside the PR how to reproduce the problem.

All details are available in CONTRIBUTING.

Feedback and Support

Bugs and Feature requests: https://github.com/cnescatlab/sonar-hadolint-plugin/issues

License

Licensed under the GNU General Public License, Version 3.0

sonar-hadolint-plugin's People

Contributors: erwangauduchon, louisjdmartin, sancretor


sonar-hadolint-plugin's Issues

Installation (building) instructions

Hi @Sancretor ,

Since there are no jar releases for this package (as of right now), the following instruction is quite unclear:

Install sonar-hadolint-plugin-*.jar in <SONARQUBE_HOME>/extensions/plugins/.

and requires manual building of the jar.

Maybe provide some instructions for this?
Not all sonarqube maintainers may be smart enough to know how to build a maven project.

Kind regards,

J.

How to make PR decoration work/appear for the issues found on Dockerfiles?

Describe what you need to know

How do I achieve PR decoration related to issues found on Dockerfiles using this plugin and Developer Edition of Sonarqube?
This does not seem to be working following the instructions. Perhaps there's an additional step/configuration.
I see the Dockerfiles that hadolint inspected are decorated in Sonarqube itself. But the issues found were not found as part of the PR analysis and thus the PR decoration wasn't present.

Screenshots & log

User environment

Please complete the following information.

  • OS: Linux, Docker environment
  • SonarQube version: 8.8
  • Java version: 11
  • Hadolint version: 2.26
  • Plugin version: 1.0.0

Additional context

Absolute report path for sonar.hadolint.reports.path

Describe what you need to know

I use this plugin in an Azure DevOps pipeline. Before I run SQ I import the hadolint.xml report as a pipeline artifact.

Structure:
Base directory (build.sourcesdirectory) is /home/vsts/work/1/s

/home/vsts/work/1/s
total 16
-rw-r--r-- 1 vsts docker   59 Aug 24 14:43 Dockerfile
-rw-r--r-- 1 vsts docker  985 Aug 24 14:43 README.md
-rw-r--r-- 1 vsts docker 2873 Aug 24 14:43 azure-pipelines.yml
-rw-r--r-- 1 vsts docker  379 Aug 24 14:43 sonar-project.properties

Artifact is by default imported in: /home/vsts/work/1

/home/vsts/work/1
total 20
drwxr-xr-x 2 vsts docker 4096 Aug 24 14:43 a
drwxr-xr-x 2 vsts docker 4096 Aug 24 14:43 b
drwxr-xr-x 2 vsts docker 4096 Aug 24 14:43 hadolint_results
drwxr-xr-x 3 vsts docker 4096 Aug 24 14:43 s

For sonar.hadolint.reports.path I specified the absolute path /home/vsts/work/1/hadolint_results/hadolint.xml. However, this doesn't work; it only accepts ../hadolint_results/hadolint.xml

For other plugins report paths I specify the absolute path without an issue. Is this working as intended?

User environment

  • SonarQube version 8.9.0.43852
  • Hadolint version: v2.6.1

Warning in SonarQube logs

Describe the bug

When deployed inside SonarQube, some warnings show up regarding the plugin:

2020.07.30 15:14:35 INFO  web[][o.s.s.q.BuiltInQProfileRepositoryImpl] Load quality profiles
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.thoughtworks.xstream.core.util.Fields (file:/opt/sonarqube/data/web/deploy/plugins/hadolint/META-INF/lib/xstream-1.4.11.1.jar) to field java.lang.reflect.Proxy.h
WARNING: Please consider reporting this to the maintainers of com.thoughtworks.xstream.core.util.Fields
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Security framework of XStream not initialized, XStream is probably vulnerable.

To reproduce

  1. Deploy plugin in your SonarQube server
  2. Start/Restart the SonarQube server
  3. Look at the logs during startup

Expected behavior

No warnings should be generated by the plugin.

Screenshots & log

None.

User environment

  • OS: Debian 10
  • SonarQube version: 7.9.3
  • Java version: 1.11
  • Hadolint version: 1.18.0
  • Plugin version: dev

Additional context

None.

Support OCI Containerfile spec

Intro

For some developers, Containerfile is just an alternative name for Dockerfile.
For some others, Containerfile and Dockerfile are used in order to explicitly inform the format (oci vs docker) of the container.

And there are projects (including some of mine) using Containerfile names. However this plugin doesn't detect the files due to the naming difference.

Differences between OCI and Docker

For the sake of brevity, I won't go fully deep into the topic as this is not the place for discussing it. But there are actually some differences between OCI and Docker specifications, but Docker specification is essentially an extension of OCI specification.

  • docker format allows HEALTHCHECK and SHELL instructions while oci doesn't
  • Docker only builds docker format containers
  • Podman and Buildah build oci and docker containers
  • Docker is happy to run oci containers as well

Hadolint

Hadolint is able to lint both formats without any problem.

$ hadolint path/to/Containerfile # Works like a charm

Feature request

My request is about detecting Containerfile as an alternative name to Dockerfile and linting them just like it would with Dockerfiles. As Hadolint does that out-of-the-box, this should not require any change to Hadolint.

Extra info

Containerfile spec: https://www.mankier.com/5/Containerfile
Buildah on Containerfile vs Dockerfile and preferring Containerfile: containers/buildah#3170

The keyword AS is not highlighted

Describe the bug

The keyword AS is not recognized as a Dockerfile keyword in the highlighting.

To reproduce

  1. Analyze a project containing a Dockerfile with hadolint
  2. Analyze this project using the sonar-hadolint-plugin
  3. Open the "Code" tab to see the Dockerfile content
  4. The keyword AS is not colored in blue like other keywords

Expected behavior

The keyword AS should be highlighted like other Dockerfile keywords.

Dockerfiles are not linked to the Dockerfile language in SonarQube

Describe the bug

When you run an analysis with SonarScanner, the Dockerfiles in the project can be seen in the "code" menu on SonarQube, but they are linked to the "Unknown" language instead of the Dockerfile one.
This is due to Dockerfile not having standardized file extension, and SonarQube only working with file extension to identify files.

To reproduce

  1. Have a project with a Dockerfile
  2. Configure the analysis as described on the README
  3. Analyze your project with SonarScanner or else
  4. Go to SonarQube web interface, into your project "code" page

Expected behavior

SonarQube should identify the Dockerfiles as being linked to the Dockerfile language.

Screenshots & log

None.

User environment

  • OS: Debian 10
  • SonarQube version: 7.9.3
  • Java version: 1.11
  • Hadolint version: 1.18.0
  • Plugin version: dev

Additional context

None.

No report found - See log excerpt.

Before posting a new question, please read the documentation (https://github.com/lequal/sonar-hadolint-plugin) and check existing issues

Describe what you need to know

A clear and concise description of what your question is.
No report found - See log excerpt.

Screenshots & log

If applicable, add screenshots to help explain your problem. Then, append SonarQube or Hadolint logs and do not forget to obfuscate them.

User environment

Please complete the following information.

  • OS: [e.g. Windows 10] Linux
  • SonarQube version [e.g. 7.9.3] 8.9.7
  • Java version: [e.g. 1.11] 11
  • Hadolint version: [e.g. 1.18.0] 2.10.0
  • Plugin version: [e.g. 1.0.0] 1.1.0

Additional context

Add any other context about the problem here.

Hadolint Run:

--> hadolint  --no-color --format checkstyle /home/jenkins/agent/workspace/us-dgames-dev_cs-nodejs-eks_main/Dockerfile  >hadolint-report.xml|| true
 + set +x
 + set +x
 + cat /home/jenkins/agent/workspace/us-dgames-dev_cs-nodejs-eks_main/hadolint-report.xml
 <?xml version='1.0' encoding='UTF-8'?><checkstyle version='4.3'><file name='/home/jenkins/agent/workspace/us&#45;dgames&#45;dev&#95;cs&#45;nodejs&#45;eks&#95;main/Dockerfile' ><error line='5' column='1' severity='error' message='Use COPY instead of ADD for files and folders' source='DL3020' /><error line='7' column='1' severity='warning' message='Do not use apt as it is meant to be a end&#45;user tool&#44; use apt&#45;get or apt&#45;cache instead' source='DL3027' /><error line='15' column='1' severity='warning' message='&#96;COPY&#96; to a relative destination without &#96;WORKDIR&#96; set.' source='DL3045' /><error line='16' column='1' severity='warning' message='&#96;COPY&#96; to a relative destination without &#96;WORKDIR&#96; set.' source='DL3045' /><error line='17' column='1' severity='warning' message='&#96;COPY&#96; to a relative destination without &#96;WORKDIR&#96; set.' source='DL3045' /><error line='18' column='1' severity='warning' message='&#96;COPY&#96; to a relative destination without &#96;WORKDIR&#96; set.' source='DL3045' /><error line='19' column='1' severity='warning' message='&#96;COPY&#96; to a relative destination without &#96;WORKDIR&#96; set.' source='DL3045' /></file></checkstyle>

Sonar args:

/home/jenkins/agent/tools/hudson.plugins.sonar.SonarRunnerInstallation/sonarscanner-4/bin/sonar-scanner -Dsonar.projectKey=cs-nodejs-eks -Dsonar.projectName=cs-nodejs-rest-api -Dsonar.sources=. -Dsonar.sourceEncoding=UTF-8 -Dsonar.analysis.mode=publish -Dsonar.projectVersion=1.0.310 -Dsonar.links.ci=https://***/jenkins/ '-Dsonar.exclusions=node_modules/**,bower_components/**,**/bower_components/**,docker-compose*.yml,src/reports/**' -Dsonar.verbose=true -Dsonar.log.level=trace -Dsonar.lang.patterns.dockerfile=Dockerfile -Dsonar.hadolint.reports.path=hadolint-report.xml -Dsonar.externalIssuesReportPaths=/home/jenkins/agent/workspace/us-dgames-dev_cs-nodejs-eks_main/src/reports/sonarqube-trivy-report-fs.json,/home/jenkins/agent/workspace/us-dgames-dev_cs-nodejs-eks_main/src/reports/sonarqube-trivy-report-config.json,/home/jenkins/agent/workspace/us-dgames-dev_cs-nodejs-eks_main/src/reports/sonarqube-trivy-report-image.json -Dsonar.issuesReport.json.enable=true -Dsonar.scm.disabled=true
 INFO: Scanner configuration file: /home/jenkins/agent/tools/hudson.plugins.sonar.SonarRunnerInstallation/sonarscanner-4/conf/sonar-scanner.properties

Sonar output:

 16:50:32.194 INFO: Sensor fr.cnes.sonar.plugins.hadolint.check.HadolintSensor [hadolint]
 16:50:32.194 WARN: Access to the multi-values/property set property 'sonar.hadolint.reports.path' should be made using 'getStringArray' method. The SonarQube plugin using this property should be updated.
 16:50:32.201 WARN: No report was found using pattern hadolint-report.xml
 16:50:32.201 INFO: Sensor fr.cnes.sonar.plugins.hadolint.check.HadolintSensor [hadolint] (done) | time=7ms
 16:50:32.201 INFO: Sensor fr.cnes.sonar.plugins.hadolint.check.MetricSensor [hadolint]
 16:50:32.202 DEBUG: 'Dockerfile' generated metadata with charset 'UTF-8'
 16:50:32.220 INFO: Sensor fr.cnes.sonar.plugins.hadolint.check.MetricSensor [hadolint] (done) | time=18ms

No association between the found issues and the Dockerfiles

Hello,

In the first step, I run Hadolint:
docker run --rm -i -e HADOLINT_FORMAT='checkstyle' hadolint/hadolint < Dockerfile.txt > hadolint_report.xml

This creates an output files containing 2 detected issues:

<?xml version='1.0' encoding='UTF-8'?>
<checkstyle version='4.3'>
	<file name='&#45;'>
		<error line='12' column='1' severity='warning' message='&#96;COPY&#96; to a relative destination without &#96;WORKDIR&#96; set.' source='DL3045'/>
		<error line='24' column='1' severity='error' message='Use COPY instead of ADD for files and folders' source='DL3020'/>
	</file>
</checkstyle>

In the second step, I run sonarscanner:
sonarscanner -Dsonar.host.url=http://localhost:9000 -Dsonar.login=XXX -Dsonar.password=YYY -Dsonar.projectKey=ZZZ -Dsonar.lang.patterns.dockerfile=Dockerfile.txt -Dsonar.hadolint.reports.path=hadolint_report.xml

My trouble is: in SonarQube, I cannot see any issue displayed. Actually, this is no wonder: the association between the found issues (in file hadolint_report.xml) and the source file (Dockerfile.txt) is not set anywhere. The sonarscanner step above displays:

ERROR: The source file '-' mentionned in Hadolint report was not found

Can you please help? Many thanks in advance,

Yves

hadolint/hadolint:latest (digest=174f005a1fed)
sonar-scanner-4.6.1.2450-windows
SonarQube 9.3

Update Hadolint & Shellcheck rules

Is your feature request related to a problem? Please describe.

Since last release, Hadolint & ShellCheck may have evolved with new rules which are not included inside the plugin.

Describe the solution you'd like

Update the plugin rules to match the last available version of Hadolint & Shellcheck.

Add a default value for the dockerfiles list property

Is your feature request related to a problem? Please describe.

If you use the sonar hadolint plugin without setting the sonar.lang.patterns.dockerfile property, nothing will be analysed as the property is needed. Projects might want to set a default value for this property to avoid setting it every time.

Describe the solution you'd like

Add this property as a proper plugin property, and define a default value, so that it could be used or redefined inside the UI.

Add all Hadolint rules

Is your feature request related to a problem? Please describe.

The plugin only implements one hadolint rule, and we need all of them to be integrated.

Describe the solution you'd like

Add all the remaining rules inside the XML file that describes them.

Describe alternatives you've considered

No alternatives.

Additional context

Only one rule was implemented for testing purposes during the first development phase. Now that the plugin is working, we should add them all.

Highlighting does not work properly for multiline strings

Describe the bug

The Strings highlighting is only working if the string begins and ends on the same line.

To reproduce

  1. Have a Dockerfile with a string (with quotes ") that starts in one line, and end in the next one.
  2. Analyze your project with SonarScanner or else
  3. On SonarQube web interface, go to your project "code" menu
  4. Open your Dockerfile in this interface, and you'll see that in the second line, the highlighting is inverted

Expected behavior

Strings should be correctly highlighted whether they are written on multiple line or not.

Screenshots & log

None.

User environment

Please complete the following information.

  • OS: Debian 10
  • SonarQube version: 7.9.3
  • Java version: 1.11
  • Hadolint version: 1.18.0
  • Plugin version: dev

Additional context

None.

Does not work with maven multimodule project

I am not able to publish results of Docker lint along with regular results for maven multimodule project. Sonar only publishes scan results for java modules and not the lint results for dockerfiles kept as docker/Dockerfile.*

I am trying the following, which does not work:
mvn sonar:sonar -Dsonar.host.url=http://localhost:4950/ -Dsonar.lang.patterns.dockerfile=docker/Dockerfile.jdk11 -Dsonar.hadolint.reports.path=./hadolint/hadoscan_test-jdk11.xml

Sonar scanner not detecting/scanning hadolint report for Dockerfiles

Describe what you need to know

I have installed the Sonarqube Hadolint plugin using the Marketplace in Sonarqube UI web interface.
I have a Bitbucket repository with many Dockerfiles scattered throughout in various directories. I run hadolint on each file and generate the hadolint-report.xml using hadolint -f checkstyle < Dockerfile > hadolint-report.xml and this file gets written in the same directory where the Dockerfile resides.
Then I run sonar-scanner using the Sonarqube Docker container in my repository with the following sonar-project.properties:
sonar.lang.patterns.dockerfile=Dockerfile
sonar.hadolint.reports.path=hadolint-report.xml

The sonar-scanner does the scans and uploads the data to my sonarqube instance but nothing from hadolint appears nor do I see output during the sonar-scanner run that indicates it detects any hadolint-report.xml files or Dockerfiles.

User environment

  • OS: Mac OSX and Linux
  • SonarQube version: 8.8.0
  • Java version: 11
  • Hadolint version: 2.6
  • Plugin version: 1.0.0

Update pom lib versions and SonarQube API

Is your feature request related to a problem? Please describe.

SonarQube 8.9 is out, so it's time to refresh our dependencies a bit.

Describe the solution you'd like

Update the SonarQube API version we use, as well as all other dependencies.
