I am trying to use SonarQube to scan a vulnerable Angular web app called "Juice Shop". I do the npm install and npm build steps, but at the "SonarQube - run Code analysis" step, I got an error: "##[error]ERROR: Unable to parse xml file: D:\a\1\s\frontend\node_modules\sax\examples\big-not-pretty.xml".
I believe the big-not-pretty.xml file in NPM's sax library may not have correct XML syntax, which is causing the scanning issue. I could have SonarQube ignore .xml files, but it would be good if we didn't have to do that.
Any suggestion/information is appreciated!
Juice shop app source code:
https://github.com/bkimminich/juice-shop
SonarQube server: 7.1
SonarQube Scanner: 3.2.0.1227
SonarXML: 1.5 (build 1373)
Error log:
019-01-28T18:25:49.3830634Z INFO: Quality profile for xml: Sonar way
2019-01-28T18:25:50.7182282Z INFO: Sensor C# Properties [csharp]
2019-01-28T18:25:50.7248062Z ##[error]WARN: Property missing: ‘sonar.cs.analyzer.projectOutPaths’. No protobuf files will be loaded for this project.
2019-01-28T18:25:50.7260636Z
2019-01-28T18:25:50.7260943Z ##[error]WARN: No roslyn issues report not found for this project.
2019-01-28T18:25:50.7261449Z
2019-01-28T18:25:50.7261608Z INFO: Sensor C# Properties [csharp] (done) | time=0ms
2019-01-28T18:25:50.7261785Z INFO: Sensor Python Squid Sensor [python]
2019-01-28T18:26:00.8794049Z INFO: Sensor Python Squid Sensor [python] (done) | time=10188ms
2019-01-28T18:26:00.8794949Z INFO: Sensor PythonXUnitSensor [python]
2019-01-28T18:26:01.8716357Z INFO: Sensor PythonXUnitSensor [python] (done) | time=987ms
2019-01-28T18:26:01.8944803Z INFO: Sensor SonarJavaXmlFileSensor [java]
2019-01-28T18:26:02.0836673Z INFO: 26 source files to be analyzed
2019-01-28T18:26:03.3512254Z
##[error]ERROR: Unable to parse xml file: D:\a\1\s\frontend\node_modules\sax\examples\big-not-pretty.xml
2019-01-28T18:26:03.3513548Z
2019-01-28T18:26:03.3513937Z
##[error]ERROR: Unable to parse xml file: D:\a\1\s\frontend\node_modules\sax\examples\not-pretty.xml
2019-01-28T18:26:03.3514980Z
2019-01-28T18:26:03.3988455Z
##[error]ERROR: Unable to parse xml file: D:\a\1\s\frontend\node_modules\sax\examples\test.xml
2019-01-28T18:26:03.3989863Z
2019-01-28T18:26:03.4510636Z
##[error]ERROR: Unable to parse xml file: D:\a\1\s\node_modules\libxmljs\test\fixtures\errors\comment.xml
2019-01-28T18:26:03.4511782Z
2019-01-28T18:26:04.0478502Z
##[error]ERROR: Unable to parse xml file: D:\a\1\s\node_modules\libxmljs\test\fixtures\sax_parser.xml
2019-01-28T18:26:04.0490774Z ERROR: Unable to parse xml file: D:\a\1\s\node_modules\libxmljs\test\fixtures\sax_parser.xml
2019-01-28T18:26:04.0496363Z ##[error]ERROR: Unable to parse xml file: D:\a\1\s\test\files\xxeBillionLaughs.xml
2019-01-28T18:26:04.0500529Z ERROR: Unable to parse xml file: D:\a\1\s\test\files\xxeBillionLaughs.xml
2019-01-28T18:26:04.0502666Z INFO: Sensor SonarJavaXmlFileSensor [java] (done) | time=2028ms
2019-01-28T18:26:04.0503190Z INFO: Sensor XML Sensor [xml]
2019-01-28T18:26:04.0503472Z INFO: 26/26 source files have been analyzed
2019-01-28T18:26:04.8751860Z ##[error]WARN: Unable to parse file D:/a/1/s/frontend/node_modules/sax/examples/big-not-pretty.xml
2019-01-28T18:26:04.8752550Z
2019-01-28T18:26:04.8752717Z ##[error]WARN: Cause: org.xml.sax.SAXParseException; lineNumber: 7; columnNumber: 19; The element type "slurm" must be terminated by the matching end-tag "</slurm>".
2019-01-28T18:26:04.8753037Z
2019-01-28T18:26:04.8753181Z ##[error]WARN: Unable to parse file D:/a/1/s/frontend/node_modules/sax/examples/not-pretty.xml
2019-01-28T18:26:04.8753503Z
2019-01-28T18:26:04.8753658Z ##[error]WARN: Cause: org.xml.sax.SAXParseException; lineNumber: 6; columnNumber: 19; The element type "slurm" must be terminated by the matching end-tag "</slurm>".
2019-01-28T18:26:04.8754006Z
2019-01-28T18:26:05.0403789Z ##[error]WARN: Unable to parse file D:/a/1/s/frontend/node_modules/sax/examples/test.xml
2019-01-28T18:26:05.0902937Z
2019-01-28T18:26:05.0903184Z ##[error]WARN: Cause: org.xml.sax.SAXParseException; lineNumber: 10; columnNumber: 30; The string "--" is not permitted within comments.
2019-01-28T18:26:05.0903603Z
2019-01-28T18:26:05.1854190Z ##[error]WARN: Unable to parse file D:/a/1/s/node_modules/libxmljs/test/fixtures/errors/comment.xml
2019-01-28T18:26:05.1856149Z
2019-01-28T18:26:05.1856460Z ##[error]WARN: Cause: org.xml.sax.SAXParseException; lineNumber: 5; columnNumber: 10; An invalid XML character (Unicode: 0xe) was found in the comment.
2019-01-28T18:26:05.1857058Z
2019-01-28T18:26:05.3726787Z ##[error]WARN: Unable to parse file D:/a/1/s/node_modules/libxmljs/test/fixtures/sax_parser.xml
2019-01-28T18:26:05.3728908Z
2019-01-28T18:26:05.3729342Z ##[error]WARN: Cause: org.xml.sax.SAXParseException; lineNumber: 15; columnNumber: 1; XML document structures must start and end within the same entity.
2019-01-28T18:26:05.3731402Z
2019-01-28T18:36:12.1323273Z ##[error]WARN: [JOURNAL_FLUSHER] WARNING Journal flush operation took 3,896ms last 8 cycles average is 487ms
2019-01-28T18:36:12.1325091Z WARN: [JOURNAL_FLUSHER] WARNING Journal flush operation took 3,896ms last 8 cycles average is 487ms
2019-01-28T18:37:50.9737823Z ##[error]WARN: [JOURNAL_FLUSHER] WARNING Journal flush operation took 6,486ms last 8 cycles average is 1,297ms
2019-01-28T18:37:50.9740703Z
At a minimum, please consider upgrading SonarXML. The current version is 2.0.1. (You might also consider upgrading SonarQube itself. Its current version is 7.6.) If your problem persists after upgrade, please come back with fresh error details.
Your parsing error comes from SonarJava (which also analyzes XML); you should upgrade both SonarJava and SonarXML. Also, these parsing errors are not failing the analysis as far as I understand, so this is not a blocker problem for you.
P.S. If after upgrade these files are still not parsed, run analysis with debug option (-X) to see full logs.
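A way to triage a scanner log like the one in the question, as an added example that is not part of the original thread: it attributes each unparsable XML file to the sensor that was running, attaches the SAX cause where the log gives one, and separates `node_modules` content from the project's own files. The function name `triage` and the output layout are assumptions of this example; the sample lines are copied from the log above.

```python
import re

# Sample input: a few lines taken from the log in the question (trimmed).
SAMPLE_LOG = r"""
2019-01-28T18:26:01.8944803Z INFO: Sensor SonarJavaXmlFileSensor [java]
2019-01-28T18:26:03.4510636Z
##[error]ERROR: Unable to parse xml file: D:\a\1\s\node_modules\libxmljs\test\fixtures\errors\comment.xml
2019-01-28T18:26:04.0496363Z ##[error]ERROR: Unable to parse xml file: D:\a\1\s\test\files\xxeBillionLaughs.xml
2019-01-28T18:26:04.0500529Z ERROR: Unable to parse xml file: D:\a\1\s\test\files\xxeBillionLaughs.xml
2019-01-28T18:26:04.0502666Z INFO: Sensor SonarJavaXmlFileSensor [java] (done) | time=2028ms
2019-01-28T18:26:04.0503190Z INFO: Sensor XML Sensor [xml]
2019-01-28T18:26:05.1854190Z ##[error]WARN: Unable to parse file D:/a/1/s/node_modules/libxmljs/test/fixtures/errors/comment.xml
2019-01-28T18:26:05.1856149Z
2019-01-28T18:26:05.1856460Z ##[error]WARN: Cause: org.xml.sax.SAXParseException; lineNumber: 5; columnNumber: 10; An invalid XML character (Unicode: 0xe) was found in the comment.
"""

# Optional pipeline timestamp and "##[error]" marker in front of the scanner line.
PREFIX = re.compile(r"^(?:\d{4}-\d\d-\d\dT[\d:.]+Z)?\s*(?:##\[error\])?")
SENSOR = re.compile(r"^INFO: Sensor (.+?) \[\w+\]$")  # start line only, not "(done)"
FAILED = re.compile(r"^(?:ERROR|WARN): Unable to parse (?:xml )?file:? (.+\.xml)$")
CAUSE = re.compile(r"^WARN: Cause: \S+ lineNumber: (\d+); columnNumber: (\d+); (.+)$")


def triage(log_text):
    """Map each unparsable XML file to the sensors that rejected it and the cause."""
    failures, sensor, last = {}, None, None
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw, count=1).strip()
        if m := SENSOR.match(line):
            sensor = m.group(1)
        elif m := FAILED.match(line):
            # Both path styles appear in the log; normalise so duplicates collapse.
            last = m.group(1).replace("\\", "/")
            entry = failures.setdefault(last, {
                "sensors": set(), "cause": None,
                "third_party": "/node_modules/" in last})
            entry["sensors"].add(sensor)
        elif (m := CAUSE.match(line)) and last:
            failures[last]["cause"] = (int(m.group(1)), int(m.group(2)), m.group(3))
    return failures


if __name__ == "__main__":
    for path, info in triage(SAMPLE_LOG).items():
        origin = "third-party" if info["third_party"] else "project"
        print(origin, sorted(info["sensors"]), path, info["cause"])
```
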