plugin hangs when scanning scripts that contain a specific source expression
Closed this issue · 6 comments
Summary
Shellcheck plugin 2.4.0 hangs when scanning files that contain:
source /dev/stdin <<<"$(curl -s <apiBasePath>/this/is/a/shell/script)"
this alternative works:
source <(curl -s "<apiBasePath>/this/is/a/shell/script")
Reproduce
Tested
- SonarQube: 9.0.1.46107 (via Docker image, instructions below)
- SonarQube: 8.9.2 (build 46101) Enterprise.
- Sonar scanner: 4.6.2.2472 (via Docker image, instructions below)
- Docker: 3.5.2 (66501) on MacOS 11.5.2
- Docker: 18.06.1-ce on Ubuntu 18.04.4 LTS (TravisCI worker)
Steps
echo 'source /dev/stdin <<<"$(curl -s <apiBasePath>/this/does/not/exist)"' > test.sh
curl --create-dirs -sLo extensions/plugins/sonar-shellcheck-plugin-2.4.0.jar https://github.com/sbaudoin/sonar-shellcheck/releases/download/v2.4.0/sonar-shellcheck-plugin-2.4.0.jar
docker run -d -v "$(pwd)/extensions:/opt/sonarqube/extensions" --rm --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest -Dsonar.forceAuthentication=false
sleep 120
docker run --network host --rm -v "$(pwd):/usr/src" sonarsource/sonar-scanner-cli -Dsonar.projectKey=test-shell-project -Dsonar.sourceEncoding="UTF-8" -X
# Ctrl-c will stop the scan and proceed to the next line
docker stop sonarqube
Logs
Hello,
Thanks for reporting this issue. Can you specify the version of ShellCheck you use, please? From the log you uploaded it seems that the issue relates to ShellCheck, not the plugin, so have you considered raising the issue on ShellCheck instead?
Hi, thank you! It's the plugin, version 2.4.0. My apologies, I'll update the description.
Why not but the last entry in the log file is:
17:29:25.125 DEBUG: Executing command: [shellcheck, -x, -f, json, /usr/src/test.sh]
If the command had completed there should be another log entry Output from shellcheck:
followed by the output from the command. As this is not the case, my guess is that the shellcheck
command does not terminate. So my suspect is ShellCheck (thus my suggestion to raise the issue on ShellCheck side instead), possibly having difficulties handling your script /usr/src/test.sh
.
sure, that's reasonable. Thank you.
Before going to ShellCheck, you should execute shellcheck -x -f json /usr/src/test.sh
manually and see what happens: if ti hangs you may raise the issue on ShellCheck side, but if it does not, the issue is mine but I'll ask for some more information.
Yep, I ran it locally before closing. It appears that shellcheck is attempting to source /dev/stdin
and hanging (-x allows non-FILE sources).
This passes, confirming the suspicion:
echo . | shellcheck -x test.sh
Thanks again.