How can we get SAST point using sonarcloud ?

[sbernard31]

I activated sonarcloud on my project.

And I still get 0 point concerning SAST score.

Currently, I have only 1 PR merged which was analyze by sonar.
And I read at documentation :

SonarCloud in the recent (~30) merged PRs

So maybe :

1. I have no point because I haven't enough PR.
2. but also I didn't setup sonarcloud in the expected way by scorecard.

Could you give me some hint about that ?
Maybe 1 PR should give me at least 1 point so I see that something changed ?

[spencerschrock]

It may just be a matter of Sonar changing their GitHub app slug (ID).

If I make this change, I see it score your most recent 3 PRs:

diff --git a/checks/raw/sast.go b/checks/raw/sast.go
index 0d654c2c..20d70389 100644
--- a/checks/raw/sast.go
+++ b/checks/raw/sast.go
@@ -42,6 +42,7 @@ var sastTools = map[string]bool{
        "github-code-scanning":     true,
        "lgtm-com":                 true,
        "sonarcloud":               true,
+       "sonarqubecloud":           true,
 }

      "details": [
       "Debug: tool detected: sonarqubecloud",
       "Debug: tool detected: sonarqubecloud",
       "Debug: tool detected: sonarqubecloud",
       "Warn: 3 commits out of 23 are checked with a SAST tool"
     ],
     "score": 1,
     "reason": "SAST tool is not run on all commits -- score normalized to 1",
     "name": "SAST",

[spencerschrock]

Submitted the change for review at #4541

It will unfortunately take a while to trickle to our GitHub action, as our normal release cadence will take a while.

[sbernard31]

I see : "SAST tool is not run on all commits -- score normalized to 1"

But I think that sonarcloud way is to check each PR, not all commits of each PR.
And I think this is a pretty good practice to separate PR in several understandable commit. (or at least it is not so bad 🤔)

[spencerschrock]

But I think that sonarcloud way is to check each PR, not all commits of each PR.

This is compatible with what scorecard is doing: checking that the last commit (pr.HeadSHA) of each PR was analyzed. (and should work whether you squash or not when merging). Scorecard checks what PR each commit came from, so the multiple commits from each PR get mapped back to the same PR, and they all check that the same last commit was analyzed.

scorecard/checks/raw/sast.go

Lines 104 to 113 in cb565cd

	for i := range commits {
	pr := commits[i].AssociatedMergeRequest
	// TODO(#575): We ignore associated PRs if Scorecard is being run on a fork
	// but the PR was created in the original repo.
	if pr.MergedAt.IsZero() {
	continue
	}
	checked := false
	crs, err := c.RepoClient.ListCheckRunsForRef(pr.HeadSHA)

The 20 commits it's detecting without SAST were either committed directly to master, or before you enabled Sonar Cloud

[sbernard31]

I understand now. Thx a lot for clarification and also for the fix 🙏!

It will unfortunately take a while to trickle to our GitHub action, as our normal release cadence will take a while.

No problem, thx for letting me know that.
Just by curiosity, what means approximately "a while" ? (hours ? days ? weeks? month ? )

[spencerschrock]

On the order of month. While it may be merged this week or next, we're trying to target a 2 month release cadence.