SonarJS
Do not generate UCFGs for JavaScript code inside HTML
We are wrongly generating UCFGs for JavaScript code embedded inside HTML files. This is due to the fact that the analysis of JavaScript code inside HTML is reusing the same logic as the analysis of JavaScript code inside YAML. Since we haven't yet implemented support for analyzing injection vulnerabilities in JavaScript code inside HTML, we are needlessly generating UCFGs, which not only waste resources on the security analyzer but also fill the JavaScript analyzer's cache for nothing.
Incidentally, these useless generated UCFGs for JS inside HTML cause failures when reading back these UCFGs from the analyzer's cache. The root cause of these failures is a separate issue to be investigated further.
https://community.sonarsource.com/t/getting-error-failure-when-reading-cache-entry-with-github-actions-but-scan-completes-as-success/95769/3
What is the status of this ticket? Is there any workaround? We are running into this issue in every PR in Azure Pipelines.
Hey @facusantillo,
For now, the only workaround would be to exclude HTML files from analysis. We are not comfortable tackling this ticket yet because we still don't understand the root cause of the problem. Implementing the fix described in this issue would be sweeping the dust under the rug, or in other words, just hiding the actual issue. Currently, we are not able to reproduce the problem. We need a reproducer from users [1][2] to help us investigate, but we have received none so far.
We welcome any feedback to help us in that regard on Sonar Community!
- [1] https://community.sonarsource.com/t/getting-error-failure-when-reading-cache-entry-with-github-actions-but-scan-completes-as-success/95769/8
- [2] https://community.sonarsource.com/t/error-failure-when-reading-cache-entry-java-io-ioexception-the-cache-stream-is-too-big/91823/7