SonarCloud Code Coverage always showing as zero


I can't figure out why my coverage report says 0% on SonarCloud. Here is all the information I have:

phpunit.xml

    <coverage>
        <report>
            <clover outputFile="./coverage.xml"/>
        </report>
    </coverage>

SonarScanner Context:

SonarCloud plugins:
  - JaCoCo 1.3.0.1538 (jacoco)
  - License for SonarLint 8.0.0.56801 (license)
  - IaC Code Quality and Security 1.36.0.12431 (iac)
  - Text Code Quality and Security 2.15.0.3845 (text)
  - XML Code Quality and Security 2.10.0.4108 (xml)
Project server settings:
  - sonar.abap.file.suffixes=.abap,.ab4,.flow,.asprog
  - sonar.apex.file.suffixes=.cls,.trigger
  - sonar.autoscan.enabled=false
  - sonar.azureresourcemanager.file.suffixes=.bicep
  - sonar.c.file.suffixes=.c,.h
  - sonar.coverage.exclusions=**/vendor/**,**/tests/**,**/config/**,**/lang/**,**/resources/**,**/vendor/**,**/*.xml
  - sonar.cpd.exclusions=**/Seeders/**,**/tests/**,**/config/**,**/lang/**,**/resources/**,**/vendor/**,**/*.xml,**/stubs/**,**/storage/**,**/resources/**,**/public/**,**/database/**
  - sonar.cpp.file.suffixes=.cc,.cpp,.cxx,.c++,.hh,.hpp,.hxx,.h++,.ipp,.ixx,.mxx,.cppm,.ccm,.cxxm,.c++m
  - sonar.cs.file.suffixes=.cs,.razor
  - sonar.css.file.suffixes=.css,.less,.scss,.sass
  - sonar.dart.file.suffixes=.dart
  - sonar.docker.file.patterns=Dockerfile,*.dockerfile
  - sonar.exclusions=**/Seeders/**,**/tests/**,**/config/**,**/lang/**,**/resources/**,**/vendor/**,**/stubs/**,**/storage/**,**/resources/**,**/public/**,**/database/**,**/*.xml
  - sonar.flex.file.suffixes=as
  - sonar.go.file.suffixes=.go
  - sonar.html.file.suffixes=.html,.xhtml,.cshtml,.vbhtml,.aspx,.ascx,.rhtml,.erb,.shtm,.shtml,.cmp,.twig
  - sonar.ipynb.file.suffixes=ipynb
  - sonar.java.file.suffixes=.java,.jav
  - sonar.java.jvmframeworkconfig.file.patterns=**/src/main/resources/**/application*.properties,**/src/main/resources/**/application*.yaml,**/src/main/resources/**/application*.yml
  - sonar.javascript.file.suffixes=.js,.jsx,.cjs,.mjs,.vue
  - sonar.jcl.file.suffixes=.jcl
  - sonar.json.file.suffixes=.json
  - sonar.jsp.file.suffixes=.jsp,.jspf,.jspx
  - sonar.kotlin.file.suffixes=.kt,.kts
  - sonar.objc.file.suffixes=.m
  - sonar.php.coverage.reportPaths=coverage.xml
  - sonar.php.file.suffixes=php,php3,php4,phtml,inc,php5
  - sonar.pli.file.suffixes=.pli
  - sonar.plsql.file.suffixes=sql,tab,pkb
  - sonar.pullrequest.provider=BitbucketCloud
  - sonar.python.file.suffixes=py
  - sonar.rpg.file.suffixes=.rpg,.rpgle,.sqlrpgle,.RPG,.RPGLE,.SQLRPGLE
  - sonar.ruby.file.suffixes=.rb
  - sonar.scala.file.suffixes=.scala
  - sonar.scm.disabled=true
  - sonar.swift.file.suffixes=.swift
  - sonar.terraform.file.suffixes=.tf
  - sonar.tsql.file.suffixes=.tsql
  - sonar.typescript.file.suffixes=.ts,.tsx,.cts,.mts
  - sonar.vb.file.suffixes=.bas,.frm,.ctl
  - sonar.vbnet.file.suffixes=.vb
  - sonar.xml.file.suffixes=.xml,.xsd,.xsl,.config
  - sonar.yaml.file.suffixes=.yaml,.yml
Project scanner properties:
  - sonar.host.url=https://sonarcloud.io
  - sonar.organization=*********
  - sonar.projectBaseDir=/opt/atlassian/pipelines/agent/build/src
  - sonar.projectKey=*********
  - sonar.scanner.app=ScannerCLI
  - sonar.scanner.appVersion=5.0.1.3006
  - sonar.scanner.home=/opt/sonar-scanner
  - sonar.scanner.opts=-Xmx3072m
  - sonar.sourceEncoding=UTF-8
  - sonar.working.directory=/opt/atlassian/pipelines/agent/build/src/.scannerwork

If I remove **/*.xml the coverage.xml file will show up in the SonarCloud code view.

However, it analyzes the file and that impacts the quality gate. I have tried both ignoring and allowing .xml but it didn't make a difference.

BitBucket SonarCloud Analysis Log (as much of the log as I can include):

Status: Downloaded newer image for sonarsource/sonarcloud-scan:2.0.0
INFO: Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: NONE
INFO: SonarScanner 5.0.1.3006
INFO: Java 17.0.8 Amazon.com Inc. (64-bit)
INFO: Linux 5.15.0-1069-aws amd64
INFO: SONAR_SCANNER_OPTS=-Xmx3072m
INFO: Bitbucket Cloud Pipelines detected, no host variable set. Defaulting to sonarcloud.io.
INFO: User cache: /root/.sonar/cache
INFO: Analyzing on SonarQube server 11.3.0.200
INFO: Default locale: "en", source code encoding: "UTF-8"
INFO: Load global settings
INFO: Load global settings (done) | time=247ms
INFO: Server id: ****************************
INFO: Loading required plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=161ms
INFO: Load/download plugins
INFO: Load/download plugins (done) | time=419ms
INFO: Found an active CI vendor: 'Bitbucket Pipelines'
INFO: Detected project key '*************' from 'Bitbucket Cloud Pipelines'
INFO: Detected organization key '*************' from 'Bitbucket Cloud Pipelines'
INFO: Load project settings for component key: '*************'
INFO: Load project settings for component key: '*************' (done) | time=353ms
INFO: Process project properties
INFO: Project key: *************
INFO: Base dir: /opt/atlassian/pipelines/agent/build/src
INFO: Working dir: /opt/atlassian/pipelines/agent/build/src/.scannerwork
INFO: Load project branches
INFO: Load project branches (done) | time=367ms
INFO: Check ALM binding of project '*************'
INFO: Detected project binding: BOUND
INFO: Check ALM binding of project '*************' (done) | time=133ms
INFO: Load project pull requests
INFO: Load project pull requests (done) | time=424ms
INFO: Load branch configuration
INFO: Detected analysis for branch '*******'
INFO: Auto-configuring branch '*******'
INFO: Load branch configuration (done) | time=2ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=649ms
INFO: Load active rules
INFO: Load active rules (done) | time=12221ms
INFO: Organization key: *************
INFO: Branch name: '*******', type: long-lived
INFO: Preprocessing files...
INFO: 2 languages detected in 2912 preprocessed files
INFO: 16326 files ignored because of inclusion/exclusion patterns
INFO: Loading plugins for detected languages
INFO: Load/download plugins
INFO: Load/download plugins (done) | time=212ms
INFO: Load project repositories
INFO: Load project repositories (done) | time=1292ms
INFO: Indexing files...
INFO: Project configuration:
INFO:   Excluded sources: **/build-wrapper-dump.json, **/Seeders/**, **/tests/**, **/config/**, **/lang/**, **/resources/**, **/vendor/**, **/stubs/**, **/storage/**, **/resources/**, **/public/**, **/database/**, **/*.xml
INFO:   Excluded sources for coverage: **/vendor/**, **/tests/**, **/config/**, **/lang/**, **/resources/**, **/vendor/**, **/*.xml
INFO:   Excluded sources for duplication: **/Seeders/**, **/tests/**, **/config/**, **/lang/**, **/resources/**, **/vendor/**, **/*.xml, **/stubs/**, **/storage/**, **/resources/**, **/public/**, **/database/**
INFO: 2912 files indexed
INFO: Quality profile for json: Sonar way
INFO: Quality profile for php: SP quality php
INFO: ------------- Run sensors on module *************
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=140ms
INFO: Sensor cache enabled
INFO: Load sensor cache
INFO: Load sensor cache (6 MB) | time=2452ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=974ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: Sensor Analyzer for "php.ini" files [php]
INFO: Sensor Analyzer for "php.ini" files [php] (done) | time=10ms
INFO: Sensor PHPUnit report sensor [php]
INFO: No PHPUnit tests reports provided (see 'sonar.php.tests.reportPath' property)
INFO: Importing /opt/atlassian/pipelines/agent/build/src/coverage.xml
INFO: Sensor PHPUnit report sensor [php] (done) | time=495ms
INFO: Sensor IaC CloudFormation Sensor [iac]
INFO: 0 source files to be analyzed
INFO: 0/0 source files have been analyzed
INFO: Sensor IaC CloudFormation Sensor [iac] (done) | time=10ms
INFO: Sensor IaC AzureResourceManager Sensor [iac]
INFO: 0 source files to be analyzed
INFO: 0/0 source files have been analyzed
INFO: Sensor IaC AzureResourceManager Sensor [iac] (done) | time=59ms
INFO: Sensor Java Config Sensor [iac]
INFO: 0 source files to be analyzed
INFO: 0/0 source files have been analyzed
INFO: Sensor Java Config Sensor [iac] (done) | time=24ms
INFO: Sensor IaC Docker Sensor [iac]
INFO: 0 source files to be analyzed
INFO: 0/0 source files have been analyzed
INFO: Sensor IaC Docker Sensor [iac] (done) | time=39ms
INFO: Sensor Serverless configuration file sensor [security]
INFO: 0 Serverless function entries were found in the project
INFO: 0 Serverless function handlers were kept as entrypoints
INFO: Sensor Serverless configuration file sensor [security] (done) | time=5ms
INFO: Sensor AWS SAM template file sensor [security]
INFO: Sensor AWS SAM template file sensor [security] (done) | time=2ms
INFO: Sensor AWS SAM Inline template file sensor [security]
INFO: Sensor AWS SAM Inline template file sensor [security] (done) | time=2ms
INFO: Sensor TextAndSecretsSensor [text]
INFO: Available processors: 8
INFO: Using 8 threads for analysis.
INFO: The property "sonar.tests" is not set. To improve the analysis accuracy, we categorize a file as a test file if any of the following is true:
  * The filename starts with "test"
  * The filename contains "test." or "tests."
  * Any directory in the file path is named: "doc", "docs", "test" or "tests"
  * Any directory in the file path has a name ending in "test" or "tests"
INFO: Using git CLI to retrieve untracked files
WARN: Analyzing only language associated files, make sure to run the analysis inside a git repository to make use of inclusions specified via "sonar.text.inclusions"
INFO: 2901 source files to be analyzed
INFO: 2901/2901 source files have been analyzed
INFO: Sensor TextAndSecretsSensor [text] (done) | time=6157ms
INFO: Sensor JavaSecuritySensor [security]
INFO: Enabled taint analysis rules: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5147, S5334, S5496, S5883, S6096, S6173, S6287, S6350, S6384, S6390, S6398, S6399, S6547, S6549, S7044
INFO: Load type hierarchy and UCFGs: Starting
INFO: Load type hierarchy: Starting
INFO: Reading type hierarchy from: /opt/atlassian/pipelines/agent/build/src/.scannerwork/ucfg2/java
INFO: Read 0 type definitions
INFO: Load type hierarchy: Time spent was 00:00:00.002
INFO: Load UCFGs: Starting
INFO: Load UCFGs: Time spent was 00:00:00.000
INFO: Load type hierarchy and UCFGs: Time spent was 00:00:00.002
INFO: No UCFGs have been included for analysis.
INFO: java security sensor: Time spent was 00:00:00.019
INFO: java security sensor: Begin: 2024-09-28T12:23:03.194267165Z, End: 2024-09-28T12:23:03.213475016Z, Duration: 00:00:00.019
  Load type hierarchy and UCFGs: Begin: 2024-09-28T12:23:03.200692670Z, End: 2024-09-28T12:23:03.203622198Z, Duration: 00:00:00.002
    Load type hierarchy: Begin: 2024-09-28T12:23:03.200796478Z, End: 2024-09-28T12:23:03.203062748Z, Duration: 00:00:00.002
    Load UCFGs: Begin: 2024-09-28T12:23:03.203452160Z, End: 2024-09-28T12:23:03.203510736Z, Duration: 00:00:00.000
INFO: java security sensor peak memory: 347 MB
INFO: Sensor JavaSecuritySensor [security] (done) | time=24ms
INFO: Sensor CSharpSecuritySensor [security]
INFO: Enabled taint analysis rules: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5147, S5334, S5883, S6096, S6173, S6287, S6350, S6399, S6547, S6549, S6639, S6641, S6680, S6776, S7044
INFO: Load type hierarchy and UCFGs: Starting
INFO: Load type hierarchy: Starting
INFO: Reading type hierarchy from: /opt/atlassian/pipelines/agent/build/src/ucfg2/cs
INFO: Read 0 type definitions
INFO: Load type hierarchy: Time spent was 00:00:00.000
INFO: Load UCFGs: Starting
INFO: Load UCFGs: Time spent was 00:00:00.000
INFO: Load type hierarchy and UCFGs: Time spent was 00:00:00.001
INFO: No UCFGs have been included for analysis.
INFO: csharp security sensor: Time spent was 00:00:00.003
INFO: csharp security sensor: Begin: 2024-09-28T12:23:03.217346739Z, End: 2024-09-28T12:23:03.220356657Z, Duration: 00:00:00.003
  Load type hierarchy and UCFGs: Begin: 2024-09-28T12:23:03.217730145Z, End: 2024-09-28T12:23:03.219508029Z, Duration: 00:00:00.001
    Load type hierarchy: Begin: 2024-09-28T12:23:03.217805409Z, End: 2024-09-28T12:23:03.218666720Z, Duration: 00:00:00.000
    Load UCFGs: Begin: 2024-09-28T12:23:03.218849025Z, End: 2024-09-28T12:23:03.219233042Z, Duration: 00:00:00.000
INFO: csharp security sensor peak memory: 347 MB
INFO: Sensor CSharpSecuritySensor [security] (done) | time=3ms
INFO: Sensor PhpSecuritySensor [security]
INFO: Enabled taint analysis rules: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5334, S5335, S5883, S6173, S6287, S6350, S7044
INFO: Load type hierarchy and UCFGs: Starting
INFO: Load type hierarchy: Starting
INFO: Reading type hierarchy from: /opt/atlassian/pipelines/agent/build/src/.scannerwork/ucfg2/php
INFO: Read 3086 type definitions
INFO: Load type hierarchy: Time spent was 00:00:00.326
INFO: Load UCFGs: Starting
INFO: Reading UCFGs from: /opt/atlassian/pipelines/agent/build/src/.scannerwork/ucfg2/php
INFO: Load UCFGs: Time spent was 00:00:02.981
INFO: Load type hierarchy and UCFGs: Time spent was 00:00:03.308
INFO: Analyzing 11640 UCFGs to detect vulnerabilities.
INFO: Check cache: Starting
INFO: Load cache: Starting
INFO: Load cache: Time spent was 00:00:00.000
INFO: Check cache: Time spent was 00:00:00.000
INFO: Create runtime call graph: Starting
INFO: Create declared type propagation graph: Starting
INFO: Create declared type propagation graph: Time spent was 00:00:00.289
INFO: Run SCC (Tarjan) on 42284 nodes: Starting
INFO: Run SCC (Tarjan) on 42284 nodes: Time spent was 00:00:00.071
INFO: Tarjan found 41902 strongly connected components
INFO: Propagate runtime types to strongly connected components: Starting
INFO: Propagate runtime types to strongly connected components: Time spent was 00:00:00.110
INFO: Variable Type Analysis #1: Starting
INFO: Create runtime type propagation graph: Starting
INFO: Create runtime type propagation graph: Time spent was 00:00:00.538
INFO: Run SCC (Tarjan) on 54600 nodes: Starting
INFO: Run SCC (Tarjan) on 54600 nodes: Time spent was 00:00:00.059
INFO: Tarjan found 54146 strongly connected components
INFO: Propagate runtime types to strongly connected components: Starting
INFO: Propagate runtime types to strongly connected components: Time spent was 00:00:00.213
INFO: Variable Type Analysis #1: Time spent was 00:00:00.811
INFO: Variable Type Analysis #2: Starting
INFO: Create runtime type propagation graph: Starting
INFO: Create runtime type propagation graph: Time spent was 00:00:00.372
INFO: Run SCC (Tarjan) on 53565 nodes: Starting
INFO: Create runtime call graph: Time spent was 00:00:01.962
INFO: Load config: Starting
INFO: Load config: Time spent was 00:00:00.180
INFO: Compute entry points: Starting
INFO: Compute entry points: Time spent was 00:00:01.906
INFO: All rules entry points : 45
INFO: Slice call graph: Starting
INFO: Retained UCFGs : 1107
INFO: Slice call graph: Time spent was 00:00:00.016
INFO: Live variable analysis: Starting
INFO: Live variable analysis: Time spent was 00:00:00.109
INFO: Taint analysis for php: Starting
INFO: 0 / 1107 UCFGs simulated, memory usage: 566 MB
INFO: 211 / 1107 UCFGs simulated, memory usage: 602 MB
INFO: Taint analysis for php: Time spent was 00:00:00.352
INFO: Report issues: Starting
INFO: Report issues: Time spent was 00:00:00.007
INFO: Store cache: Starting
INFO: Store cache: Time spent was 00:00:00.022
INFO: php security sensor: Time spent was 00:00:07.871
INFO: php security sensor: Begin: 2024-09-28T12:23:03.221365357Z, End: 2024-09-28T12:23:11.092394705Z, Duration: 00:00:07.871
  Load type hierarchy and UCFGs: Begin: 2024-09-28T12:23:03.221527710Z, End: 2024-09-28T12:23:06.529545549Z, Duration: 00:00:03.308
    Load type hierarchy: Begin: 2024-09-28T12:23:03.221558095Z, End: 2024-09-28T12:23:03.547655197Z, Duration: 00:00:00.326
    Load UCFGs: Begin: 2024-09-28T12:23:03.547909242Z, End: 2024-09-28T12:23:06.529267878Z, Duration: 00:00:02.981
  Check cache: Begin: 2024-09-28T12:23:06.529740237Z, End: 2024-09-28T12:23:06.530367391Z, Duration: 00:00:00.000
    Load cache: Begin: 2024-09-28T12:23:06.529800591Z, End: 2024-09-28T12:23:06.529877887Z, Duration: 00:00:00.000
  Create runtime call graph: Begin: 2024-09-28T12:23:06.530504574Z, End: 2024-09-28T12:23:08.493009172Z, Duration: 00:00:01.962
    Create declared type propagation graph: Begin: 2024-09-28T12:23:06.535446193Z, End: 2024-09-28T12:23:06.824966390Z, Duration: 00:00:00.289
    Run SCC (Tarjan) on 42284 nodes: Begin: 2024-09-28T12:23:06.828478883Z, End: 2024-09-28T12:23:06.899906937Z, Duration: 00:00:00.071
    Propagate runtime types to strongly connected components: Begin: 2024-09-28T12:23:06.900403916Z, End: 2024-09-28T12:23:07.010933428Z, Duration: 00:00:00.110
    Variable Type Analysis #1: Begin: 2024-09-28T12:23:07.013301578Z, End: 2024-09-28T12:23:07.825267875Z, Duration: 00:00:00.811
      Create runtime type propagation graph: Begin: 2024-09-28T12:23:07.013647829Z, End: 2024-09-28T12:23:07.552000811Z, Duration: 00:00:00.538
      Run SCC (Tarjan) on 54600 nodes: Begin: 2024-09-28T12:23:07.552249542Z, End: 2024-09-28T12:23:07.611739107Z, Duration: 00:00:00.059
      Propagate runtime types to strongly connected components: Begin: 2024-09-28T12:23:07.611942373Z, End: 2024-09-28T12:23:07.825068508Z, Duration: 00:00:00.213
    Variable Type Analysis #2: Begin: 2024-09-28T12:23:07.825806527Z, End: 2024-09-28T12:23:08.482370893Z, Duration: 00:00:00.656
      Create runtime type propagation graph: Begin: 2024-09-28T12:23:07.825892317Z, End: 2024-09-28T12:23:08.198098806Z, Duration: 00:00:00.372
      Run SCC (Tarjan) on 53565 nodes: Begin: 2024-09-28T12:23:08.198360211Z, End: 2024-09-28T12:23:08.257628056Z, Duration: 00:00:00.059
      Propagate runtime types to strongly connected components: Begin: 2024-09-28T12:23:08.257850324Z, End: 2024-09-28T12:23:08.482143751Z, Duration: 00:00:00.224
  Load config: Begin: 2024-09-28T12:23:08.493223977Z, End: 2024-09-28T12:23:08.673397972Z, Duration: 00:00:00.180
  Compute entry points: Begin: 2024-09-28T12:23:08.674405616Z, End: 2024-09-28T12:23:10.581273701Z, Duration: 00:00:01.906
  Slice call graph: Begin: 2024-09-28T12:23:10.581471077Z, End: 2024-09-28T12:23:10.597786193Z, Duration: 00:00:00.016
  Live variable analysis: Begin: 2024-09-28T12:23:10.597954169Z, End: 2024-09-28T12:23:10.707840645Z, Duration: 00:00:00.109
  Taint analysis for php: Begin: 2024-09-28T12:23:10.708148961Z, End: 2024-09-28T12:23:11.060951902Z, Duration: 00:00:00.352
  Report issues: Begin: 2024-09-28T12:23:11.061070284Z, End: 2024-09-28T12:23:11.068542423Z, Duration: 00:00:00.007
  Store cache: Begin: 2024-09-28T12:23:11.068680339Z, End: 2024-09-28T12:23:11.091166686Z, Duration: 00:00:00.022
INFO: php security sensor peak memory: 763 MB
INFO: Sensor PhpSecuritySensor [security] (done) | time=7872ms
INFO: Sensor PythonSecuritySensor [security]
INFO: Enabled taint analysis rules: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5147, S5334, S5496, S6287, S6350, S6639, S6680, S6776, S6839, S7044
INFO: Load type hierarchy and UCFGs: Starting
INFO: Load type hierarchy: Starting
INFO: Reading type hierarchy from: /opt/atlassian/pipelines/agent/build/src/.scannerwork/ucfg2/python
INFO: Read 0 type definitions
INFO: Load type hierarchy: Time spent was 00:00:00.000
INFO: Load UCFGs: Starting
INFO: Load UCFGs: Time spent was 00:00:00.000
INFO: Load type hierarchy and UCFGs: Time spent was 00:00:00.000
INFO: No UCFGs have been included for analysis.
INFO: python security sensor: Time spent was 00:00:00.001
INFO: python security sensor: Begin: 2024-09-28T12:23:11.093958543Z, End: 2024-09-28T12:23:11.095044172Z, Duration: 00:00:00.001
  Load type hierarchy and UCFGs: Begin: 2024-09-28T12:23:11.094269841Z, End: 2024-09-28T12:23:11.094733260Z, Duration: 00:00:00.000
    Load type hierarchy: Begin: 2024-09-28T12:23:11.094322851Z, End: 2024-09-28T12:23:11.094525346Z, Duration: 00:00:00.000
    Load UCFGs: Begin: 2024-09-28T12:23:11.094598281Z, End: 2024-09-28T12:23:11.094642172Z, Duration: 00:00:00.000
INFO: python security sensor peak memory: 763 MB
INFO: Sensor PythonSecuritySensor [security] (done) | time=2ms
INFO: Sensor JsSecuritySensor [security]
INFO: Enabled taint analysis rules: S2083, S2631, S2076, S5696, S5334, S3649, S6096, S6105, S6350, S5144, S5146, S5147, S5883, S5131, S6287
INFO: Load type hierarchy and UCFGs: Starting
INFO: Load type hierarchy: Starting
INFO: Reading type hierarchy from: /opt/atlassian/pipelines/agent/build/src/.scannerwork/ucfg2/js
INFO: Read 0 type definitions
INFO: Load type hierarchy: Time spent was 00:00:00.000
INFO: Load UCFGs: Starting
INFO: Load UCFGs: Time spent was 00:00:00.000
INFO: Load type hierarchy and UCFGs: Time spent was 00:00:00.000
INFO: No UCFGs have been included for analysis.
INFO: js security sensor: Time spent was 00:00:00.000
INFO: js security sensor: Begin: 2024-09-28T12:23:11.095764756Z, End: 2024-09-28T12:23:11.096653277Z, Duration: 00:00:00.000
  Load type hierarchy and UCFGs: Begin: 2024-09-28T12:23:11.095947883Z, End: 2024-09-28T12:23:11.096360364Z, Duration: 00:00:00.000
    Load type hierarchy: Begin: 2024-09-28T12:23:11.095991244Z, End: 2024-09-28T12:23:11.096148725Z, Duration: 00:00:00.000
    Load UCFGs: Begin: 2024-09-28T12:23:11.096222024Z, End: 2024-09-28T12:23:11.096288728Z, Duration: 00:00:00.000
INFO: js security sensor peak memory: 763 MB
INFO: Sensor JsSecuritySensor [security] (done) | time=2ms
INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=14ms
INFO: SCM Publisher is disabled
INFO: CPD Executor 413 files had no CPD blocks
INFO: CPD Executor Calculating CPD for 2485 files
INFO: CPD Executor CPD calculation finished (done) | time=682ms
INFO: Analysis report generated in 449ms, dir size=8 MB
INFO: Analysis report compressed in 5194ms, zip size=6 MB
INFO: Analysis report uploaded in 2343ms
INFO: ANALYSIS SUCCESSFUL, you can find the results at: https://sonarcloud.io/dashboard?

Solution

  • I was able to resolve this issue by modifying the path in my php.ini file. As it turns out it was working locally because my pcov.directory was correct for local development but did not match when the pipeline ran, and so the coverage.xml file was being output with count="0" for every line of code. I failed to notice this because I inspected my local coverage.xml file which was correctly configured and counting covered lines. Thank you Bademeister for being a huge help on this.

    I changed:

    pcov.directory=/var/www/html/app
    

    to

    pcov.directory=/opt/atlassian/pipelines/agent/build/src/app
    

    I'll be looking for a more dynamic way to configure this but this was essentially the problem.
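A pre-scan check for the failure described in this answer, as an added example that is not part of the original post: it reads the Clover `coverage.xml` PHPUnit wrote and fails the pipeline step when every statement line has `count="0"`. It goes one step beyond the answer by also flagging report paths that lie outside `sonar.projectBaseDir`. The function names, the `Services/Invoice.php` file and the sample reports are constructed for illustration; the two directories are the ones quoted in the post.

```python
import sys
import xml.etree.ElementTree as ET

# sonar.projectBaseDir from the scanner context in the question.
BASE = "/opt/atlassian/pipelines/agent/build/src"

# Constructed sample in PHPUnit's Clover layout: the file is listed,
# but no line was ever hit (the symptom described in the answer).
ALL_ZERO = """<coverage generated="1727526000">
  <project timestamp="1727526000">
    <file name="/opt/atlassian/pipelines/agent/build/src/app/Services/Invoice.php">
      <line num="10" type="method" name="total" count="0"/>
      <line num="12" type="stmt" count="0"/>
      <line num="13" type="stmt" count="0"/>
      <line num="14" type="stmt" count="0"/>
    </file>
  </project>
</coverage>"""

# Constructed variants: a healthy report (two of three statements hit) and
# the same report as it would look with the local /var/www/html paths.
GOOD = ALL_ZERO.replace('count="0"', 'count="3"', 3)
LOCAL_PATHS = GOOD.replace(BASE, "/var/www/html")


def summarize(clover_xml, base_dir):
    """Count statement lines and covered statement lines in a Clover report."""
    root = ET.fromstring(clover_xml)  # accepts str or bytes
    prefix = base_dir.rstrip("/") + "/"
    files = statements = covered = 0
    outside_base = []
    # <file> may sit directly under <project> or inside <package>.
    for f in root.iter("file"):
        files += 1
        name = f.get("name", "")
        if not name.startswith(prefix):
            outside_base.append(name)
        for line in f.iter("line"):
            if line.get("type") != "stmt":
                continue
            statements += 1
            if int(line.get("count", "0")) > 0:
                covered += 1
    return {"base_dir": base_dir, "files": files, "statements": statements,
            "covered": covered, "outside_base": outside_base}


def problems(summary):
    """Return human-readable reasons the report would show 0% coverage."""
    found = []
    if summary["statements"] == 0:
        found.append("report contains no statement lines")
    elif summary["covered"] == 0:
        # Assumption, not from the post: the directory can be passed at run
        # time instead of being fixed in php.ini, e.g.
        #   php -d pcov.directory="$BITBUCKET_CLONE_DIR/src/app" vendor/bin/phpunit
        found.append('every statement has count="0": check that '
                     "pcov.directory matches the directory under test")
    if summary["outside_base"]:
        found.append("%d file path(s) are not under %s"
                     % (len(summary["outside_base"]), summary["base_dir"]))
    return found


if __name__ == "__main__":
    # Usage: python check_coverage.py coverage.xml <sonar.projectBaseDir>
    report_path, base_dir = sys.argv[1], sys.argv[2]
    with open(report_path, "rb") as fh:
        issues = problems(summarize(fh.read(), base_dir))
    for issue in issues:
        print("coverage check:", issue, file=sys.stderr)
    sys.exit(1 if issues else 0)
```

Run it between the PHPUnit step and the SonarCloud scan step so that an empty report stops the build instead of being uploaded as 0%.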