Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Analyzing a Maven project consists of running a Maven goal: sonar:sonar in the directory where the pom.xml file sits. If possible, an install goal should be performed prior to the sonar:sonar one.

Recommended Way

...

Code Block
languageperl
# The sonar:sonar goal must be executed in a dedicated mvn command
mvn clean install
mvn sonar:sonar

Use skipTests=true to not run unit tests twice: once during the install goal and again during the sonar:sonar goal. You can also deactivate the integration test execution. Please refer to the Maven documentation.

 

Note
titleUsing Eclipse

Make sure you're not using the Eclipse plugin Maven Embedder (m2eclipse). Define a new Maven runtime pointing to your local Maven install, use the latest Maven Eclipse plugin, m2e, and uncheck "resolve workspace artifacts" in the Maven project launch window.
Have a look at the first comment of this ticket: http://jira.codehaus.org/browse/SONAR-929

Note
titleAdvanced Reactor Options

Note that Advanced Reactor Options (such as "--projects" and "--resume-from") are not supported by SonarQube and should not be used.

Alternative Method

When the above configuration is not possible, you can run an analysis in one command, but unit tests will run twice: once in the install goal and once in the sonar:sonar goal. Do not use the -DskipTests=true parameter, otherwise the unit tests will not be executed at all.

Code Block
mvn clean install sonar:sonar - 
# The following command may lead to unexpected issues
mvn clean install sonar:sonar
Note
titleCode Coverage

Since Java ecosystem 2.2, to get coverage information you have to generate the coverage report. If you are not generating it during your build you can use the following command:

mvn clean org.jacoco:jacoco-maven-plugin:prepare-agent install -Dmaven.test.failure.ignore=true

The -Dmaven.test.failure.ignore=true is there to make sure that even if some unit tests fail, the SonarQube analysis will be performed.

mvn sonar:sonar

Please check the JaCoCo plugin page for more advanced information

 

Configuring the SonarQube Analysis

...

Additional analysis parameters are listed on the Analysis Parameters page.

Security

SonarQube 3.7+

Any user who's granted Execute Analysis permission can run an analysis.

If the Anyone group is not granted Execute Analysis permission or if the SonarQube instance is secured (the sonar.forceAuthentication property is set to true), the credentials of a user having been granted Execute Analysis permission have to be provided through the sonar.login and sonar.password properties. Example: sonar-runner -Dsonar.login=myLogin -Dsonar.password=myPassword

SonarQube 3.4 to 3.6.3

If a project cannot be accessed anonymously, the sonar.login and sonar.password properties are required to run an analysis on this project. These properties have to be set to the credentials of a user having the User role on this project. You can set them either:

  • directly on the command line by adding -Dsonar.login=myLogin -Dsonar.password=myPassword
  • or in the build.xml file

A project cannot be anonymously accessed when either:

Prior to SonarQube 3.4

There is no security restriction.

Include Page
Include - Analysis - Security
Include - Analysis - Security

Excluding a module from SonarQube analysis

You can either:

  • use build profiles to exclude some module (like for integration tests)
  • use Advanced Reactor Options (such as "-pl"). For example mvn sonar:sonar -pl !module2

Sample Projects

To help you get started, a simple project sample is available on github that can be browsed or downloadedprojects/languages/java/maven/java-maven-simple

How to Fix Version of Maven Plugin

...

No Format
<build>
  <pluginManagement>
    <plugins>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>sonar-maven-plugin</artifactId>
        <version>${sonarVersion}</version>
      </plugin>
    <plugins>
  </pluginManagement>
</build>
<profile>
  <id>maven-2</id>
  <activation>
    <file>
      <!-- basedir expression is only recognized by Maven 3.x (see MNG-2363) -->
      <missing>${basedir}</missing>
    </file>
  </activation>
  <properties>
    <sonarVersion>1.0</sonarVersion>
  </properties>
</profile>
<profile>
  <id>maven-3</id>
  <activation>
    <file>
      <!-- basedir expression is only recognized by Maven 3.x (see MNG-2363) -->
      <exists>${basedir}</exists>
    </file>
  </activation>
  <properties>
    <sonarVersion>2.1</sonarVersion>
  </properties>
</profile>

Analyzing a Multi-

...

language Project

Since SonarQube 34.32, it is possible to run an analysis on a multi-module project whose modules contains source code from different languages.language project. To do so, just add the sonar.language property just has to be removed. Conversely, if for some reason you want to perform a single language-only analysis, make sure sonar.language is specified. By default the sonar.languagesources property is set to the pom of each module.value of the Maven sourceDirectory property (by default it is src/main/java). Therefore, for a multi-language project, the property usually has to be overridden to: sonar.sources=src.

To help you get started, a multi-language project sample is available on github that can be browsed or downloaded from githubprojects/languages/multi-language/multi-language-java-javascript-maven

Include Page
Include - Converting a Mono-language Project to a Multi-language Project
Include - Converting a Mono-language Project to a Multi-language Project