SonarScanner for Maven
The SonarScanner for Maven is recommended as the default scanner for Maven projects.
The ability to execute the SonarQube Server analysis via a regular Maven goal makes it available anywhere Maven is available (developer build, CI server, etc.), without the need to manually download, set up, and maintain a scanner installation. The Maven build already has much of the information needed for SonarQube Server to successfully analyze a project. By preconfiguring the analysis based on that information, the need for manual configuration is reduced significantly.
Prerequisites
- Maven 3.2.5+
- At least the minimal version of Java supported by your SonarQube Server instance
Analyzing
Analyzing a Maven project consists of running a Maven goal: sonar:sonar
from the directory that holds the main project pom.xml
. You need to pass an authentication token using one of the following options:
- Use the
sonar.token
property. For example, to set it through the command line, Executemaven sonar:sonar -Dsonar.token=yourAuthenticationToken
and wait until the build has completed, then open the web page indicated at the bottom of the console output. You should now be able to browse the analysis results. - Create the
SONAR_TOKEN
environment variable and set the token as its value.
In some situations you may want to run the sonar:sonar
goal as a dedicated step. Be sure to use install
as first step for multi-module projects
To specify the version of sonar-maven-plugin instead of using the latest:
If sonar-maven-plugin is not defined by the project’s pom.xml
file, we recommend specifying the version instead of using the latest to avoid breaking changes at an unwanted time.
To get coverage information, you'll need to generate the coverage report before the analysis and specify the location of the resulting report in an analysis parameter. See test coverage for details.
The SonarScanners run on code that is checked out. See Verifying the code checkout step of your build.
Configuring analysis
Most analysis properties will be read from your project. If you would like to override the default values of specific additional parameters, configure the parameter names found on the analysis parameters page in the <properties>
section of your pom.xml
like this:
Sample project
To help you get started, a simple project sample is available here: https://github.com/SonarSource/sonar-scanning-examples/tree/master/sonar-scanner-maven/maven-basic
Adjusting the analysis scope
The analysis scope of a project determines the source and test files to be analyzed.
An initial analysis scope is set by default. With the SonarScanner for Maven, the initial analysis scope is:
- For source files: all the files stored under
src/main/java
(in the root or module directories). - For test files: all the files stored under
src/test/java
(in the root or module directories).
To adjust the analysis scope, you can:
- Adjust the initial scope: see below.
- Exclude specific files from the initial scope: see Analysis scope.
- Exclude specific modules from the analysis: see below.
Adjusting the initial scope
The initial scope is set through the sonar.sources
property (for source files) and the sonar.tests
property (for test files). See Analysis parameters for more information.
To adjust the initial scope, you can:
- Either override these properties by setting them explicitly in your build like any other relevant maven property: see Analysis scope.
- Or use the scanAll option to extend the initial scope to non-JVM-related files. See below.
Using the scanAll option to include non-JVM-related files
You may want to analyze not only the JVM main files but also files related to configuration, infrastructure, etc. An easy way to do that is to enable the scanAll option (By default, this option is disabled.).
If the scanAll option is enabled then the initial analysis scope of source files will be:
- The files stored in
src/main/java.
- The non-JVM-related files stored in the root directory of your project.
The scanAll option is disabled if the sonar.sources
property is overridden.
To enable the scanAll option:
- Set the
sonar.maven.scanAll
property totrue
.
Excluding a module from the analysis
To exclude a module from the analysis, you may:
- In the
pom.xml
of the module you want to exclude, define the<sonar.skip>true</sonar.skip>
property. - Use build profiles to exclude some modules (like for integration tests).
- Use Advanced Reactor Options (such as
-pl
). For examplemvn sonar:sonar -pl !module2
Other settings
Locking down the version of the Maven plugin
It is recommended to lock down versions of Maven plugins:
If your instance of SonarQube Server is secured
If your SonarQube Server instance is configured with HTTPS and a self-signed certificate, you must add the self-signed certificate to the trusted CA certificates of the SonarScanner. In addition, if mutual TLS is used, you must define the access to the client certificate at the SonarScanner level.
See Managing the TLS certificates on the client side.
Troubleshooting
If you get a java.lang.OutOfMemoryError
With SonarScanner for Maven version 5.0 or later
Set the SONAR_SCANNER_JAVA_OPTS
environment variable, like this in Unix environments.
In Windows environments, avoid the double quotes, since they get misinterpreted.
With SonarScanner for Maven version 4.0 or earlier
Set the MAVEN_OPTS
environment variable, like this in Unix environments:
In Windows environments, avoid the double quotes, since they get misinterpreted:
Was this page helpful?