Am I supposed to make my own pom.xml or what am I missing?

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension) SonarQube 10.6 Community, Maven 3.9.6 (via Chocolatey), Java Extension Pack for VSCode, JDK17 (was already on the environment)
  • how is SonarQube deployed: zip
  • what are you trying to achieve: Scanning some project files that contain .java files for the most part
  • what have you tried so far to achieve this: Installed SQ, VSCode, Maven, pulled down a .zip file of the code I’m told to scan, tried to run a bunch of commands against the extracted code files in its folder and got told there was no pom.xml file. I kind of expected this because the tutorial I’m following showed it being configured with the SQ host info, token, etc. but what I don’t know is where I’m supposed to get this POM.XML file anyway.

Note I am not a developer, just the guy who has to run this against the code. It looks like I need to run a few commands against the project and its pom.xml file to generate some more files which in turn let me run the scanner and get some code scanned.

Is the pom.xml generated when a project is built as a Maven project in an IDE? From what the developers have told me, it is currently written in Eclipse and is actually an ANT project when they build it. Is there a way for me to take their code and make it a Maven project on my own? I have VSCode and Maven installed but this is my first time doing such a thing. Am I supposed to hack one together myself (which I guess I could do reading off the screen, so long as I know where it’s supposed to sit I guess). Was I just supposed to yank it out of the sample project I saw floating around? Should I just start bugging the developers about this because it’s supposed to be in their wheelhouse?

Any orientation so I know which way to work would be much appreciated!


Hi,

A couple things jump out at me here:

I understand you’ve been put in an awkward spot here. To get out of it, you’re ideally going to work with the project devs to get this set up.

So first, you should be checking the code out of the SCM rather than downloading a zip bundle of code. Among other things, that gives analysis access to the SCM “blame” data it needs to properly attribute issues to their authors and understand which code is “new”.

That will (should) also give you access to the Ant file the developers use to build the project. And then you’ll work with those developers to understand how to properly build the project. This is required for Java projects because analysis needs both the raw source files, as well as the compiled .class files (and the libraries required for the build).

From there, you can finally run the analysis. Now, normally for a Java project you would do that with the SonarScanner for Gradle or the SonarScanner for Maven. That latter is where you came in - trying to figure out where to get the pom file so you can use the SonarScanner for Maven.

The reason those scanners are strongly recommended for Java projects is that they handle most of the analysis configuration for you by reading the values analysis needs out of the build environment.

Unfortunately, that’s not available to you for this Ant project. So you’ll use the SonarScanner CLI and manually provide the values Java analysis needs. (Note that the sonar.java.test.* values aren’t absolutely required, just recommended.)

Once you’ve got the sequence and details of the commands right (checkout, build, analyze), then you’ll ideally automate this in a CI environment. Given that we’re talking about an Ant project, I’m going to guess that your company hasn’t gotten very far with DevOps automation & recommend you start by taking a look at Jenkins for that.

I know there’s a lot here. I can’t help you get started with Jenkins. But if you have questions about the other things I’ve mentioned here, don’t hesitate!

HTH,
Ann

Ann,

Thanks for the lead! You are correct, this is a tough spot. I’ve started to reach out to some developers on the team but this is a pretty old and mature product so they’re mostly only part time on it. I might get lucky in that another department seems to have hosted SonarQube and we might be able to leverage it, but I need to hedge my bets against it. Additionally, I think it’s probably wise I learn how this stuff works because I know it’s a useful product and I might end up needing the knowledge anyway.

As for the whole Ant/Maven thing, you are right in that it is a pretty old project and it doesn’t have any pipeline stuff at all. I am passingly familiar with the concept from a previous project (which also used Azure DevOps like my current one, where my involvement was limited mostly to setting up a few endpoints following directions as again that was assigned to the developer side of things) but from what I can tell it isn’t set up at all with my current group.

Is it possible to convert from Ant to Maven? Or is it that because this thing started out Ant, I’m basically required to manually craft a test run every time? Somehow it seems like my predecessor found a way to get a successful run against the desired target files about a year ago, but I couldn’t find any evidence of hand built files (I’d found a document saying you could manually write the names out in a particular config file) and near as I can tell he just had the CLI. Might be that he started to clean it up and then abandoned it on his way out the door, though.

I’m not sure the “blame” or “new” distinctions are required but I’ll bring it up when my group next meets - there’s basically only one developer who does a certain collection of things so it’s clear who gets tasked with fixing what. Not a large team at this point. And since Ant isn’t supported in SonarQube, I guess that’s also out.

Also side question - I installed Maven on the SQ host, but it seems like if I were to somehow have a correctly configured Maven build passed down to me, I would still need the Maven scanner, right? Out of the box 10.6 doesn’t even seem to have the sonar-scanner.bat file that the 10.0 I inherited did, but when I follow the link in the Maven scanner article I just get this without any clear direction on what I need to do from there: Central Repository: org/sonarsource/scanner/maven/sonar-maven-plugin/4.0.0.4121

Either way this is Monday guy’s problem now so have a good weekend!


Hello Monday Guy :smiley:,

Good news! You can easily set up analysis in ADO, and the docs will get you started.

Ehm… Yes. Just like it’s possible to convert from Catholicism to Judaism: not easy and potentially painful (for dudes). And this really isn’t your decision to make. It’s a programming philosophy decision that should be made by the folks on the team. Given that they’re all part-time (easing into retirement?) I’m guessing they won’t want to bother.

I wouldn’t say that. You’ll manually craft a pipeline for it and then set ADO to automatically run it on each commit.

Just to be clear, you don’t need Ant support. You can do this adequately using the SonarScanner CLI.

Ideally, your SonarQube host is not where you run analysis.

You would, but you wouldn’t need to install it. Through the “magic of Maven” you only need to install Maven itself and then Maven downloads the Internet to your machine. :sweat_smile:

The scanners are separate downloads. (I lobbied once to have them bundled, but gave up on that long ago.)

HTH,
Ann

Ann,

Thanks for getting back to me - it sounds like my project leads want to lean more into the scanning solution our company already hosts internally (which we didn’t know about prior to me going down this road, and presumably my predecessor didn’t know about either). However, in the event that falls through I’ll need to fall back on our self-hosting.

I will take a look into ADO integration, though as far as I am currently aware this requires the whole build pipeline to be set up (which is its own project I’d have to learn).

If I’m reading you right, if Maven is installed on the SQ host, I don’t necessarily need the Maven scanner and can use the CLI scanner to get in on .java files? That doesn’t seem to match up with what I’ve come across so I suspect I am misreading you. Regardless I’m planning on pulling down the CLI scanner to toy with a bit, to at least see if I’ve set up 10.6 correctly enough that it returns something. I couldn’t for the life of me figure out which of the files in the maven scanner repository I’d need, though.

I do suspect this whole project is getting aged into “maintain” and the developers will become even less than part time before long, so any major structural changes are probably not going to happen (hence my interest in figuring out how to get a stand-alone scanner without any kind of integration working).

As for the host doing the scanning I think long term this wouldn’t be the case, but I’m in a weird situation where that one host is really the only place I can experiment with these (which happens to be the Azure DevOps host as well).

Thanks!

Hi,

To be clear, you’d have to go through all the steps in the pipeline to get a manually-run analysis. This way, you just enshrine them in a replayable way.

The SQ host isn’t part of the equation & there’s no reason to install Maven there.

Normally, the advice is to use the SonarScanner for Maven or the SonarScanner for Gradle. I’m advising you to use the CLI scanner because the project is built with Ant & so you’re not able to use either of those scanners.

None of them. :smiley:

Okay, for a one-off analysis just to see how good or bad it is, I suppose you could work from the zip of code you got. You’ll still need to run the build tho, which involves installing Ant wherever you’re doing this and getting the build command and the libraries from the devs. Once you have Ant installed it should be as simple as cd-ing into the project root directory and running the build command.

You’ll have also installed the SonarScanner CLI on this same machine, so from the same directory, you can kick off analysis. Analysis will use the sonar-project.properties you’ve crafted, which includes the Java-specific analysis properties that you’ll (unfortunately) have to specify by hand.

Good luck :sweat_smile:
Ann

Ann,

Coming back to this after some other ongoings are settled - looks like my primary path from leadership is to try and figure out how to integrate with their setup. That’s a bit of a run-about right now but I’ll get it.

That said, from what little info I have gleaned it sounds like the one team I know that uses their setup has the whole pipeline integration thing going on so I will probably still have to be up and up on how to do this stand alone if need be. I don’t anticipate that we’ll do this often and setting up a pipeline in ADevOps is probably drifting from shore enough that leadership will say don’t bother.

To make sure I’m understanding you:

  • I can use Ant-developed Java but it’s more manual than if they used Maven or Gradle from the start.
  • To do this, I need to either have the developers issue me a compiled build, rather than me just taking some source code off of our source control system. Alternatively, I could take the source code, install an Ant builder on some machine somewhere, and build it myself (making it the first code I’d have compiled since…2008 probably, so I’d need to sort that out). The former seems wiser. In any case they’ll be .class files and not .java files anymore.
  • With the build in hand, I will build some entries in the properties file - I believe I remember seeing a properties file in the directories of SonarQube I had kicking about without me creating it myself, so I assume it’s that one. These entries will spell out the path of where all the .class files in the build are (so if on my desktop c:\users\m_the_user\desktop\projectfiles\subfolder\file1.class, c:\users\m_the_user\desktop\projectfiles\subfolder\file2.class, c:\users\m_the_user\desktop\projectfiles\subfolder\file3.class etc.) PLUS the third-party libraries I assume would also be in the build (developers would have to tell me I’d imagine). Don’t suppose there’s a more blatant example than the tidbits on the help wiki around, is there?
  • THEN with the properties file in place, I can use the CLI scanner just like I had been messing with previously to get it scanned, wherein it will see the properties file pointing out all these targets and get to task on them. This will give me something in the console other than the results against the .xml files I saw from my predecessor’s attempts.

Does it sound like I’m reading you correctly? Alas have not had much time to dedicate to reading further in for that long-awaited eureka moment.

Thanks!

Hi,

Yes

No

This.

Analysis needs both. That’s why I’m telling you to check out the code - the .java files - and run the build - to get the .class files.

No. Per the docs (emphasis mine)

Key: sonar.java.binaries (required)
Value: Comma-separated paths to directories containing the compiled bytecode files corresponding to your source files.

Yes, you’ll need the libs to do the build. And yes, the devs will have to tell you where to get them from. And yes, you’ll want to point to them in the analysis configuration (altho that part’s only recommended, not required).

Yes!

HTH,
Ann
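As an added illustration (not from the thread, not SonarSource’s own sample, and not the poster’s project), here is what the hand-crafted sonar-project.properties that Ann describes for an Ant-built Java project could look like. It ties together the steps discussed above: check out the .java sources, run the Ant build to produce .class files, then run the SonarScanner CLI from the project root with this file beside it. The project key, name, and every directory path (src, test, build/classes, build/test-classes, lib/, lib/test/) are assumptions; a real Ant build may put its output elsewhere, and the developers are the ones who know where.

```properties
# sonar-project.properties  (assumed location: the project root, next to build.xml)
# Placed here as an example; names and paths are assumptions, not the real project's layout.

# Identity of the project on the SonarQube server (assumed values; choose your own key).
sonar.projectKey=legacy-ant-app
sonar.projectName=Legacy Ant Application

# Where the .java sources and their tests live (assumed Ant layout).
# Keep test sources out of sonar.sources so they are not double-counted.
sonar.sources=src
sonar.tests=test

# Tell the scanner which language level the code targets (assumed: JDK 17 from the thread).
sonar.java.source=17
sonar.sourceEncoding=UTF-8

# REQUIRED for Java analysis: directories holding the compiled .class files
# that the Ant build produced from sonar.sources. Point at the directory,
# not at individual .class files; the scanner walks it.
sonar.java.binaries=build/classes

# Recommended: the third-party jars the build compiled against, so the
# analyzer can resolve types from them (glob patterns are accepted).
sonar.java.libraries=lib/**/*.jar

# Recommended, not required: the same two settings for the test code.
sonar.java.test.binaries=build/test-classes
sonar.java.test.libraries=lib/test/**/*.jar

# Optional housekeeping: keep build output and the libraries themselves out of the source scan.
sonar.exclusions=build/**,lib/**
```

Usage, assuming Ant and the SonarScanner CLI are installed on the same machine and the project root is the current directory: run the Ant build first (the build target name comes from the developers), then run `sonar-scanner`. Leave the server URL and the analysis token out of this file, since it is checked into source control; pass them on the command line as `-Dsonar.host.url=...` and `-Dsonar.token=...`, or set them in the environment as SONAR_HOST_URL and SONAR_TOKEN. If sonar.java.binaries is missing or points at an empty directory, Java analysis fails outright, which matches the “required” marking Ann quotes from the docs; a wrong sonar.java.libraries path only degrades the results, which is why it is merely recommended.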

Ann,

Thanks for the clarifications! It definitely looks like I will need to figure out to pull the developers together and work through the finer details with them, but I think I get the general process now. Ideally I’d have them put together the code/build/lib package while I observe, then I can do the scans (as administratively it looks like it would become a deliverable expected of me). Watching them go through that a few times should get me comfortable enough to take over that eventually if needed I think.

I will probably drop back by here again to sort out more things but in the mean time I’ve got something actionable - get the CLI component set up in my latest rebuild and figure out how we’ll build the scanning package.

Thanks!
