Automatic creation of projects

  • Sonarqube Version: 7.9 LTS

I’ve taken over the responsibility of our SQ installation and currently I try to get familiar with it. One thing I recognized is that someone (don’t know who) has given the right “Create project” to “Anyone”. Bad idea, because I have lots of projects being created right out of Maven. Most of them have the same source, the same name and description, but a different key. I tried to get behind the mechanism, but since I’m not really familiar with Java, I’d ask for your appreciated help.

All of those projects have the same groupId, artifactId, name and description. The only difference is the revision. What I’m not able to understand is the generation of the project key. I haven’t found any hint in the pom.xml, however, all of those similar looking projects have a different project key.

Could someone explain to me how this works?

A sample pom.xml looks like (relevant lines):

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns=...>
<modelVersion>4.0.0</modelVersion>
<parent>
	<groupId>some.master</groupId>
	<artifactId>somemaster</artifactId>
	<version>1.0</version>
</parent>
<groupId>this.groupid.is.always.used</groupId>
<artifactId>project-parent</artifactId>
<version>${revision}</version>
<packaging>pom</packaging>
<name>VIProject</name>
<description>Most important project ever written</description>
    ...
<properties>
	<revision>version</revision>
   ....

Many thanks in advance to anyone reading my lines. Regards, Thomas

Hi Thomas,

If the projects are analyzed using the SonarScanner for Maven, the project key is usually generated using the group and artifact id values from the pom. In your example, I’d expect the key to come out as some.master:somemaster. What kind of project key values are you seeing get created?

If the sonar-scanner CLI is being used or if users are passing a custom project key via -Dsonar.projectKey=foo to the maven scanner, this could account for strange values.

Many customers restrict project creation to admins and a CI system user account, FYI.

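As an added illustration of the key derivation described above (this is example code written for this thread, not part of the original posts and not SonarSource's own scanner code), the script below reads a POM and computes the project key the SonarScanner for Maven would use: an explicit -Dsonar.projectKey wins, then a sonar.projectKey property in the POM, and otherwise groupId:artifactId, with the groupId inherited from the parent when the module declares none (standard Maven inheritance). An audit helper compares that expected key against a constructed list of keys seen on the server, which is the check an administrator would want before tightening the "Create project" permission. The sample POM is modelled on the one in the question; its xmlns is the standard Maven namespace and is an assumption, since the question's copy was truncated.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample POM modelled on the question (xmlns assumed to be Maven's).
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>some.master</groupId>
    <artifactId>somemaster</artifactId>
    <version>1.0</version>
  </parent>
  <groupId>this.groupid.is.always.used</groupId>
  <artifactId>project-parent</artifactId>
  <version>${revision}</version>
  <packaging>pom</packaging>
  <name>VIProject</name>
  <description>Most important project ever written</description>
  <properties>
    <revision>version</revision>
  </properties>
</project>
"""

# Constructed child module that declares no groupId of its own (inherits it).
CHILD_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>this.groupid.is.always.used</groupId>
    <artifactId>project-parent</artifactId>
    <version>${revision}</version>
  </parent>
  <artifactId>project-core</artifactId>
</project>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace so tags can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, name: str) -> Optional[str]:
    """Return the trimmed text of the first direct child with this local name."""
    for child in elem:
        if _local(child.tag) == name and child.text and child.text.strip():
            return child.text.strip()
    return None


def _child(elem: ET.Element, name: str) -> Optional[ET.Element]:
    return next((c for c in elem if _local(c.tag) == name), None)


def expected_project_key(pom_xml: str, cli_project_key: Optional[str] = None) -> str:
    """Derive the SonarQube project key the Maven scanner would use for this POM.

    Precedence: -Dsonar.projectKey on the command line, then a sonar.projectKey
    property in the POM, then groupId:artifactId (groupId inherited from <parent>
    when the module does not declare its own).
    """
    if cli_project_key:
        return cli_project_key
    root = ET.fromstring(pom_xml)
    props = _child(root, "properties")
    if props is not None:
        custom = _child_text(props, "sonar.projectKey")
        if custom:
            return custom
    group = _child_text(root, "groupId")
    if group is None:
        parent = _child(root, "parent")
        if parent is not None:
            group = _child_text(parent, "groupId")
    artifact = _child_text(root, "artifactId")
    if not group or not artifact:
        raise ValueError("POM lacks groupId/artifactId needed to build a project key")
    return f"{group}:{artifact}"


def audit_keys(pom_xml: str, observed_keys: List[str]) -> List[str]:
    """Return the server-side keys that do not match the key this POM should produce.

    Any key listed here was created by some other mechanism (a -D override, the
    sonar-scanner CLI, or a property not visible in this POM).
    """
    expected = expected_project_key(pom_xml)
    return [key for key in observed_keys if key != expected]


if __name__ == "__main__":
    # Constructed list of keys as they might appear on the SonarQube server.
    seen = ["this.groupid.is.always.used:project-parent", "viproject-1234", "viproject-1235"]
    print("expected:", expected_project_key(SAMPLE_POM))
    print("unexplained:", audit_keys(SAMPLE_POM, seen))
```

Running it against the constructed list reports the two `viproject-…` keys as unexplained by the POM, which is exactly the symptom described in the question and the sign that a custom key is being passed at analysis time.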

Hi Jeff,

thanks for your answer, really appreciated! Yes, you’re right, we use SonarScanner for Maven, and accordingly I’d expect values like “:” as the project key; however, those automatically created projects have keys I never found again in any file. So it seems that they use the method with custom values.

Well, I’ll try to change that, not so easy with developers who are already used to this setup. 🙂 Thanks again for your explanation.

Regards, Thomas