Code Smells Count Differs Between Sonar Maven Plugin and Sonar Scanner CLI

Hi Team,

We are in the process of replacing the Sonar Maven plugin with the Sonar Scanner CLI but have encountered discrepancies in the code smells count between the two approaches.

SonarQube Setup Details:

  • SonarQube Server Version: 9.9.2.77730
  • SonarQube Deployment Method: k8s deployment
  • Sonar Scanner CLI Version: sonar-scanner-cli-4.8.0.2856-linux.zip
  • Sonar Maven Plugin Version: 3.7.0.1746

Problem Statement:

After migrating from the Sonar Maven Plugin to the Sonar Scanner CLI, the coverage percentage, bug count, and duplication rate remain the same, but the reported code smells count differs.

Existing Setup (Sonar Maven Plugin):

pom.xml Configuration:

<sonar-maven-plugin.version>3.7.0.1746</sonar-maven-plugin.version>
<plugin>
    <groupId>org.sonarsource.scanner.maven</groupId>
    <artifactId>sonar-maven-plugin</artifactId>
    <version>3.7.0.1746</version>
</plugin>
<profiles>
    <profile>
        <id>sonar</id>
        <activation>
            <activeByDefault>true</activeByDefault>
        </activation>
        <properties>
            <sonar.host.url>https://localhost:9000</sonar.host.url>
        </properties>
    </profile>
</profiles>

gitlab-ci.yml Configuration:

test:
    image: registry.xxx.net/xxxx/ci/maven-eclipse-temurin-21:1.0.1
    stage: test
    script:
        - mvn --batch-mode clean verify sonar:sonar -Ddetail=true -DskipDocker=true

New Setup (Sonar Scanner CLI):

Migration Steps:

  • Removed all Sonar-related configurations from pom.xml.
  • Integrated Sonar Scanner CLI as a GitLab CI component.
  • Modified the test job in the GitLab pipeline.

gitlab-ci.yml Configuration:

# Sonar Scanner Component Inclusion
include:
    - component: $CI_SERVER_FQDN/xxx/operations/dev/ci-components/sonar-scanner/sonar-scanner@v1.0.22
      inputs:
        sources: "pom.xml,src/main,src/test"
        additional_properties: "-D sonar.java.binaries=target/classes -D sonar.java.test.binaries=target/test-classes -D sonar.exclusions=**/*.js,**/*.css,**/*.scss,**/*.html"
        needs:
            - job: test


# Test Job
test:
  image: registry.xxx.net/xx/ci/maven-eclipse-temurin-21:1.0.1
  stage: test
  artifacts:
    paths:
      - target/*
  script:
    - mvn --batch-mode clean verify -Ddetail=true -DskipDocker=true

Investigation & Debugging:

  • Quality Profiles: Checked in SonarQube UI, both configurations use the same profile.
  • Version Differences: The Sonar Scanner CLI and Sonar Maven Plugin have different versioning histories.
  • Artifacts Verification: The target/ directory is correctly created and includes classes.
  • Test Binaries: Tried adding test binaries explicitly but saw no change in results.
  • Source & Exclusion Matching: Verified that sources and exclusions match in both configurations.

Request for Help:

If anyone has insights into why the code smells count differs between these two methods, please let me know. Also, let me know if you need any additional information from my side.

Thanks in advance!

Hey there.

We generally recommend using the scanner built for your build tool (like the Scanner for Maven, Scanner for Gradle) to handle some of the complexity of Java projects like modules.

That being said, it might help you to look at the Scanner Context of your background tasks before/after you made the change.

This might expose some non-obvious configuration – like the Scanner for Maven probably sets sonar.java.jdkHome and sonar.java.source, which you may not have set yourself when using the SonarScanner CLI.
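As an added illustration of the before/after comparison suggested above (example code, not part of the original thread or of SonarSource's tooling): a small Python helper that parses two Scanner Context dumps copied from the background-task page and lists the properties that exist in only one run or changed value. The context layout ("Section:" headers followed by "- key=value" lines) and both sample contexts are constructed for the example; the Maven-side values for sonar.java.jdkHome, sonar.java.source and sonar.sources are assumed, not taken from the thread.

```python
"""Diff two SonarQube Scanner Context dumps to spot configuration drift.
Added example, not from the thread; assumes 'Section:' headers then '- key=value' lines."""
import re

# Constructed sample: roughly what a Scanner for Maven task might report.
MAVEN_CONTEXT = """\
Project scanner properties:
  - sonar.host.url=https://localhost:9000
  - sonar.java.jdkHome=/opt/java/openjdk
  - sonar.java.source=21
  - sonar.sources=pom.xml,src/main/java
  - sonar.java.binaries=target/classes
"""

# Constructed sample: the same project scanned with SonarScanner CLI.
CLI_CONTEXT = """\
Project scanner properties:
  - sonar.host.url=https://localhost:9000
  - sonar.sources=pom.xml,src/main,src/test
  - sonar.java.binaries=target/classes
  - sonar.exclusions=**/*.js,**/*.css,**/*.scss,**/*.html
"""

PROP_RE = re.compile(r"^\s*-\s*([^=]+?)=(.*)$")  # "  - key=value"


def parse_scanner_context(text):
    """Return {section: {key: value}} parsed from a Scanner Context dump."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.endswith(":") and not line[:1].isspace():
            current = line[:-1]  # section header, e.g. "Project scanner properties"
            sections[current] = {}
        elif current is not None and (m := PROP_RE.match(line)):
            sections[current][m.group(1).strip()] = m.group(2).strip()
    return sections


def diff_contexts(before, after, section="Project scanner properties"):
    """Return (only_in_before, only_in_after, changed) for one section."""
    a = parse_scanner_context(before).get(section, {})
    b = parse_scanner_context(after).get(section, {})
    changed = {k: (a[k], b[k]) for k in sorted(a.keys() & b.keys()) if a[k] != b[k]}
    return sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys()), changed


if __name__ == "__main__":
    gone, new, changed = diff_contexts(MAVEN_CONTEXT, CLI_CONTEXT)
    print("only in Maven run:", gone)  # properties the CLI run never received
    print("only in CLI run:", new)
    print("changed values:", changed)
```

Properties listed as "only in Maven run" are the first candidates to pass explicitly via additional_properties in the CLI job.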