Correct value for sonar.java.libraries when libraries are bundled with Spring Boot Application in 1 jar

Hello community,

I’m fairly new to SonarQube and this is probably an absolutely easy question.

In all our projects we have these warnings:

Dependencies/libraries were not provided for analysis of SOURCE files. The ‘sonar.java.libraries’ property is empty. Verify your configuration, as you might end up with less precise results.

We have mainly Spring Boot applications, which are built in our pipelines with Gradle into one big jar file that contains all libraries inside the inner folder \BOOT-INF\lib\.

To suppress the message, I’m just setting sonar.java.libraries to the artifact folder where the jar file of the project lies. But is this a correct setup, or does that prevent our libraries from getting scanned by SonarQube? How do I find the right value?

KR Simon

Hey there.

Ideally, you shouldn’t have to set these manually at all! You’ll use a scanner like the SonarScanner for Maven or SonarScanner for Gradle.

Have you tried using one of these scanners?

Hi Colin,

Thanks for your answer. Yes, we are using SonarScanner for Gradle and it is configured exactly as advised in link no. 2.

KR Simon