Regarding the documentation sonar-java/CUSTOM_RULES_101.md at master · SonarSource/sonar-java · GitHub
and as explained in the topic Unable to use JUtils in Java custom urles - #7 by HAYOUNGCHOI,
we can’t add an external Maven dependency.
Another solution is to reimplement or copy-paste the external library code in the custom plugin.
But, for example, I want to use the class “com.google.re2j.Pattern” instead of “java.util.regex.Pattern” because of a security error raised in our SonarCloud instance (error “Make sure the regex used here, which is vulnerable to polynomial runtime due to backtracking, cannot lead to denial of service.” when “java.util.regex.Pattern.compile(…)”).
I can’t copy-paste the “com.google.re2j.Pattern.compile(…)” code because it’s too big and uses a lot of internal classes.
I want to add the “com.google.re2j:re2j” Maven dependency to use it at runtime, but when I do, I get a ClassNotFoundError when SonarQube starts. Thus, SonarQube crashes on startup and stops.
Thank you for the answer … but I’m not sure I understand.
This problem is raised on our SonarCloud.io instance (please see attached file).
One way to correct this problem is to use an external library instead of the native Pattern class.
Anyway, my problem is one example among others.
Is there a solution to use external libraries when developing a plugin for SonarQube?
Yes, why not use a “fat jar” including all JAR files: it’s an idea.
But I’m quite surprised I have to do it. I don’t understand why a “common way of handling dependencies” is not possible for SonarQube plugin development. Do you have pointers to SonarQube plugin development documentation stating that external dependencies are not allowed, and the technical reason?
Hi @ganncamp
Thank you, I already know this doc and unfortunately it has no additional information about my problem.
I will try “maven-shade-plugin” as mentioned in the doc … I think it should be OK with that.
I will give you feedback when I have finished trying this option.
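
One way to bundle re2j into the plugin JAR with maven-shade-plugin, the option mentioned above (an added example, not taken from the thread or from SonarSource documentation). The version properties and the relocated package name `org.example.shaded.re2j` are assumptions to adapt to your build.

```xml
<!-- pom.xml fragment (constructed example) -->
<dependencies>
  <dependency>
    <groupId>com.google.re2j</groupId>
    <artifactId>re2j</artifactId>
    <!-- placeholder property: pin to the release you have vetted -->
    <version>${re2j.version}</version>
    <!-- default (compile) scope, so the classes are available to shade -->
  </dependency>
</dependencies>

<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-shade-plugin</artifactId>
      <version>${maven-shade-plugin.version}</version> <!-- placeholder property -->
      <executions>
        <execution>
          <phase>package</phase>
          <goals><goal>shade</goal></goals>
          <configuration>
            <!-- Bundle only re2j; nothing else is pulled into the plugin JAR -->
            <artifactSet>
              <includes>
                <include>com.google.re2j:re2j</include>
              </includes>
            </artifactSet>
            <!-- Relocate so the bundled copy cannot clash with another
                 copy of re2j on the classpath (assumed package name) -->
            <relocations>
              <relocation>
                <pattern>com.google.re2j</pattern>
                <shadedPattern>org.example.shaded.re2j</shadedPattern>
              </relocation>
            </relocations>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Before deploying, list the built JAR (`jar tf target/<your-plugin>.jar`) and confirm the relocated re2j classes are present, since a missing class only shows up when the plugin is loaded.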