Difference between "sonarscanner" and "scanner for maven"

Hi all,

I have a Java project named “Advertisement” that has 227K LoC. On the same branch, when I scan this project with sonarscanner I get 71 Bugs and 3917 Code Smells. I get a different number of Bugs and Code Smells when I scan with mvn: 76 Bugs and 3906 Code Smells. What is the difference?

For example, I have a Java file named TestDataMapper.java; it has zero Bugs and 2 Code Smells when I use mvn. The same Java file has 4 Bugs and 8 Code Smells when I use sonarscanner. The 4 bugs are related to the rule “Math operands should be cast before assignment” (squid:S2184), but they are shown only with sonarscanner, not with mvn. The Code Smells are mostly (6/8) related to the rule “Generic exceptions should never be thrown” (squid:S00112); the same as with the bugs, they are not shown with mvn.

I run mvn like below, at the path where parent-pom.xml is:
mvn clean compile sonar:sonar -Dmaven.test.skip=true -Dsonar.projectKey=advertisement -Dsonar.branch.name={branch_name_1} -Dsonar.host.url={url_to_sonar} -Dsonar.login={login_credential}

I run sonarscanner like below, at the root path of the project:
/opt/data/sonar-scanner- -Dsonar.projectKey=advertisement -Dsonar.branch.name={branch_name_1} -Dsonar.java.binaries={project_binaries}

Linux Debian 4.9.189-3
SonarQube Developer Edition
Postgresql 11.6
Apache Maven 3.6.3
SonarJava 5.14 (build 18788)
SonarJS 6.1 (build 11503)


Welcome to the community

The difference here is probably the libraries. Your project is evidently built with Maven, so the Maven analysis is able to read your pom file to understand where the relevant libraries are & include those references in the analysis. This leads to a deeper, more accurate analysis with fewer false positives and false negatives. Without looking deeply into it, I suspect all the differences you’re seeing can be chalked up to that.
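The reply above attributes the gap to library context: the Maven scanner resolves dependency jars from the pom, while the standalone sonar-scanner command shown in the question only receives sonar.java.binaries. The script below, added here and not part of the original thread, shows one way to give the standalone scanner the same information by resolving the classpath with Maven's dependency:build-classpath goal and passing it through the documented sonar.java.libraries property. It assumes the compiled classes live under target/classes, that sonar-scanner is on PATH, and that the server URL and token are supplied via the SONAR_HOST_URL and SONAR_TOKEN environment variables (all of these are assumptions, not values from the thread).

```shell
#!/bin/sh
# Added example, not from the original thread: feed the standalone
# sonar-scanner the same dependency jars the Maven scanner finds through
# the pom, using the sonar.java.libraries property.
# Assumptions: maven-dependency-plugin's build-classpath goal is usable,
# compiled classes are under target/classes, sonar-scanner is on PATH,
# and SONAR_HOST_URL / SONAR_TOKEN are set in the environment.

# Convert a Maven classpath string (':'-separated on Linux) into the
# comma-separated list that sonar.java.libraries expects. Pure string
# work, so it can be exercised without Maven installed.
classpath_to_sonar_libs() {
    printf '%s' "$1" | tr ':' ','
}

# Count the jar entries in a classpath string; used as a sanity check so
# an analysis is never launched with an empty library list by mistake.
count_libs() {
    printf '%s' "$1" | tr ':' '\n' | grep -c '\.jar$'
}

# Resolve the dependency classpath with Maven, then run sonar-scanner
# with both binaries and libraries set.
run_scan() {
    cp_file="target/sonar-classpath.txt"
    mvn -q dependency:build-classpath -Dmdep.outputFile="$cp_file"
    cp_raw=$(cat "$cp_file")
    if [ "$(count_libs "$cp_raw")" -eq 0 ]; then
        echo "no dependency jars resolved; analysis would lack library context" >&2
        return 1
    fi
    sonar-scanner \
        -Dsonar.projectKey=advertisement \
        -Dsonar.java.binaries=target/classes \
        -Dsonar.java.libraries="$(classpath_to_sonar_libs "$cp_raw")" \
        -Dsonar.host.url="${SONAR_HOST_URL:?SONAR_HOST_URL is required}" \
        -Dsonar.login="${SONAR_TOKEN:?SONAR_TOKEN is required}"
}

# Only launch the real analysis when explicitly requested, so the helper
# functions can be sourced or checked on a machine without Maven.
if [ "${RUN_SONAR_SCAN:-0}" = "1" ]; then
    run_scan
fi
```

Run it from the project root with RUN_SONAR_SCAN=1 after a build that populated target/classes. If the two analyses still disagree after libraries are supplied, compare the scanner log lines that report the Java classpath on both sides; the remaining differences are then something other than library resolution.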
