Differences sonar-scanner-cli container and Maven plugin

Hi,
we changed sonar scanner execution from maven plugin:

<plugin>
  <groupId>org.sonarsource.scanner.maven</groupId>
  <artifactId>sonar-maven-plugin</artifactId>
  <version>3.9.1.2184</version>
</plugin>

to container sonarsource/sonar-scanner-cli:5

Container and plugin runs make use of our custom quality-gates and rules, but differ in results. In detail:

  • ‘Remove usage of generic wildcard type. [java:S1452]’
  • ‘Make the enclosing method “static” or remove this set. [java:2696]’

are not found by the container run. There are also some other differences. Both runs were executed with the same properties.
The SonarLint IntelliJ plugin has the same results as the Maven plugin run. Both runs analyze all files (other smells were found by both analyzers).

Does anybody else face these inconsistencies?

Hey there.

What version of SonarQube are you using?

And, you should always prefer using the Scanner for Maven for more accurate results.

Hello Colin,
thanks for your reply. We use SonarQube 10.1.0.73491.
Companies in medical device sector do not like phrases like ‘more accurate’ :wink:
Does the scanner included in the Maven plugin deliver correct results?

All analysis tools will come with false-positives / false-negatives. No analysis tool is perfect.

The Scanner for Maven configures your analysis in a way that minimizes the chance of inaccurate results as the result of error-prone manual configuration.
