Does analysing using "sonar scanner for maven" give better results than running the "sonarscanner"?

Setup details:
SonarQube version: 9.9
SonarScanner version: 4.8.0.2856
SonarQube deployment: Helm

What am I trying to achieve ?
We are creating a CI pipeline using GitHub Actions. This pipeline has SonarQube integrated into it and performs scans using SonarScanner on various projects(Java, .NET etc). It is not possible to make changes to the project code every time to integrate SonarScanner into the build configuration such as pom.xml or settings.xml for a Maven project and similarly for a .NET project.

Instead of using the SonarScanner for Maven or SonarScanner for .NET we want to simply run SonarScanner in GitHub Action from the root directory of any project being built and use a configuration file to point to the SonarQube instance running.

It has been recommended in the Sonar docs that we use SonarScanner for maven and .NET by configuring the project build files.

What have I tried ?

  • Setup independent SonarScanner locally and compared analysis with SonarScanner for maven.
  • Found that we can overwrite build configuration for projects using a custom configuration file to enable using maven and .NET specific SonarScanners. Workaround but not the ideal way we would like to do this.

The marked thread is from May 2020. Not sure if it is still relevant. And if it is, then is there a way to improve false positive and false negative detection by providing configuration that is available to the maven sonarscanner ?

Hi,

For .NET analysis, you must use the SonarScanner for .NET. For Maven analysis, you should use the SoanrScanner for Maven.

But don’t worry, generally speaking, neither should require you to alter project files. Just add the analysis commands to your pipelines. If you really must override values detected automatically from the environment by either of these scanners, then you can do it on the analysis command lines. The docs^ give the details.

 
HTH,
Ann