When running Maven with the sonar scanner plugin, does it have to be actively building (compiling) in order to get correct interprocedural analysis?
I did an analysis with the command line
mvn clean package sonar:sonar '-Dsonar.projectKey= …
using a new key to get a clean start. This is with Maven 3.6 using sonar-maven-plugin:3.5.0.1254 and connecting to a SonarQube 8.6.0 server.
After both the local scan (Maven side) and remote analysis (SQ server side) are done, I download some issues. In particular, I download all the instances of issue java:S2111, which flags calls to BigDecimal(double) (calling the constructor with a double parameter). All have status OPEN.
Then I run again, using just
mvn sonar:sonar '-Dsonar.projectKey= …
That is, I’ve already compiled the code (all the .class files are still there), so I just want to scan the code again. (In real use, this might be because of a change to a Quality Profile.)
When everything is done the second time, I find that many of the instances of java:S2111 have been closed. It turns out that all of the closed issues are calls to BigDouble() with a parameter which is double in another file (i.e., not a double literal or local variable).
It seems that having the .class files present isn’t sufficient for interprocedural analayis (in this case, detecting that the parameter is, in fact, a double); I have to be actively compiling as part of THAT Maven build. Is this correct?