External jar files ignored by Sonar Scanner

Hi,

SonarQube: Community Edition v9.2.4.50792.
SonarScanner: 4.6.2.2472
Note: I am not using Maven or any other build tool.

I have a Java project which references a number of external libraries. The external libraries are stored as .jar files and contain only the .class files, not the source code.

Is it possible for the SonarScanner to scan these external libraries using only the .class files or would it be necessary to also provide the corresponding .java files?

I had thought it might be possible given that there is a sonar.java.libraries property which can be set for the scan, however I’ve been unable to get this to work. It seems like SonarScanner is finding the files as I can see the line below in the debug output:

14:29:40.065 DEBUG: Property ‘sonar.java.libraries’ resolved with:

However when I check the scan results on the SonarQube Web UI I can’t see any indication that the external library code is being scanned.

Do you know why this is? Let me know if you need further information.
Thanks

Hi,

Welcome to the community!

You need to provide both source and class files for analysis. Additionally, analysis won’t crack open your jar files even if you point directly at them with sonar.sources &etc. Assuming your jar contains both types of files, you would need to explode the zip first.

The libraries parameter you noted is for just that - providing the libraries needed to fully understand the source & class files under analysis.

HTH,
Ann
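To make the distinction in the answer concrete, here is an added example (not from the thread or from SonarSource) of a POSIX shell helper that writes a sonar-project.properties separating the two roles: your own sources and compiled classes go to sonar.sources and sonar.java.binaries, while the class-only third-party jars are listed in sonar.java.libraries so the analyzer can resolve the types your code uses. The directory layout (src/, build/classes/, lib/*.jar) and the project key are assumptions.

```shell
#!/bin/sh
# Added example; assumes a plain (no build tool) layout:
#   src/            your .java files         -> sonar.sources
#   build/classes/  your compiled .class     -> sonar.java.binaries
#   lib/*.jar       third-party, class-only  -> sonar.java.libraries
# The jars in lib/ are NOT analyzed; they only give the analyzer the
# types it needs to understand the code under sonar.sources.

write_sonar_props() {
  project_key="$1"; out="$2"; libdir="$3"
  # Build the comma-separated jar list that sonar.java.libraries expects.
  libs=""
  for jar in "$libdir"/*.jar; do
    [ -f "$jar" ] || continue
    libs="${libs:+$libs,}$jar"
  done
  {
    echo "sonar.projectKey=$project_key"
    echo "sonar.sources=src"
    echo "sonar.java.binaries=build/classes"
    echo "sonar.java.libraries=$libs"
  } > "$out"
}

# Only for a jar that really ships .java and .class files: pointing
# sonar.sources at the jar itself does nothing, so unpack it first and
# point sonar.sources / sonar.java.binaries at the unpacked tree.
explode_jar() {
  jar="$1"; dest="$2"
  mkdir -p "$dest" && unzip -q "$jar" -d "$dest"
}

# Usage (constructed): write_sonar_props demo sonar-project.properties lib
```

After generating the file, run sonar-scanner from the project root as usual; the scan results will cover src/ only, which is the expected behaviour.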
