How to scan JS files which are not being compiled with Maven

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension) - Community Edition Version 9.4 (build 54424)
  • what are you trying to achieve - JS files are not being scanned
  • what have you tried so far to achieve this - Compiled the code and tried the scan with SonarQube. Only Java files are scanned but not JS.

Need guidance on analyzing all files (Java and JS) available in a git repo.

Hey there.

You can update <sonar.sources> in your pom.xml to include other directories (it defaults to src/main/java). You can include multiple, comma separated directories.
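As an added illustration (not part of the original thread or of SonarQube itself), the Python sketch below reads `sonar.sources` from a pom.xml and lists the repository files that fall outside the configured source directories. The sample POMs and file paths are constructed, and it assumes a single-module project with paths relative to the pom.xml and no Maven property interpolation.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Default source paths, as they appear in the scanner log quoted in this thread.
DEFAULT_SOURCES = ["pom.xml", "src/main/java"]

def sonar_sources(pom_xml):
    """Return the comma-separated sonar.sources entries, or the default."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():
        # Drop the Maven XML namespace, if present, before comparing tag names.
        # Simplification: the first sonar.sources element found anywhere wins.
        if el.tag.rsplit("}", 1)[-1] == "sonar.sources" and el.text:
            return [p.strip().rstrip("/") for p in el.text.split(",") if p.strip()]
    return list(DEFAULT_SOURCES)

def is_covered(path, sources):
    """True if path equals a source entry or lies below a source directory."""
    p = PurePosixPath(path)
    return any(p == PurePosixPath(s) or PurePosixPath(s) in p.parents
               for s in sources)

def unindexed(pom_xml, repo_files):
    """Files that the configured source paths would leave out of the analysis."""
    sources = sonar_sources(pom_xml)
    return sorted(f for f in repo_files if not is_covered(f, sources))

# Constructed sample input: a POM without sonar.sources and one that sets it.
POM_DEFAULT = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
</project>"""

POM_FIXED = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <sonar.sources>pom.xml,src/main/java,src/js</sonar.sources>
  </properties>
</project>"""

REPO_FILES = [
    "pom.xml",
    "src/main/java/com/example/App.java",
    "src/js/app/login.js",
    "src/jsx/widget.js",   # sibling directory, not below src/js
]

if __name__ == "__main__":
    print("default :", unindexed(POM_DEFAULT, REPO_FILES))
    print("adjusted:", unindexed(POM_FIXED, REPO_FILES))
```
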

Currently I am using the below goals in Maven for Sonar analysis.

mvn -Pbootstrap clean install sonar:sonar

Please confirm if the below tag to be added to file.


This would be added instead of your Maven pom.xml file, either at the root or for a specific project (if only one project contains Javascript files, for example).

@Colin - Thank you Colin for the prompt response, but unfortunately the suggested solution didn’t work.

I have added the below properties to the pom.

Any other alternate option?

  • <sonar.sources>src/js</sonar.sources>

As per Analysis JavaScript and Java in one project - #2 by TomVanBraband

It’s probably best if you share the logs from an analysis (mvn sonar:sonar) where you’ve made the adjustment, as well as the pom.xml that you adjusted.

Looks like I found the root cause.
I used Sonar Secret plugins for free text password but now they are not compatible with Java 11.

Can Sonar Community edition scan and report free text passwords from JS files?

Hey there.

I’m not sure I understand – what plugin were you using, and where was it installed?

Hi @Colin -
I have used Sonar Secret plugins - GitHub - Skyscanner/sonar-secrets: SonarQube plugin for identifying hardcoded secrets, such as passwords, API keys, AWS credentials, etc. - in Java 8 (Sonar Community edition 8.8 (build 42792)).
Now I am on Community Edition Version 9.4 (build 54424).
Somehow JS files are being ignored even with the pom change.

Okay. As mentioned before:

Hi @Colin -
Please find the attached Jenkins console output.

/tools/devutils/apache-maven-3.3.3/bin/mvn -f FTS-GUISVR/pom_sonar.xml -DSOURCE_GIT_COMMIT=a45fg6rd66955b987345dsews474edc5bf3b871d -DJAVA_HOME=/opt/java8jdk/bin -s /tools/devutils/sonar_config/maven-3.3.3/settings_sonar_222h.xml -U -e -Pbootstrap clean install org.sonarsource.scanner.maven:sonar-maven-plugin: -Dgjslint=true -Denv.RELEASE=22.2h

ConsoleLog.txt (120.0 KB)

Hi @Colin -
Could you please check the earlier comments and suggest?

Thank you.

All of the source paths still read Source paths: pom.xml, src/main/java or Source paths: pom.xml, so it looks like any changes you’ve made haven’t taken effect.

Which is why this information was requested earlier:

Hi @Colin
After the Git clone, I copied the WS related files to the parent folder and triggered the scan.
I have attached the Jenkins job log.

Thank you.
ConsoleLog.txt (120.0 KB)

Hey @satyanarayanm

I’ve asked you to share your pom.xml file twice, and you keep providing other information. Can you share the pom.xml file where you made the adjustments to sonar.sources?

Hi @Colin
PFA pom file.
The below changes were added to copy the WS folders to the parent folder.

    </plugin> (3.2 KB)

I don’t see any changes like this

Hi @Colin
Even though we have not added Sonar Source (src/java) to the POM, do we need to specify src/js explicitly?
Can this be added to
In case similar issue is reported for other file types, it will be easier to manage from
Please confirm.

In case it is not possible have the tag in file, could you please let me know where to add this tag in POM file?

Thank you

You cannot use a file with the Scanner for Maven.

src/main/java is a default value – you will need to adjust sonar.sources to include other directories.

And an example was shown in the very first reply to this thread: