Importing third-party issues not working

Sonar Server 10.5 on Docker
Sonar Scanner 5.0.1

We are trying to import PMD results for Apex scan into Sonarqube but it seems the results are not being imported into Sonar server.

There is not errors in the log:

15:58:30.371 INFO: Sensor Import of PMD issues [sonarapex]
15:58:30.374 INFO: Importing /mnt/c/salesforce-poc/CodeAnalyzerPmdAppExchange.xml
15:58:30.434 INFO: Sensor Import of PMD issues [sonarapex] (done) | time=63ms

this is a snapshot of the PMD report, not sure if the report is not in the right format, but it looks ok for me:

<results total="58" totalViolations="79">

      <result file="force-app\main\default\classes\Controller.cls" engine="pmd-appexchange">
          <violation severity="3" line="118" column="52" endLine="118" endColumn="76" rule="AvoidHardcodedCredentials" category="AppExchange Security Review" url="">Remove hard-coded credentials from source code.</violation>


Welcome to the community!

Can you add -Dsonar.verbose=true to your analysis command line? That may give us more details about what’s happening here.

BTW, the most common reason for this sort of thing is a mismatch between the paths in your report and the file paths analysis sees.


Hey Ann,

thanks for the update. Initially I did not get what you meant by “mismatch between the paths in your report and the file paths analysis sees”, but while I investigated it further I noticed the PMD report has a reference for the file path like:
<file name="C:\repos\salesforce-poc\force-app\main\default\classes\CalculateCaseDate.cls">
and it seems to be used as a key to correlate the PMD violations with the Sonar Issues.

When I changed that to match what we have in sonar server salesforce-poc/force-app/main/default/classes/CalculateCaseDate.cls, then the issue was correctly linked to the file in Sonar Server and we could see the PMD violations too.

Another problem I noticed, we were using the PMD report generated by sfdx-scanner and that seems not to be in the same format used by PMD itself and I suppose, expected by Sonar.

So I can confirm that using the report generated by PMD itself and ensuring the ‘file name’ tag in the report matches the path in Sonar Server, the import works fine.

I will investigate further to see if sfdx-scanner could possibly generate a report preserving the PMD format as that would be preferable in our use case.


1 Like

Just for the records, sfdx-scanner can export the scan results in sarif format:

sf scanner run --engine pmd-appexchange --format sarif --outfile CodeAnalyzerPmdAppExchange.sarif .....

then you can use sonar.sarifReportPaths instead of sonar.apex.pmd.reportPaths to import the PMD results into Sonar server.

1 Like