Hi, we are trying to create some custom rules for Sonar 8.9 LTS around accessibility.
We’ve just noticed the provided sources are very incomplete :
https://repo1.maven.org/maven2/org/sonarsource/java/sonar-java-plugin/184.108.40.206025/sonar-java-plugin-220.127.116.11025-sources.jar (~25 ko)
https://github.com/SonarSource/sonar-java/archive/refs/tags/18.104.22.168025.zip (~8 Mo)
Maybe some packaging issue ? It would be nice to have the right sources provided in Maven Central to avoid the need of manual binding. I guess, you may not fix already published sources, but it would be useful for future versions anyway.
Hey @Tristan107 ,
There is nothing missing in the sources
sonar-java-plugin. All the code related to this module is present in the
However, when you look at the dependencies of this jar, you will see that it has multiple compile dependencies, for instance, these ones (not exhaustive list):
org.sonarsource.java >> java-frontend
org.sonarsource.java >> java-checks
org.sonarsource.java >> external-reports
This can be seen in the maven central view, here:
We publish independently the sources of each of these modules, for all our versions. You should be able to access their sources from there.
Hope this helps,
Thanks for your answer.
The thing is these modules are not just dependencies (which would be automatically detected by any IDE), the produced classes are embedded in sonar-java-plugin. Like org.sonar.plugins.java.api.tree.Tree from java-frontend which is directly in sonar-java-plugin-*.jar
So maybe downloading the full sources manually from github was the best way to go for this kind of packaging to be able to bind sources to code (the longer method would be to explicitely declare a compile dependency to all modules, then manually bind all not found classes). It’s not a difficult thing, it’s just surprising when u can see no source when Ctrl-clicking common classes in an open source library, maybe it could be documented in the quite good 101 doc.