Launching maven plugin separately

Hi,

I am experimenting with Sonarcloud for our open source Leshan project. This is a Java/Maven project.
Here is the current topic about that.
Here is the sonarcloud page.
(sorry I repeat this information all time but this is to give some context and also to make each topic self-contained)

We currently use Automatic Analysis, but I learned about/tried using the CI-based Analysis with the corresponding maven plugin.

Reading the "Invoking the goal" chapter:

When invoking the SonarScanner goal it is recommended that you do it as part of a single maven command in line with the other goals needed for the build. For example:

mvn verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
  -Dsonar.organization=<your organization key> \
  -Dsonar.projectKey=<your project key>

where the org.sonarsource.scanner.maven:sonar-maven-plugin:sonar goal follows the verify goal.

This is in contrast to invoking org.sonarsource.scanner.maven:sonar-maven-plugin:sonar in a dedicated mvn invocation. For example:

mvn clean install
mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
  -Dsonar.organization=<your organization key> \
  -Dsonar.projectKey=<your project key>

The advantage with the first technique is that the SonarScanner has access to the full build context and can therefore make a more thorough analysis. For this reason, the first technique is preferred.

That doesn't fit our current CI configuration at all, at least for PRs.
We currently run each maven goal separately.
Why do we do that?
Because:

  • this allows us to generate a custom private comment for each goal.
  • this allows us to continue executing some goals even if one not critical one failed.

You can see our main workflow executed on PRs here, and the actions called and the comments generated in case of failure are available here.

To better understand, some examples:

  • if the formatting check fails, we create a comment but we continue to build.
  • if compile fails, we do not try to test.
  • if compile succeeds, we execute unit tests, but if unit tests fail, we execute the integration tests anyway.

So "execute sonar goal as part of a single maven command in line with the other goals needed for the build" is very restrictive for us. So concretely, what do we lose if we do something like:

mvn clean install
mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
  -Dsonar.organization=<your organization key> \
  -Dsonar.projectKey=<your project key>
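A GitHub Actions workflow in the shape the post describes, added here as an example (it is not Leshan's actual workflow): one Maven goal per step, a formatting failure that only comments, a compile failure that stops everything, and the sonar goal in its own invocation. It assumes a Spotless `spotless:check` formatter goal, Surefire/Failsafe for unit and integration tests, Java 17, and a `SONAR_TOKEN` repository secret.

```yaml
# Added example, not Leshan's workflow. <...> values are placeholders.
name: pr-checks
on: pull_request
permissions:
  contents: read
  pull-requests: write            # only the comment step needs this
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # full history, so Sonar can tell new code from old
      - uses: actions/setup-java@v4
        with: { distribution: temurin, java-version: '17' }
      # Formatting: a failure is commented on but does not stop the build.
      - id: format
        run: mvn -B spotless:check          # assumed formatter goal
        continue-on-error: true
      - if: steps.format.outcome == 'failure'
        uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.createComment({
              ...context.repo, issue_number: context.issue.number,
              body: 'Formatting check failed; run the formatter and push again.',
            });
      # Compile: no continue-on-error, so a failure ends the job and nothing
      # below (tests, Sonar) runs.
      - id: compile
        run: mvn -B package -DskipTests     # compile and package, no tests yet
      # Unit tests may fail without blocking the integration tests.
      - id: unit
        run: mvn -B surefire:test
        continue-on-error: true
      - id: integration
        run: mvn -B failsafe:integration-test failsafe:verify
        continue-on-error: true
      # Dedicated Sonar invocation (the docs' second form). It reads the classes
      # and test reports left in target/ by the steps above. The token stays a
      # secret, and the step is skipped for PRs from forks, which cannot read it.
      - id: sonar
        if: ${{ !github.event.pull_request.head.repo.fork }}
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: >
          mvn -B org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
          -Dsonar.organization=<your organization key>
          -Dsonar.projectKey=<your project key>
```

Because the scanner only sees what the earlier steps left in target/, any goal skipped or failed before it is also invisible to the analysis, which is the loss of build context the documentation warns about.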

Hi,

Why would you do that? For instance, if the build fails, what possible point could there be in running install? There’s nothing to install.

Ann

Sorry that was a typo.
I wanted to write “if not critical one failed”.

And this is not the only reason we do that, so even if the first was strange to you, maybe the second makes more sense? "this allows us to generate a custom private comment for each goal."

If you want to better understand our use case, take a look at the code I shared.
I also explained some examples in my previous comment…

Ideally, I understand I should do a full build (even tests) before the sonar goal.

What concretely do I lose if I don't do that?
If I cannot follow that recommendation, will I have worse results than automatic mode? :person_shrugging:

Hi,

Well, I saw this, but I didn’t see any comments, as such, in the files you pointed to. Is this about the descriptions you’re using?

I’m trying to get details on this. What I’ve gotten so far is that each Maven run is stateless and if you’re using plugins that affect the build & not running those plugins again for the analysis, you could end up missing critical data that analysis needs to be fully accurate.

HTH,
Ann

This is the link:

and comment generated in cases of failure are available here

Each folder (except util) is a "sub task" of the main workflow. It contains the GitHub action to execute and the comment to push in case of failure.

You can look at the "formatter", "build" or "integrationtests" folder to get an idea.

Thx :folded_hands:

Hi,

I’m not coming up with any more detail on this.

I think your best course forward is to run analysis each way and compare the results to see if what you get from isolating the steps is acceptable to you.

HTH,
Ann

Thx a lot for taking the time to try to get that information. :folded_hands:
I will continue with Automatic Mode, and if I decide to invest more time in SAST later, I will rather go for a simpler, fully open source and locally executed solution like :

Thx again for your time, I really appreciated it :folded_hands: