Our project is using SpringBoot and also Lombok. The SonarQube scan is triggered by the synopsis GitHub Action (sonarsource/sonarqube-scan-action@master).
After the scan we had many major issues in SQ like ‘Remove this unused “errorMessage” private field’. We learned that this is caused because SQ does not find the Lombok library so we had to set the sonar.java.libraries property.
We tried to set sonar.java.libraries property to the path to Lombok library in the maven repository:
This did not work, we got the following error:
ERROR: Error during SonarScanner execution
java.lang.IllegalStateException: No files nor directories matching ‘/home/runner/.m2/repository/org/projectlombok/lombok/1.18.28/lombok-1.18.28.jar’
at org.sonar.java.classpath.AbstractClasspath.getFilesFromProperty(AbstractClasspath.java:128)
We tried different variations with ** and *, nothing worked. We checked the path for typos, it is correct (we see the jar with ls).
The Lombok library was only found when we copied the lombok.jar to a subdirectory under the target folder:
Here are the versions we are using:
INFO: Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
28INFO: Project root configuration file: NONE
29INFO: SonarScanner 5.0.1.3006
30INFO: Java 17.0.8 Alpine (64-bit)
31INFO: Linux 5.19.0-41-generic amd64
32INFO: User cache: /opt/sonar-scanner/.sonar/cache
33INFO: Analyzing on SonarQube server 9.9.1.69595
Is there a way to use the lombok.jar from the maven repository? What are the possible values for sonar.java.libraries? Only folders under target?
Hello Ann,
We are aware of the solution using the maven plugin for SonarQube, a neighbor project also uses this solution. However for our project it was decided to build the CI/CE pipeline with github actions that can be re-used by other projects too. So the workaround for lombok (copying the jar from maven repository to a folder under target) currently hinders the reusability of our shared workflows.
Is there a way to make the discovery of the libraries work in the SonarQube github action similar to the SonarQube maven plugin?
The SonarScanner for Maven and the SonarScanner for Gradle are provided to integrate into your build environment and reuse its information. If you choose not to use them, you’re on your own for providing correct configuration.
Hello Ann,
We understand that if the parameter sonar.java.libraries is set automatically everything works. However the parameter can also be set manually, so we are just trying to understand what are the possible values that SonarQube can use and understand: clearly the given paths must exist, and contain valid jar files. Are there any other constraints? Can we just pass any folder for instance from a harddrive or it just to be a subfolder of the analyzed project (target)?
Thank you
Tiberiu
A thousand years ago when I analyzed via an Ant script, I believe I iterated the directories and passed a value that was a complete, comma-delimited list of all jar paths.
Comma-separated paths to files with third-party libraries (JAR or Zip files) used by your project. Wildcards can be used: sonar.java.libraries=path/to/Library.jar,directory/**/*.jar