Make pom.xml, *.gradle, package-json.lock part of sonar.sources

Hi there :wave:

I am investigating a convenient solution how to make pom.xml, *.gradle, package-json.lock part of sonar.sources.

Considering that there are multiple ways to configure the scanner context, which one would you use to reduce the configuration burden on each team?


We are working with OWASP dependency-check(-plugin) and here I just found this little reminder:

This plugin tries to add SonarQube issues to your project configuration files (e.g. pom.xml, *.gradle, package-json.lock). Please make sure, that these files are part of sonar.sources.

4sakeofbrevity: Consider me using up to date versions of $things (oh, nvm, edit: in SQ Server)


Hi Daniel,

If you’re looking for least burden across multiple teams/projects, you’d want to do this centrally.

Since you’ve cited Maven and Gradle, both with scanners that automatically define sonar.sources from the build context, probably the easiest thing to do is handle that in their central configs. I know that exists for Maven. TBH, I’m guessing about Gradle.

So for Maven, that would mean an entry in the global settings.
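As an added illustration of the Maven route described in the reply above (not the original poster's or the plugin's own configuration): a profile in the shared `settings.xml` that declares `sonar.sources` once for every build. The host URL is a placeholder, and the assumption (worth verifying on your own scanner version) is that an explicitly set `sonar.sources` replaces the list the scanner would otherwise derive from the build, so the normal source root has to be listed alongside `pom.xml`.

```xml
<!-- ~/.m2/settings.xml or the central settings.xml on the build agents -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <activeProfiles>
    <!-- activate the profile for every build without per-project changes -->
    <activeProfile>sonar</activeProfile>
  </activeProfiles>
  <profiles>
    <profile>
      <id>sonar</id>
      <properties>
        <!-- placeholder: replace with the real SonarQube server -->
        <sonar.host.url>https://sonarqube.example.internal</sonar.host.url>
        <!-- assumption: an explicit sonar.sources overrides the auto-detected
             source dirs, so keep src/main/java and add the build descriptor
             so dependency-check issues have a file to attach to -->
        <sonar.sources>src/main/java,pom.xml</sonar.sources>
      </properties>
    </profile>
  </profiles>
</settings>
```

A quick check after the next analysis is whether `pom.xml` appears in the project's Code view in SonarQube; if it does not, the module's `sonar.sources` was overridden at project level.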