Maven Multi-Module Project: No files nor directories matching 'value' (sonar.java.libraries)

Versions

SonarQube: 7.5.0*
Sonar Maven Plugin: 3.9.1.2184

*I am aware much newer versions of SonarQube are available. Unfortunately I do not have the permissions necessary within my organization to perform the upgrade.

What am I trying to achieve

Our organization has defined a custom set of rules that teams must reference during their Sonar scans. A number of development teams use the multi-module Maven project composition for their applications. During the execution of the Sonar scan we are seeing errors in console output pointing to the sonar.java.libraries property. This example was used to generate the multi-module-project and test the scan.

Important
My team and I have developed a templated pipeline solution for Jenkins that’s used by many application development teams. We’re looking to identify a non-complicated and sustainable solution that works for all teams that have multi-module Maven projects.

Command

A custom rules jar is downloaded and exploded prior to executing the command below. CUSTOM_RULES is a folder located at the root of the workspace (alongside the parent pom.xml file) and it contains all libraries necessary to account for all custom rules during the Sonar scan. Other non-invasive custom properties are set in the actual command; they have no influence on how sonar.java.libraries is handled. However, those properties are omitted to keep the example simple.

Note
Tacking ${env.WORKSPACE} to the beginning of the sonar.java.libraries value (i.e., ${env.WORKSPACE}/CUSTOM_RULES/**/*.jar) does not make a difference, and produces the same errors.

mvn -B sonar:sonar -Dsonar.java.libraries=CUSTOM_RULES/**/*.jar

Console Output

[ERROR] Invalid value for sonar.java.libraries
[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.1.2184:sonar (default-cli) on project multi-module-project: No files nor directories matching 'CUSTOM_RULES/**/*.jar' -> [Help 1]

What have I tried so far to achieve this

Copying CUSTOM_RULES at the root of the workspace into each sub-module resolves the issue. A hacky (and less sustainable) approach for our templated pipeline solution would be to determine if the help:evaluate goal with project.modules as the expression returns an array of strings. If it does, we can perform the copy/paste operation into each string (representative of a module/folder).

On a related note… while Gradle is a completely different build tool, the Sonar Gradle plugin is able to handle similar use cases successfully for both single module and multi-module project compositions.

Are less complex options available?
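The copy-into-each-module workaround described in the post above, written as shell functions for a pipeline step. This is an added example, not code from the thread: it reads the `<module>` entries straight from each pom.xml instead of calling help:evaluate, it also descends into nested modules, and the function names are hypothetical.

```shell
# Added example, not code from the thread. Source these functions in a pipeline step.

# Print the <module> entries of one pom.xml, one per line.
# Assumption: modules are literal <module>name</module> elements; modules that
# come from profiles or property placeholders are not resolved.
pom_modules() {
  grep -o '<module>[^<]*</module>' "$1" |
    sed -e 's/<[^>]*>//g' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Print every module directory below $1, descending into nested aggregators.
list_module_dirs() {
  [ -f "$1/pom.xml" ] || return 0
  pom_modules "$1/pom.xml" | while IFS= read -r m; do
    [ -n "$m" ] && [ -f "$1/$m/pom.xml" ] || continue
    printf '%s\n' "$1/$m"
    list_module_dirs "$1/$m"
  done
}

# Copy $1/CUSTOM_RULES into each module so the relative value
# CUSTOM_RULES/**/*.jar matches in every module. Prints each staged directory.
stage_custom_rules() {
  [ -d "$1/CUSTOM_RULES" ] || { echo "missing $1/CUSTOM_RULES" >&2; return 1; }
  list_module_dirs "$1" | while IFS= read -r d; do
    rm -rf "$d/CUSTOM_RULES"          # drop a stale copy from an earlier build
    cp -R "$1/CUSTOM_RULES" "$d/CUSTOM_RULES"
    printf '%s\n' "$d"
  done
}

# Pipeline usage (WORKSPACE is the Jenkins workspace root):
#   stage_custom_rules "$WORKSPACE"
#   mvn -B sonar:sonar -Dsonar.java.libraries=CUSTOM_RULES/**/*.jar
```

The staged copies land inside the module source trees, so the pipeline should remove them or exclude them from version control after the scan.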

Hey there.

There’s unfortunately really no support we can provide in this community for a non-LTS version that was released in December 2018 (4.5 years ago). Using such an old version of SonarQube represents an operational and security risk to your organization, and you need to push your organization to upgrade as soon as possible.

What you’re trying to do also sounds… kind of weird (if you have custom rules deployed to your SonarQube server, why should those rules rely on any external dependencies that need to be passed to the scanner, rather than bundled in with the custom rules themselves?)

Do you manually pass in sonar.java.libraries there as well, or let all the information be picked up by the gradle scanner?

I understand and agree with your sentiments. I’ve relayed your insight regarding custom rules and external dependencies on to the group that develops and supports them.

Yes, sonar.java.libraries is manually passed on to Gradle, like so: gradlew sonarqube -Dsonar.java.libraries=CUSTOM_RULES/**/*.jar.

I would go ahead and check what values are actually making it to the scanner and compare between Gradle/Maven. You can find this in your project-level Administration > Background Tasks > [Analysis] > Scanner Context.