ALM Used : Bitbucket Cloud
CI system used : Bitbucket Cloud
Language used : Java 11
Build Tool : Gradle v6.0
Scanner command : As detailed in the documentation
Thats not very good at all. Sonar must run standalone without hindering our dev or build environments.
What you are suggesting is, we need to take time upgrading gradle (which involve resolving dependencies), roll it out to all devs as well as our pipelines.
Btw, one of your documentation suggested Gradle 5+ is enough which is incorrect as well then.
Can you please feed this back internally within your team and they must know we are not happy how java upgrades are being handled.
Would you mind pointing me to that so we can get it corrected?
How you run your build is your business, but from what I can tell, active support for Gradle 6 ended nearly 3 years ago, in April 2021, and critical bug / vulnerability fixes stopped almost a year ago.
On our side, our policy is to support the tool versions that are supported by their vendors.
I agree Gradle 6 support was ended. This is our build environment which requires changing.
But my argument is, Sonar shouldnt be banking on our build process to execute. Rather it must have a standalone way to execute and analyse our code.
I was hoping you would suggest Sonar scanner or Bitbucket pipeline Sonar scanner image. So my question is, will I be able to use Sonar scanner CLI or Bitbucket pipeline Sonar scanner image for our purpose? Just dont want to spend too much time on it and realising this is not for us.
Please let me know if one of them would work and we will assign it to someone to have a look.
The benefit of using the build-specific scanners is that they assemble most of the information needed for analysis for you from the environment. But at the end of the day, they’re wrappers around SonarScanner CLI.
So yes, you can do this manually. For the best analysis, you’ll need to make sure you provide all the relevant data for all the Java-specific properties.
