Problem to update sonarqube 9.x with maven jdk 1.8

Hi everyone,

I have Sonarqube Enterprise 8.9 and I have problems when I update to a new version 9.x. This is because my applications use Maven with JDK 1.8, and the Sonar update needs JDK 1.11, but my applications have problems with this version, and when I used it I could not run my jobs in GitLab.

Any suggestions?

Thanks a lot,

Susana

Hi,

We use Jenkins instead of GitLab; some legacy projects use JDK8 for their Maven build, whereas the Sonarqube scan must use JDK11.

But there’s a simple solution: just split your Maven CLI commands into two parts.

Part 1 for the build, in Jenkins pipeline syntax, i.e.

withMaven(jdk: 'openjdk-8', maven: '3.8.5', globalMavenSettingsConfig: '...') {
  genericSh("mvn ${mvnDebug ? '-X' : ''} -U ${mvnPomPath ? "-f \"$mvnPomPath\"" : ''} ${mvnProfile ? "-P $mvnProfile -DprofileIdEnabled=true" : ''} ${p.get('mvnClean')?.value ? 'clean' : ''} install -Dmaven.javadoc.failOnError=false -DskipITs=$skipIntegrationTests dependency:tree")
  if(p.junitTests) {
    junit allowEmptyResults: true, testResults: 'target/surefire-reports/*.xml'
  }
}

Part 2 for the sonar:sonar goal afterwards, i.e.

nodejs(configId: genericNpmSettings(), nodeJSInstallationName: 'nodejs-16') {
  withSonarQubeEnv(sonarenv) {
    withMaven(jdk: 'openjdk-11', maven: '3.8.5', globalMavenSettingsConfig: '...') {
      genericSh("mvn ${sonarDebug ? '-X' : ''} ${isDMZ ? mvnDMZparams : ''} sonar:sonar ${sqProjectVersion ? "-Dsonar.projectVersion=$sqProjectVersion" : ''} -Dsonar.branch.name=$BRANCH_NAME")
    }
  }
}

Note that nodejs is also needed for JavaScript and CSS analysis.

Gilbert

Thank you Gilbert, I appreciate your help. When you run the sonar scanner, what commands do you send? I tried with mvn sonar:sonar -Dsonar.scm.disabled=True and I get these errors:

[INFO] ------------------------------------------------------------------------
[INFO] Reactor Build Order:
[INFO]
[INFO] sri-recaudacion [pom]
[INFO] sri-recaudacion-modelo [jar]
[INFO] sri-recaudacion-cliente [ejb]
[INFO] sri-recaudacion-logica [ejb]
[INFO] sri-recaudacion-web [war]
[INFO] sri-recaudacion-generico [ear]
Downloading from Central: Maven Central Repository Search
Downloading from Central: Maven Central Repository Search
Downloading from Central: Maven Central Repository Search
Downloading from Central: Maven Central Repository Search
[WARNING] Checksum validation failed, expected <!-- but is 1311799e5472f837be1103e85a248ba457198186 from Central for Maven Central Repository Search
[WARNING] Checksum validation failed, expected <!-- but is 1311799e5472f837be1103e85a248ba457198186 from Central for Maven Central Repository Search
[WARNING] Checksum validation failed, expected <!-- but is 1311799e5472f837be1103e85a248ba457198186 from Central for Maven Central Repository Search
[WARNING] Checksum validation failed, expected <!-- but is 1311799e5472f837be1103e85a248ba457198186 from Central for Maven Central Repository Search
[WARNING] Could not validate integrity of download from Maven Central Repository Search Checksum validation failed, expected <!-- but is 1311799e5472f837be1103e85a248ba457198186
[WARNING] Could not validate integrity of download from Maven Central Repository Search Checksum validation failed, expected <!-- but is 1311799e5472f837be1103e85a248ba457198186
[WARNING] Could not validate integrity of download from Maven Central Repository Search Checksum validation failed, expected <!-- but is 1311799e5472f837be1103e85a248ba457198186
[WARNING] Could not validate integrity of download from Maven Central Repository Search Checksum validation failed, expected <!-- but is 1311799e5472f837be1103e85a248ba457198186
[WARNING] Checksum validation failed, expected <!-- but is 1311799e5472f837be1103e85a248ba457198186 from Central for Maven Central Repository Search
[WARNING] Checksum validation failed, expected <!-- but is 1311799e5472f837be1103e85a248ba457198186 from Central for Maven Central Repository Search
[WARNING] Checksum validation failed, expected <!-- but is 1311799e5472f837be1103e85a248ba457198186 from Central for Maven Central Repository Search
[WARNING] Checksum validation failed, expected <!-- but is 1311799e5472f837be1103e85a248ba457198186 from Central for Maven Central Repository Search
Downloaded from Central: Maven Central Repository Search (2.5 kB at 85 B/s)
Downloaded from Central: Maven Central Repository Search (2.5 kB at 85 B/s)
Downloaded from Central: Maven Central Repository Search (2.5 kB at 85 B/s)
Downloaded from Central: Maven Central Repository Search (2.5 kB at 85 B/s)
Downloading from Central: Maven Central Repository Search
[WARNING] Checksum validation failed, expected <!-- but is 1311799e5472f837be1103e85a248ba457198186 from Central for Maven Central Repository Search

Hi,

I’m using this Maven command for Sonarqube analysis:

mvn ${sonarDebug ? '-X' : ''} ${isDMZ ? mvnDMZparams : ''} sonar:sonar ${sqProjectVersion ? "-Dsonar.projectVersion=$sqProjectVersion" : ''} -Dsonar.branch.name=$BRANCH_NAME

This means:
use -X (set log level DEBUG) if property sonarDebug is set for the pipeline
use additional properties such as

-Dhttps.proxyHost=… -Dhttps.proxyPort=… -Dhttp.nonProxyHosts=… -Dhttp.socket.timeout=… -Dsonar.ws.timeout=…

when running in a specific network area if property isDMZ is set for the pipeline

call the sonar:sonar goal of Sonarqube Maven plugin
use sonar.projectVersion property if set for the pipeline
use the Jenkins BRANCH_NAME to set the sonar.branch.name property; a Jenkins multibranch pipeline sets a bunch of environment variables and BRANCH_NAME is one of them

[WARNING] Checksum validation failed, expected <!-- but is

This means one of your dependencies in Maven Central is corrupted; it’s a Maven problem.
In the Maven log you should see the affected artifact.
You may try to use a more current version of this dependency that might have fixed the checksum.

In your Maven settings.xml you have different options to deal with checksum errors: ignore, fail or warn.
See Maven – Settings Reference and search for ‘checksum’.

Is there a specific reason for using sonar.scm.disabled=true?
With this setting Sonarqube will not be able to use the git blame information.

Gilbert
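
An added example, not part of the thread: a settings.xml that applies the fail option mentioned above to Maven Central, so a checksum mismatch such as the "expected <!--" warnings in the log stops the build instead of only being logged. The profile id strict-central is a made-up name, and the file assumes Central is fetched directly rather than through a mirror or proxy repository.

```xml
<!-- ~/.m2/settings.xml: added example; the profile id "strict-central" is a made-up name -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
  <profiles>
    <profile>
      <id>strict-central</id>
      <repositories>
        <repository>
          <!-- Reusing the id "central" overrides Maven's built-in definition -->
          <id>central</id>
          <url>https://repo.maven.apache.org/maven2</url>
          <releases>
            <enabled>true</enabled>
            <!-- Lenient alternatives: warn (log and continue) or ignore (no verification) -->
            <checksumPolicy>fail</checksumPolicy>
          </releases>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
        </repository>
      </repositories>
      <pluginRepositories>
        <!-- Plugins such as the Sonar scanner are resolved from here, so apply the same policy -->
        <pluginRepository>
          <id>central</id>
          <url>https://repo.maven.apache.org/maven2</url>
          <releases>
            <enabled>true</enabled>
            <checksumPolicy>fail</checksumPolicy>
          </releases>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>strict-central</activeProfile>
  </activeProfiles>
</settings>
```

For a single run, the same behaviour is available without editing settings.xml through `mvn -C` (`--strict-checksums`).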