SCA and Code Coverage Report for a Java Composite Multi-Module Project

SonarQube Server / Community Build
1

Must-share information

  • SonarQube Server version: 6.3.5

  • Deployment method: Docker (in Azure DevOps environment)

What I’m trying to achieve

I want both of the following to work correctly for my project:

  • Code coverage reporting

  • SCA (dependency analysis)

My project has 3 modules, and I want both code coverage and SCA results to be displayed properly in SonarQube for all modules.

What I’ve tried so far

Case 1: Module-level base directory

When I add the following to each module’s build.gradle:

property "sonar.projectBaseDir", project.projectDir

  • :white_check_mark: SCA works correctly for each module (scans only that specific module)

  • :cross_mark: Code coverage does not work as expected

Case 2: Root-level base directory

When I change it to:

property "sonar.projectBaseDir", "${project.projectDir}/../../"

  • :white_check_mark: Code coverage works

  • :cross_mark: SCA does not work

It seems like I can only get one of the two (code coverage or SCA) to work at a time, but not both together.

I’ve tried multiple approaches and also followed suggestions from AI tools (ChatGPT, Gemini, etc.), but haven’t been able to resolve this issue.

Note: Apologies if anything is unclear—this is my first time posting here.
Thanks in advance for your help! :pleading_face:

3

Hi,

Could you double-check your SonarQube Server version? 6.3 was initially released in 2017, well before we introduced SCA, and there was never a .5 version.

Since you’re talking about SCA, I’m going to assume you’re on a relatively modern version. :sweat_smile:

What happens if you don’t specify sonar.projectBaseDir at all? Because you shouldn’t need to do that. It’s really only called for when you’re kicking analysis off from somewhere other than the project directory. And tell me about your coverage reports. How are they generated and are you passing in a report per module or one combined report?

 
Thx,
Ann

1 Like
4

I’ve called to this endpoint to check the current version: http:///api/server/version

It returned 2025.4.3.113915. (sorry for the wrong version in the post)

I’ve noticed that if I do not specify sonar.projectBaseDir, the code coverage does not work properly, no coverage information is displayed on the SonarQube server. However, Sonar SCA works correctly (I mean the dependency analysis for each module display correctly).

And yes, I agree that sonar.projectBaseDir shouldn’t need to be defined; however, I haven’t been able to get code coverage working unless I set it to ${project.projectDir}/../../.”

Below is part of the current pipeline script used to generate and report both code coverage and Sonar SCA:

image
image1206×385 37.1 KB

My project consists of multiple submodules. Below is the current build.gradle configuration for one of them:

image
image743×381 30.2 KB

The analysis is executed per module, not as a combined report, because the project uses a Gradle composite build (includeBuild), where each module is treated as an independent build and scanned separately via the sonarComposite task.

Many thanks,
Trong

5

Hi Trong,

Let’s work on fixing the coverage. Knowing what this will look like, I hesitate to ask, but can you give me a --debug analysis log?

 
Thx,
Ann