Hello guys,
Are there any risks when not providing the java libraries to the Sonar Analysis? The jar files are too big to live on gitLab servers. What purpose does it serve to provide the jar files to pair my binaries files?
Hey there.
It’s not clear to me what you mean by this. Do you mean that you don’t build your Java projects on Gitlab at all?
The goal is that you run analysis immediately after a build is completed (when the binaries are available because they were just compiled) – not store them in Gitlab.
Having the bytecode (binaries) available for analysis greatly improves the quality of analysis.
Currently my CI pipeline on gitLab runs sonar scanner as a CLI in a different stage. So the java projects are built in a different container. If I wanted to pass the snapshot jar file onto another container, I believe I have to save them as artifacts. I have attached the binaries to the properties file, but I get this error regarding the libraries.
Dependencies/libraries were not provided for analysis of SOURCE files. The ‘sonar.java.libraries’ property is empty.
Does providing the dependencies make a huge change in the analysis of source files? Or what are the risks of not providing it as well?
Yes, it affects the quality of the analysis. Without the dependencies, the analyzer has no information about types, for example.
Can the dependencies be found in the snapshot jar or do they live elsewhere?
Hey there.
sonar.java.libraries expects to have access to the original JARs of your dependencies to be able to add them to the classpath.
This all happens automatically when you run analysis in the same environment as you build – what are you trying to achieve by separating them?
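As an added illustration (not from the thread or from SonarSource), here is a .gitlab-ci.yml for the separated-stage setup described above: the build job exports the compiled classes and a copy of every dependency JAR as short-lived artifacts, and the analysis job points sonar.java.binaries and sonar.java.libraries at them, so the analyzer gets the same classpath it would have had in the build container. It assumes a Maven project, that SONAR_HOST_URL and SONAR_TOKEN are masked CI/CD variables, and that the image tags and the project key are placeholders.

```yaml
# Added example, not part of the original thread. Assumptions: Maven project,
# SONAR_HOST_URL / SONAR_TOKEN set as masked CI/CD variables, illustrative image tags.
stages:
  - build
  - analyze

build:
  stage: build
  image: maven:3-eclipse-temurin-17          # assumed image tag
  script:
    - mvn -B package -DskipTests
    # maven-dependency-plugin: copy every resolved dependency JAR into target/dependency/
    - mvn -B dependency:copy-dependencies
  artifacts:
    expire_in: 1 hour                        # only needs to survive until the next stage
    paths:
      - target/classes/                      # bytecode  -> sonar.java.binaries
      - target/dependency/                   # dep JARs  -> sonar.java.libraries

sonar:
  stage: analyze
  image: sonarsource/sonar-scanner-cli       # assumed image tag
  needs: ["build"]                           # pulls the build artifacts into this container
  script:
    # The same keys can live in sonar-project.properties instead of the command line.
    # sonar.java.libraries accepts wildcards, so every JAR copied above is picked up.
    - >
      sonar-scanner
      -Dsonar.projectKey=my-project
      -Dsonar.sources=src/main/java
      -Dsonar.java.binaries=target/classes
      -Dsonar.java.libraries=target/dependency/*.jar

# Simpler alternative, as the answer above recommends: build and analyze in one
# job with the Sonar Maven plugin, which resolves binaries and the dependency
# classpath itself (sonar.token applies to recent SonarQube versions; older
# servers use sonar.login):
#   mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
#       -Dsonar.host.url=$SONAR_HOST_URL -Dsonar.token=$SONAR_TOKEN
```

If the "Dependencies/libraries were not provided" warning still appears, check that target/dependency/ is non-empty in the analysis job (the artifact may have expired or the copy goal may have run in a different module directory).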