I noticed this myself today, because none of our docker projects have the Dockerfile indexed.
The sonar-maven-plugin is able to recognize that my project is a war and adds the warSourceDirectory of maven-war-plugin to the list of sources.
the final sonar.sources then contains:
src/main/webapp (contains all the .jsp, .html, .css, .js)
pom.xml
src/main/java
as you see, no need to configure anything special for the sonar scan.
If I set <sonar.sources>Dockerfile</sonar.sources> in my pom.xml then only Dockerfile is indexed, but no other sources, so it is not adding a source it is replacing whatever Maven knows.
Right now, because of that I would need to manually configure the pom.xml for every Maven project and set the sonar.sources property, which needs to include the java-source dir, the webapp dir, the pom.xml and the Dockerfile, something like:
<sonar.sources>src/main/webapp,pom.xml,src/main/java,Dockerfile</sonar.sources>
All these can have custom values. Unfortunately I am speaking about hundreds of projects in our company, so it is not me that can do this with every new project/branch that gets started, this needs to work out-of-the-box.
And since I don’t know which project ends up in a docker container, I don’t even know which projects are missing the Dockerfile in their sonar.sources config. yes, I could look up hundreds of git repos and many more branches to get that info.
potential solutions to the problem:
- if it exists, automatically add Dockerfile to the list of sources, like you currently do for pom.xml or src/main/webapp. Unfortunately the file can have a different name, DockerSensor also allows Dockerfile.*
- allow us to add source files/directories in addition to the sources discovered by Maven, by adding a property like sonar.sources.add or sonar.docker.file. The 2nd one could even be used for DockerSensor. I could then add this property to a parent-pom and force all projects to use that.
btw: the same seems also true for YAML files that are located somewhere within your maven project, but not within the source directories that sonar-maven-plugin is looking for.