Hi!
Must-share information (formatted with Markdown):
I want Dockerfile in root directory of project to be scanned. It doesn’t seem to be scanned unless I explicitly add it to sonar.source. Is this expected? I haven’t made any other settings beyond sett url to sonar server and setting the project.
Hi,
What was sonar.source set to originally? Did the definition include the project root? I.e. was it . or something like that?
Ann
I haven’t set it explicitly, so whatever the default is for the maven-plugin. According to the documentation “Read from build system for Maven”. That seems to include the pom-file at the root, but not the Dockerfile. Wouldn’t it be reasonable that the plugin also finds Dockerfile at the root, now when Sonar can scan them?
Hi,
Okay, this makes sense. The SonarScanner for Maven takes a very Maven-centric, i.e. Java-centric view of things and only passes Java source files to analysis.
Ehm… maybe? TBH, you still have to manually override sonar.sources when your Maven project includes JavaScript, and we’ve analyzed it for years.
Ann
ok, maybe I need to manage my expectations 
Thanks for taking the time to answer!
I noticed this myself today, because none of our docker projects have the Dockerfile indexed.
The sonar-maven-plugin is able to recognize that my project is a war and adds the warSourceDirectory of maven-war-plugin to the list of sources.
the final sonar.sources then contains:
src/main/webapp (contains all the .jsp, .html, .css, .js)
pom.xml
src/main/java
as you see, no need to configure anything special for the sonar scan.
If I set <sonar.sources>Dockerfile</sonar.sources> in my pom.xml then only Dockerfile is indexed, but no other sources, so it is not adding a source it is replacing whatever Maven knows.
Right now, because of that I would need to manually configure the pom.xml for every Maven project and set the sonar.sources property, which needs to include the java-source dir, the webapp dir, the pom.xml and the Dockerfile, something like:
<sonar.sources>src/main/webapp,pom.xml,src/main/java,Dockerfile</sonar.sources>
All these can have custom values. Unfortunately I am speaking about hundreds of projects in our company, so it is not me that can do this with every new project/branch that gets started, this needs to work out-of-the-box.
And since I don’t know which project ends up in a docker container, I don’t even know which projects are missing the Dockerfile in their sonar.sources config. yes, I could look up hundreds of git repos and many more branches to get that info.
potential solutions to the problem:
btw: the same seems also true for YAML files that are located somewhere within your maven project, but not within the source directories that sonar-maven-plugin is looking for.
Hi @youngroman,
As a workaround, you could just blanket-set sonar.sources=. for all projects. That’s a bit of a kludge, since you’d probably then want to also add an exclusion for target, but it gets around the question of examining hundreds of projects, and alternate names for the files.
Ann
FWIW I agree completely with Romans excellent write-up. For us the effect of this is that we just don’t scan the Dockerfiles in maven projects, since it’s to much of hassle to manually configure sonar-paths. So any solution in the plugin would would be greatly appreciated.