Sonar-maven-plugin and Dockerfile


Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    SQ: 10.2.1, sonar-maven-plugin
  • how is SonarQube deployed: zip, Docker, Helm

I want the Dockerfile in the root directory of the project to be scanned. It doesn’t seem to be scanned unless I explicitly add it to sonar.sources. Is this expected? I haven’t made any other settings beyond setting the URL of the Sonar server and setting the project.



What was sonar.sources set to originally? Did the definition include the project root? I.e. was it . or something like that?


I haven’t set it explicitly, so whatever the default is for the maven-plugin. According to the documentation, “Read from build system for Maven”. That seems to include the pom file at the root, but not the Dockerfile. Wouldn’t it be reasonable that the plugin also finds the Dockerfile at the root, now that Sonar can scan them?


Okay, this makes sense. The SonarScanner for Maven takes a very Maven-centric, i.e. Java-centric view of things and only passes Java source files to analysis.

Ehm… maybe? TBH, you still have to manually override sonar.sources when your Maven project includes JavaScript, and we’ve analyzed it for years.


ok, maybe I need to manage my expectations :grinning:

Thanks for taking the time to answer!



I noticed this myself today, because none of our Docker projects have the Dockerfile indexed.

The sonar-maven-plugin is able to recognize that my project is a war and adds the warSourceDirectory of maven-war-plugin to the list of sources.

The final sonar.sources then contains:
src/main/webapp (contains all the .jsp, .html, .css, .js)

As you can see, there is no need to configure anything special for the sonar scan.

If I set <sonar.sources>Dockerfile</sonar.sources> in my pom.xml then only the Dockerfile is indexed, but no other sources, so it is not adding a source; it is replacing whatever Maven knows.

Right now, because of that I would need to manually configure the pom.xml for every Maven project and set the sonar.sources property, which needs to include the java-source dir, the webapp dir, the pom.xml and the Dockerfile, something like:

All these can have custom values. Unfortunately I am speaking about hundreds of projects in our company, so it is not me that can do this with every new project/branch that gets started; this needs to work out-of-the-box.
And since I don’t know which project ends up in a Docker container, I don’t even know which projects are missing the Dockerfile in their sonar.sources config. Yes, I could look up hundreds of git repos and many more branches to get that info.

Potential solutions to the problem:

  • If it exists, automatically add the Dockerfile to the list of sources, like you currently do for pom.xml or src/main/webapp. Unfortunately the file can have a different name; DockerSensor also allows Dockerfile.*
  • Allow us to add source files/directories in addition to the sources discovered by Maven, by adding a property like sonar.sources.add or sonar.docker.file. The 2nd one could even be used for DockerSensor. I could then add this property to a parent POM and force all projects to use that.

BTW: the same also seems true for YAML files that are located somewhere within your Maven project, but not within the source directories that sonar-maven-plugin is looking for.
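
An added example, not part of the original posts and not SonarSource code: a POSIX shell audit for the situation described above, where nobody knows which Maven projects carry a Dockerfile (or Dockerfile.*) that the default sources leave unindexed. It assumes each repository is checked out as a direct child of one directory and that sonar.sources, if set, is a literal one-line property in the project's own pom.xml; the function names, status labels and sample projects are constructed for illustration.

```shell
# Added example (not from the thread); sample projects below are constructed.
# Assumption: <sonar.sources> sits on one line of the project's own pom.xml;
# values from a parent POM or -Dsonar.sources are not visible to this script.
pom_sources() {
  sed -n 's:.*<sonar\.sources>\(.*\)</sonar\.sources>.*:\1:p' "$1" | head -n 1
}

# Succeed if file name $2 is in comma-separated value $1, by name or via ".".
covers() {
  old_ifs=$IFS; IFS=','; set -f
  for entry in $1; do
    entry=$(printf '%s' "$entry" | tr -d '[:space:]')
    case ${entry#./} in .|"$2") IFS=$old_ifs; set +f; return 0 ;; esac
  done
  IFS=$old_ifs; set +f; return 1
}

# Report each root-level Dockerfile / Dockerfile.* of project directory $1.
audit_project() {
  sources=$(pom_sources "$1/pom.xml"); found=0
  for f in "$1"/Dockerfile "$1"/Dockerfile.*; do
    [ -f "$f" ] || continue
    found=1; name=${f##*/}
    if [ -z "$sources" ]; then
      echo "NOT_INDEXED $1 $name (Maven defaults)"
    elif covers "$sources" "$name"; then
      echo "INDEXED $1 $name"
    else
      echo "NOT_INDEXED $1 $name (sonar.sources=$sources)"
    fi
  done
  [ "$found" -eq 1 ] || echo "NO_DOCKERFILE $1"
}

# Audit every direct child of $1 that contains a pom.xml.
audit_tree() {
  for pom in "$1"/*/pom.xml; do
    if [ -f "$pom" ]; then audit_project "${pom%/pom.xml}"; fi
  done
}

# Constructed sample checkout with three projects under $1.
make_sample() {
  mkdir -p "$1/svc-default" "$1/svc-dot" "$1/svc-java-only"
  echo '<project/>' > "$1/svc-default/pom.xml"
  echo '<project><properties><sonar.sources>.</sonar.sources></properties></project>' > "$1/svc-dot/pom.xml"
  echo '<project><properties><sonar.sources>src/main/java,pom.xml</sonar.sources></properties></project>' > "$1/svc-java-only/pom.xml"
  touch "$1/svc-default/Dockerfile" "$1/svc-dot/Dockerfile.prod" "$1/svc-java-only/Dockerfile"
}
tmp=$(mktemp -d) && make_sample "$tmp" && audit_tree "$tmp"; rm -rf "$tmp"
```

A NOT_INDEXED line that shows a sonar.sources value only means the file was not matched by name or by "."; entries written with absolute paths or Maven property placeholders need a manual look.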


Hi @youngroman,

As a workaround, you could just blanket-set sonar.sources=. for all projects. That’s a bit of a kludge, since you’d probably then want to also add an exclusion for target, but it gets around the question of examining hundreds of projects, and alternate names for the files.



FWIW I agree completely with Roman’s excellent write-up. For us the effect of this is that we just don’t scan the Dockerfiles in Maven projects, since it’s too much of a hassle to manually configure sonar-paths. So any solution in the plugin would be greatly appreciated.
