Sonar-maven-plugin does not work with newer versions of maven-shade-plugin

Hi, it seems maven-shade-plugin when upgraded from (working) 3.2.4 to (breaking) 3.5.3 will change the maven property ${project.baseDir}. I don’t know if this is a bug in shade or sonar.

The result is that sonar scanner runs from inside the target folder as its project base dir, and finds no source files nor coverage.

Explicitly setting <sonar.projectBaseDir>${project.basedir}</sonar.projectBaseDir> makes no difference. That’s why I think shade is overwriting this value.

Logs from shade 3.2.4:
2024-04-26T12:09:22.0978416Z [INFO] 12:09:22.097 Base dir: /home/runner/work/my-private-project/my-private-project

Logs from shade 3.5.3:
2024-04-26T11:41:18.0620501Z [INFO] 11:41:18.061 Base dir: /home/runner/work/my-private-project/my-private-project/target

  • GitHub
  • GitHub Actions
  • Kotlin
  • Potential workaround: downgrade shade

maven pom.xml snippets:

    <profile>
      <id>sonarcloud</id>
      <activation>
        <property>
          <name>env.SONARCLOUD_TOKEN</name>
        </property>
      </activation>
      <properties>
        <sonar.organization>my-org-here</sonar.organization>
        <sonar.host.url>https://sonarcloud.io</sonar.host.url>
        <sonar.projectKey>redacted</sonar.projectKey>
        <sonar.token>${env.SONARCLOUD_TOKEN}</sonar.token>
        <sonar.projectBaseDir>${project.basedir}</sonar.projectBaseDir>
      </properties>
      <build>
        <plugins>
          <plugin>
            <groupId>org.sonarsource.scanner.maven</groupId>
            <artifactId>sonar-maven-plugin</artifactId>
            <version>3.11.0.3922</version>
            <executions>
              <execution>
                <phase>verify</phase>
                <goals>
                  <goal>sonar</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>

shade

<maven-shade-plugin.version>3.5.3</maven-shade-plugin.version>

      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-shade-plugin</artifactId>
        <version>${maven-shade-plugin.version}</version>
        <configuration>
          <filters>
            <filter>
              <artifact>*:*</artifact>
              <excludes>
                <exclude>META-INF/*.SF</exclude>
                <exclude>META-INF/*.DSA</exclude>
                <exclude>META-INF/*.RSA</exclude>
              </excludes>
            </filter>
          </filters>
        </configuration>
        <executions>
          <execution>
            <phase>package</phase>
            <goals>
              <goal>shade</goal>
            </goals>
            <configuration>
              <dependencyReducedPomLocation>${project.build.directory}/dependency-reduced-pom.xml
              </dependencyReducedPomLocation>
              <filters>
                <!-- Excluding signed manifest files from dependencies -->
                <filter>
                  <artifact>*:*</artifact>
                  <excludes>
                    <exclude>META-INF/*.SF</exclude>
                    <exclude>META-INF/*.DSA</exclude>
                    <exclude>META-INF/*.RSA</exclude>
                  </excludes>
                </filter>
              </filters>
            </configuration>
          </execution>
        </executions>
      </plugin>

All shade versions from 3.3.0 (2022-03-24) and after will have this issue. The latest working shade is 3.2.4.


To see if basedir is changed for every plugin, I ran a stat together with shade 3.5.3, and no, basedir is correct here: /home/runner/work/my-private-project/my-private-project. This runs just before sonar, when I inspect logs.

<plugin>
  <groupId>org.codehaus.mojo</groupId>
  <artifactId>exec-maven-plugin</artifactId>
  <version>3.2.0</version>
  <executions>
    <execution>
      <id>exec-stat</id>
      <phase>verify</phase>
      <goals>
        <goal>exec</goal>
      </goals>
      <configuration>
        <executable>stat</executable>
        <arguments>
          <argument>${project.basedir}</argument>
        </arguments>
      </configuration>
    </execution>
  </executions>
</plugin>

It seems to be a bug in shade that has reoccurred several times, if you search their Jira.
It is caused by the dependency reduced pom.
The fix is available at [MSHADE-124] keep original basedir after set d-r-p location to build dir by gzm55 · Pull Request #128 · apache/maven-shade-plugin · GitHub, but no maintainer wants to merge it.

The property in the pom even explains this

Hello @krissrex,

Thanks for reaching out. Yes, this looks like a bug on the shade plugin side. So, I can recommend running the Sonar task before the maven shade plugin.

Best,
Margarita
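
A CI guard for the symptom reported in this thread, as an added example that is not part of any post: it reads the build log and fails when the scanner's reported "Base dir:" differs from the checkout directory, so an analysis that silently scanned `target` does not pass unnoticed. The function names are assumptions made for this example; the demo log line is the one quoted in the first post.

```shell
#!/bin/sh
# Added example (not from the thread): detect a Sonar analysis that ran
# against the wrong base directory, using the "Base dir:" line the scanner
# writes to the Maven log. Function names are hypothetical.

# Print the path from the first "Base dir:" line on stdin, or nothing.
sonar_base_dir() {
    sed -n 's/^.*Base dir: //p' | head -n 1
}

# Usage: check_sonar_base_dir EXPECTED_ROOT < build.log
# Returns 0 on match, 1 on mismatch, 2 when no "Base dir:" line exists
# (the scanner did not run, or its log format changed).
check_sonar_base_dir() {
    expected=${1%/}              # tolerate a trailing slash on either side
    actual=$(sonar_base_dir)
    actual=${actual%/}
    if [ -z "$actual" ]; then
        echo "no 'Base dir:' line in log; did the scanner run?" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "scanner base dir is '$actual', expected '$expected'" >&2
        return 1
    fi
    return 0
}

# Demo on the shade 3.5.3 log line quoted in the first post.
demo_root=/home/runner/work/my-private-project/my-private-project
printf '%s\n' \
  "2024-04-26T11:41:18.0620501Z [INFO] 11:41:18.061 Base dir: $demo_root/target" \
  | check_sonar_base_dir "$demo_root" || echo "guard tripped: analysis scope is wrong"
```

In a GitHub Actions step the expected root would be `$GITHUB_WORKSPACE`, with the Maven output saved to a file and fed to `check_sonar_base_dir` on stdin.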
