Sonar-scanner CLI does not find issues found by sonar gradle plugin

Version information:

  • which versions are you using:
    SQ Community Edition Version 8.9.9 (build 56886)
    Sonar-Scanner CLI:
    - SonarScanner 4.7.0.2747
    - Java 11.0.14.1 Eclipse Adoptium (64-bit)
    - Mac OS X 12.6 x86_64

  • how is SonarQube deployed: zip

  • what are you trying to achieve: obtain findings parity between CLI scanner and gradle-plugin scanner

  • what have you tried so far to achieve this:

  1. created sample gradle/java project with issues not found while using CLI (java:S1948)
  2. configured project for gradle-plugin scanning (build.gradle configurations) and CLI scanning (sonar-project.properties)
  3. created scanning scripts for both scenarios for “one-click” run
  4. put the whole project on github at GitHub - AndreiRinea/sq-diff-scan

I’ve compared log files of the CLI scan run ( sq-diff-scan/sq-scan-via-cli.log at master · AndreiRinea/sq-diff-scan · GitHub ) and the Gradle scan run ( sq-diff-scan/sq-scan-via-gradle.log at master · AndreiRinea/sq-diff-scan · GitHub ) but can’t find any relevant missing configuration for CLI as compared to the (successful) gradle run…

Would I be able to run the CLI scanner to obtain the same level of thoroughness as the gradle scanner? I would need a unified approach on a large project portfolio spanning many stacks and would hate to make a different scenario for each (gradle, maven, npm, etc.).

I did read as much as I could on the community but aside from When to use sonar-scanner CLI versus SonarScanner plugin available with build tool’s like Maven,Gradle. etctera..? - #2 by bcipollone I haven’t found much information.

Hi,

Using the specialized scanners is easier because they set many additional properties automatically. Look at the SonarScanner for Gradle, for example:

Notice that additional defaults are provided for projects that have the Java-base or Java plugin applied:

Property                      Gradle default
sonar.sourceEncoding          ${project.compileJava.options.encoding}
sonar.java.source             ${project.targetCompatibility}
sonar.java.target             ${project.targetCompatibility}
sonar.sources                 ${sourceSets.main.allJava.srcDirs} (filtered to only include existing directories)
sonar.tests                   ${sourceSets.test.allJava.srcDirs} (filtered to only include existing directories)
sonar.java.binaries           ${sourceSets.main.output.classesDir}
sonar.java.libraries          ${sourceSets.main.compileClasspath} (filtered to only include files; rt.jar and jfxrt.jar added if necessary)
sonar.java.test.binaries      ${sourceSets.test.output.classesDir}
sonar.java.test.libraries     ${sourceSets.test.compileClasspath} (filtered to only include files; rt.jar and jfxrt.jar added if necessary)
sonar.junit.reportPaths       ${test.testResultsDir} (if the directory exists)

If you’re using the SonarScanner CLI you’ll need to set all properties manually (see also the section “Java analysis and bytecode” on Java).

1 Like

Is there a way to list out all the properties and their values that the gradle plugin runs?

I already have set the following ones for CLI:

  • sonar.java.source
  • sonar.sources
  • sonar.tests
  • sonar.java.binaries

(these can be observed at sq-diff-scan/sonar-project.properties at master · AndreiRinea/sq-diff-scan · GitHub )

additionally I’ve followed the debug-verbose log of the gradle scan and also set:

  • sonar.java.jdkHome

I’ve seen the CLI run getting (correctly) resolved:

  • sonar.java.libraries (based on jdkHome)

I added sonar.java.target (same value as sonar.java.source, 1.8) as we “speak”, ( trying also sonar.java.target on CLI · AndreiRinea/sq-diff-scan@02c6dfa · GitHub ) but no improvement.
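As an added example for this thread (it is not code from the sq-diff-scan repository or from SonarSource), the script below turns the two practical questions above into a mechanical check: which properties the Gradle plugin resolves, and which of them the hand-written CLI configuration is missing or sets differently. It assumes the Gradle-side properties are available as a .properties file. One way to obtain that, assumed here rather than shown anywhere on this page, is the scanner API property sonar.scanner.dumpToFile (for example ./gradlew sonarqube -Dsonar.scanner.dumpToFile=/tmp/gradle-scan.properties), which writes the resolved properties to the named file instead of running the analysis and which the Gradle plugin forwards like any other sonar.* system property. The sample inputs embedded in the script are constructed: their keys follow the defaults table quoted in the reply, the paths and jar names are placeholders, and one value is deliberately different so the value comparison has something to report.

```shell
#!/usr/bin/env bash
# Added example for this thread, not code from the sq-diff-scan repository or
# from SonarSource. Compares the effective analysis properties of a Gradle
# plugin run with the properties a sonar-scanner CLI run uses and reports what
# the CLI configuration lacks or sets differently.
#
# Inputs are Java .properties files ("key=value", "#"/"!" comment lines).
# Assumption: the Gradle side was written out with the scanner API property
# sonar.scanner.dumpToFile (see the text above); any key=value file works.

# Normalise a .properties file to sorted "key<TAB>value" lines: drop comments
# and blank lines, trim whitespace around key and value. Backslash line
# continuations are not handled, which is fine for scanner dumps.
normalize_props() {
  sed -e 's/^[[:space:]]*//' -e '/^[#!]/d' -e '/^$/d' "$1" \
    | awk '{
        i = index($0, "="); if (i == 0) next
        k = substr($0, 1, i - 1); v = substr($0, i + 1)
        gsub(/[[:space:]]+$/, "", k); gsub(/^[[:space:]]+/, "", v)
        printf "%s\t%s\n", k, v
      }' \
    | LC_ALL=C sort -t "$(printf '\t')" -k1,1
}

# Keys set in file $1 but absent from file $2, one per line, sorted.
missing_keys() {
  local a b
  a="$(mktemp)"; b="$(mktemp)"
  normalize_props "$1" | cut -f1 > "$a"
  normalize_props "$2" | cut -f1 > "$b"
  LC_ALL=C comm -23 "$a" "$b"
  rm -f "$a" "$b"
}

# Keys set in both files whose values differ, as "key: value1 -> value2".
differing_values() {
  local a b
  a="$(mktemp)"; b="$(mktemp)"
  normalize_props "$1" > "$a"
  normalize_props "$2" > "$b"
  LC_ALL=C join -t "$(printf '\t')" -j 1 "$a" "$b" \
    | awk -F '\t' '$2 != $3 { printf "%s: %s -> %s\n", $1, $2, $3 }'
  rm -f "$a" "$b"
}

# Full report: Gradle dump first, CLI configuration second.
report() {
  echo "== set by the Gradle plugin, missing from the CLI configuration =="
  missing_keys "$1" "$2"
  echo "== set only in the CLI configuration =="
  missing_keys "$2" "$1"
  echo "== set on both sides with different values (Gradle -> CLI) =="
  differing_values "$1" "$2"
}

# --- constructed sample inputs (placeholder paths, not the OP's real files) ---
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
GRADLE_DUMP="$WORKDIR/gradle-scan.properties"
CLI_PROPS="$WORKDIR/sonar-project.properties"

# Keys follow the Gradle-plugin defaults table quoted in the reply above.
cat > "$GRADLE_DUMP" <<'EOF'
# constructed sample of a Gradle-plugin property dump
sonar.host.url=http://localhost:9000
sonar.projectKey=demo
sonar.sourceEncoding=UTF-8
sonar.java.source=1.8
sonar.java.target=1.8
sonar.sources=/work/demo/src/main/java
sonar.tests=/work/demo/src/test/java
sonar.java.binaries=/work/demo/build/classes/java/main
sonar.java.libraries=/work/demo/libs/dependency-a.jar,/work/demo/libs/dependency-b.jar
sonar.java.test.binaries=/work/demo/build/classes/java/test
sonar.java.test.libraries=/work/demo/build/classes/java/main,/work/demo/libs/test-framework.jar
sonar.junit.reportPaths=/work/demo/build/test-results/test
EOF

# A hand-written CLI configuration in the spirit of the thread (source, sources,
# tests, binaries, jdkHome); sonar.java.binaries is deliberately different.
cat > "$CLI_PROPS" <<'EOF'
# constructed sample sonar-project.properties
sonar.host.url=http://localhost:9000
sonar.projectKey=demo
sonar.java.source=1.8
sonar.java.target=1.8
sonar.sources=/work/demo/src/main/java
sonar.tests=/work/demo/src/test/java
sonar.java.binaries=/work/demo/build/classes
sonar.java.jdkHome=/usr/lib/jvm/temurin-11
EOF

report "$GRADLE_DUMP" "$CLI_PROPS"
```

Run it as-is to see the report on the constructed samples, or call report with a real dump and your own sonar-project.properties. Keys listed in the first section are the ones to add to the CLI configuration. In the third section, expect noise from paths: the Gradle plugin resolves absolute paths, while a hand-written file usually uses paths relative to the project base directory, so a pair that points at the same directory can still show up as a difference.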