Sonar Scanner for Maven reports warning "missing sonar.java.libraries" when project doesn't have any dependencies

SonarCloud
,
1

Hello,
I have a Maven project without any dependencies (see: EasyBundle). Sonnar Scanner for Maven reports the following warning:

12:37:56 [INFO] Sensor JavaSquidSensor [java]
12:37:58 [INFO] Configured Java source version (sonar.java.source): 6
12:37:58 [INFO] JavaClasspath initialization
12:37:58 [WARNING] Bytecode of dependencies was not provided for analysis of source files, you might end up with less precise results. Bytecode can be provided using sonar.java.libraries property.
12:37:58 [INFO] JavaClasspath initialization (done) | time=88ms
12:37:58 [INFO] JavaTestClasspath initialization
12:37:58 [INFO] JavaTestClasspath initialization (done) | time=1ms
12:37:59 [INFO] Java Main Files AST scan
12:37:59 [INFO] 14 source files to be analyzed
12:38:03 [INFO] Java Main Files AST scan (done) | time=3866ms
12:38:03 [INFO] Java Test Files AST scan
12:38:03 [INFO] 8 source files to be analyzed
12:38:03 [INFO] 14/14 source files have been analyzed
12:38:04 [INFO] Java Test Files AST scan (done) | time=1405ms
12:38:04 [INFO] Sensor JavaSquidSensor [java] (done) | time=7678ms

It is also visible in SonarQube Web :wink:

warning

It would be great if the scanner could be smart enough to hide the warning when no dependencies are used :slight_smile:

Environment:

  • SonarQube 7.5.0
  • Sonar Scanner for Maven 3.5.0.1254
  • Java plugins:
    • SonarJava 5.9.2 (build 16552)
    • JaCoCo 1.0.1 (build 143)
    • FindBugs 3.9.1
    • PMD 3.1.3

Cheers

2

I can confirm this.
Also tried putting in the <dependecies> tag in the POM and adding no <dependency> tags to it.
The warning still shows up.

Not sure if this happend with SonarQube 7.3, but it does with 7.4 and 7.5.

4

I think the issue is caused by the Sonar Scanner :wink:

9

The scanner for Maven automatically collect dependencies, and passes sonar.java.libraries property. When there are no dependencies, the property is empty. SonarJava reads this property and raises a warning when it is empty, considering this is likely a configuration mistake (for people manually providing scanner configuration).

I’m still not clear how to properly fix this, but in the meantime, I have created a ticket:
https://jira.sonarsource.com/browse/MSONAR-170

2 Likes
10

Hi @Julien_HENRY :slight_smile:

I have two proposals:

  1. Show the warning only if the parameter is not defined:

    • sonar.java.libraries= ← correct, no libraries
    • sonar.java.libraries=foo.jar ← correct, one library
    • missing ← warning

  2. Add a new property which allows disabling the warning:

    • sonar.java.libraries= and sonar.java.libraries.empty=true ← correct, no libraries
    • sonar.java.libraries= or missing ← warning

The first looks better, but many people prepare configuration by copy&paste anti-pattern, and only remove values which they don’t understand. The second is more secure but introduces the new stupid property :disappointed:

I hope you will find a better approach.

Cheers

1 Like
14

This is still an issue in March 2021 … I notice that the original Jira issue is still open with little or no activity since then :frowning: .

15

Hey there @ed_ward_graham

In fact, I think MSONAR-170 should probably be closed as “Won’t Fix” or “Duplicate” (ping @Julien_HENRY) now that SONARJAVA-3114 has been created (and solved!) in SonarQube v8.7. It should also be addressed on SonarCloud

1 Like
16

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.