SonarQube 26.4 – Java Plugin Not Loaded During Analysis

Hi Team,

We are facing an issue with Java analysis in SonarQube deployed as a pod on AWS EKS.

Environment

  • SonarQube Version: 26.4.0.121862 (Community Build)

  • Deployment: Kubernetes (AWS EKS)

  • SonarQube runs inside an EKS pod

  • CI/CD:

    • AWS CodePipeline

    • AWS CodeBuild

  • Scanner Runtime Tested:

    • Java 17 (Amazon Corretto)

    • Java 21 (Amazon Corretto)

  • Maven Scanner Versions Tested:

    • sonar-maven-plugin 3.11.x / 4.x

    • sonar-maven-plugin 5.2.x

  • Project Type: Java (Spring Boot / Maven)

  • Sample Service Used for Testing: demo-service

Current Behavior

With sonar-maven-plugin 5.2.x

The scan fails during scanner-engine provisioning with SHA/hash mismatch errors.

Example:

  • Expected hash != Actual hash

  • Scanner engine provisioning failure

With sonar-maven-plugin 4.x and below

The pipeline completes successfully without errors, but Java analysis does not happen.

Observed warning:

[WARNING] No language plugins are installed.

What Works

  • Java files are detected and indexed successfully

  • Around 268 Java files are indexed

  • Quality profile for Java loads successfully

  • Active rules load successfully

  • CPD Block Indexer runs

  • Analysis report uploads successfully

  • Background task status shows SUCCESS

What Does Not Work

  • SonarJava Sensor does not run

  • No Java LOC/issues are visible in UI

  • Dashboard shows:
    “Main branch has no lines of code”

Important Log Snippet

[INFO] Loading plugins for detected languages
[INFO] Load/download plugins (done) | time=51ms
[WARNING] No language plugins are installed.
[INFO] Sensor Java CPD Block Indexer

It appears the Java plugin is not being loaded during scanner-side analysis runtime.

Plugin Verification

The installed plugins API confirms the Java plugin is present:

  • key: java

  • requiredForLanguages: java, jsp

  • type: BUNDLED

  • filename: sonar-java-plugin-8.27.0.43088.jar

Plugin locations checked:

/opt/sonarqube/lib/extensions/

Contains:

sonar-java-plugin-8.27.0.43088.jar

/opt/sonarqube/extensions/plugins/

Contains only:

README.txt

We also tested manually copying the plugin into:

/opt/sonarqube/extensions/plugins/

but SonarQube fails to start due to duplicate plugin conflicts.

Additional Validation Performed

We already tested the following:

  • Java 17 and Java 21 scanner runtimes

  • sonar-maven-plugin 3.x, 4.x, and 5.x

  • Clearing ~/.sonar/cache

  • Multiple fresh project keys

  • Running with and without sonar-project properties

  • Verified correct project path and source path

  • Verified buildspec.yml path handling using:

    cd demo-service
    
    
  • Verified pom.xml and src directories are correctly accessible in CodeBuild

  • Verified Java sources are indexed successfully

  • Tried scanner execution from different working directories

Network / Connectivity Validation

The SonarQube endpoint is accessed through:

  • CloudFront

  • Corporate Zscaler network path

We validated connectivity extensively:

  • Tested with proxy

  • Tested without proxy

  • Tested with NO_PROXY configuration

  • Tested direct curl downloads

  • Verified SHA/hash consistency through curl downloads

Connectivity and artifact downloads appear successful outside the scanner runtime.

Deployment Architecture

  • SonarQube runs as a pod inside AWS EKS

  • AWS CodePipeline triggers AWS CodeBuild

  • CodeBuild executes Maven sonar scans

  • Communication happens through CloudFront ingress endpoint to SonarQube

Our Observation / Doubt

It appears bundled plugins are visible on the server side but are not being loaded into the scanner-side runtime during analysis execution.

Because:

  • Plugin exists and is reported by API

  • Java files are indexed

  • Quality profiles load

  • But Java sensor never executes

Questions

  1. How are BUNDLED plugins expected to be activated in SonarQube 26.4 Community Build?

  2. Is any additional configuration required for scanner-side language plugin loading?

  3. Is this a known issue with SonarQube 26.4 Community Build and Maven scanner compatibility?

  4. Is there any recommended stable scanner version for Java analysis with SonarQube 26.4?

Please let us know if any additional logs or diagnostics are required.

Thanks,
Raghu

Hi Raghu,

I think a first step here would be to go directly to the plugin in your server and crack it open to see if it’s non-empty. If it is empty, then there’s something wrong with your installation. Because bundled plugins are … bundled. Meaning they’re already in there and there’s nothing more you need to do to get them. If it’s non-empty (as it should be) then you should look to the other layers in your stack and see if something is interfering with the jar’s delivery.

And as a lucky coincidence, 26.5 was recently released. I just pulled down a fresh copy of that zip and verified that the Java analyzer jar is non-empty. So since it’s time to upgrade anyway, that would be a good reason to go ahead & get that done.

 
HTH,
Ann

Hi Ann Campbell

Thank you for the clarification.

We will verify the bundled Java plugin JAR directly inside the SonarQube 26.4 server to confirm that it is present and non-empty.

Given your note about 26.5, we will also proceed with an upgrade to SonarQube 26.5 Community to rule out any installation or runtime issues specific to 26.4.

We’ll share the outcome after validating both.

Thanks again for the guidance.

Best regards,
A. Raghu

Plugin file is non-empty:

-r-xr-x---. 1 sonarqube root 20M Apr 8 07:52 /opt/sonarqube/lib/extensions/sonar-java-plugin-8.27.0.43088.jar

Size: 20MB — file is intact.

So the plugin is present and non-empty.
Something in the stack is interfering with JAR delivery to the scanner.

We are running SonarQube on AWS EKS behind CloudFront.
CodeBuild triggers the Maven scan externally.

Could you advise what layer might be blocking
plugin delivery from server to scanner?

Also — is upgrading to 26.5 recommended as next step?

Update: Upgraded to SonarQube 26.5.0.122743
Same warning persists: “No language plugins are installed”

Also noticed server version reported differently:

  • Before upgrade: SonarQube Server 26.4.0.121862
  • After upgrade: SonarQube Server 12.30.0.3186

Is 12.30.0.3186 the correct internal version for 26.5?
Or does this indicate a migration/installation issue?

Hi,

I don’t recognize this version number. What shows up in the page footer?

This is going to be about the things on your network. I’m unable to comment intelligently. Just pay attention to all the “helpful” filtering layers between the server and the build agent.

 
Ann

Hi @ganncamp ,

Tested plugin download directly from CodeBuild:

curl -v "https:///api/plugins/download?plugin=java"

Result: 20MB downloaded successfully — no network blocking.

So the JAR is accessible from the build agent.
But scanner still shows “No language plugins are installed”

Could the issue be that sonar-maven-plugin 3.11.x
is not sending the correct request to trigger
plugin download during analysis?

Hi,

I’m confident that it’s not.

 
Ann

@ganncamp ,

We have verified:

  1. Plugin JAR is 20MB (non-empty) on server :white_check_mark:
  2. Plugin JAR is downloadable from build agent (20MB) :white_check_mark:
  3. /api/plugins/installed shows java plugin correctly :white_check_mark:
  4. Network is clean - no blocking :white_check_mark:

Scanner combinations tried - all give same warning:

  • sonar-maven-plugin 3.11.x + Java 17 :cross_mark:
  • sonar-maven-plugin 3.11.x + Java 21 :cross_mark:
  • sonar-maven-plugin 4.0.0.4121 + Java 17 :cross_mark:
  • sonar-maven-plugin 4.0.0.4121 + Java 21 :cross_mark:

All combinations result in:
[WARNING] No language plugins are installed.

SonarQube UI footer version: Community Build

  • v26.5.0.122743

We have exhausted all options on scanner/CI side.
Can you please tell us exactly what configuration
is needed to fix this? We are stuck.

Hi @ganncamp ,

Sharing the sanitized build logs.

One important observation:

  • UI Footer shows: Community Build · v26.5.0.122743
  • But scanner log shows:
    “Communicating with SonarQube Server 12.30.0.3186”

Why is the scanner seeing a different version
than what UI shows?

Could this version mismatch be causing
“No language plugins are installed”?

[attach the log file]

[INFO] 11:31:19.254 Base dir: /codebuild/output/src123/src/dummy-service
[INFO] 11:31:19.254 Working dir: /codebuild/output/src123/src/dummy-service/target/sonar
[INFO] 11:31:19.262 Load project settings for component key: 'new'
[INFO] 11:31:19.296 Load project settings for component key: 'new' (done) | time=34ms
[INFO] 11:31:19.344 Load quality profiles
[INFO] 11:31:19.434 Load quality profiles (done) | time=90ms
[INFO] 11:31:19.458 Auto-configuring with CI 'AwsCodeBuild'
[WARNING] 11:31:19.496 SCM provider autodetection failed. Please use "sonar.scm.provider" to define SCM of your project, or disable the SCM Sensor in the project settings.
[INFO] 11:31:19.515 Load active rules
[INFO] 11:31:20.366 Load active rules (done) | time=851ms
[INFO] 11:31:20.378 Load analysis cache
[INFO] 11:31:20.404 Load analysis cache (404) | time=26ms
[INFO] 11:31:20.544 Preprocessing files...
[INFO] 11:31:20.790 2 languages detected in 268 preprocessed files (done) | time=246ms
[INFO] 11:31:20.793 Loading plugins for detected languages
[INFO] 11:31:20.793 Load/download plugins
[INFO] 11:31:20.838 Load/download plugins (done) | time=45ms
[INFO] 11:31:20.913 Load project repositories
[INFO] 11:31:21.054 Load project repositories (done) | time=141ms
[INFO] 11:31:21.072 Indexing files...
[INFO] 11:31:21.072 Project configuration:
[INFO] 11:31:21.118 268 files indexed (done) | time=46ms
[WARNING] 11:31:21.119 No language plugins are installed.
[INFO] 11:31:21.121 Quality profile for java: Java_Profile
[INFO] 11:31:21.121 Quality profile for xml: Sonar way
[INFO] 11:31:21.121 ------------- Run sensors on module loan
[INFO] 11:31:21.155 Load metrics repository
[INFO] 11:31:21.197 Load metrics repository (done) | time=42ms
[INFO] 11:31:21.236 Sensor JaCoCo XML Report Importer [jacoco]
[INFO] 11:31:21.240 'sonar.coverage.jacoco.xmlReportPaths' is not defined. Using default locations: target/site/jacoco/jacoco.xml,target/site/jacoco-it/jacoco.xml,build/reports/jacoco/test/jacocoTestReport.xml
[INFO] 11:31:21.241 No report imported, no coverage information will be imported by JaCoCo XML Report Importer
[INFO] 11:31:21.241 Sensor JaCoCo XML Report Importer [jacoco] (done) | time=4ms
[INFO] 11:31:21.295 ------------- Run sensors on project
[INFO] 11:31:21.686 Sensor JaCoCo Aggregate XML Report Importer [jacoco]
[INFO] 11:31:21.687 Sensor JaCoCo Aggregate XML Report Importer [jacoco] (done) | time=0ms
[INFO] 11:31:21.687 Sensor Zero Coverage Sensor
[INFO] 11:31:21.710 Sensor Zero Coverage Sensor (done) | time=23ms
[INFO] 11:31:21.710 Sensor Java CPD Block Indexer
[INFO] 11:31:22.299 Sensor Java CPD Block Indexer (done) | time=588ms
[INFO] 11:31:22.299 ------------- Gather SCA dependencies on project
[INFO] 11:31:22.309 Dependency analysis skipped
[INFO] 11:31:22.311 SCM Publisher No SCM system was detected. You can use the 'sonar.scm.provider' property to explicitly specify it.
[INFO] 11:31:22.341 CPD Executor 155 files had no CPD blocks
[INFO] 11:31:22.341 CPD Executor Calculating CPD for 112 files
[INFO] 11:31:22.416 CPD Executor CPD calculation finished (done) | time=75ms
[INFO] 11:31:22.574 Analysis report generated in 150ms, dir size=270.6 kB
[INFO] 11:31:22.612 Analysis report compressed in 37ms, zip size=43.5 kB
[INFO] 11:31:22.695 Analysis report uploaded in 83ms
[INFO] 11:31:22.697 ANALYSIS SUCCESSFUL, you can find the results at: https:///dashboard?id=new
[INFO] 11:31:22.697 Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
[INFO] 11:31:22.697 More about the report processing at https://url/api/ce/task?id=123
[INFO] 11:31:22.710 Analysis total time: 3.853 s

Core Problem Summary: SonarQube UI shows empty results despite successful analysis:

  • “Main branch has no lines of code”
  • No Java issues, bugs, code smells
  • No LOC count

Hi,

I really can’t speak to the version number you’re seeing in your logs. I just spun up 26.5 and ran a quick test. Here’s what I got:

 
Ann

Hi @ganncamp

Thanks for your response.

We performed further detailed validation to rule out network and infrastructure layers.

We verified plugin delivery explicitly:

  • GET /api/plugins/download?plugin=java → HTTP 200 with ~20MB JAR :white_check_mark:
  • Scanner logs show “Load/download plugins (done)” :white_check_mark:
  • Java plugin is present in ~/.sonar/cache during analysis :white_check_mark:

To further isolate the issue, here is a simplified version of our build execution flow:


Sample Build (simplified for testing):

build:
  commands:
    - echo "Building sample-service"
    - mvn clean verify
    - mvn org.sonarsource.scanner.maven:sonar-maven-plugin:4.0.0.4121:sonar
      -Dsonar.projectKey=dummy-service
      -Dsonar.projectVersion=1.0
      -Dsonar.host.url=https://
      -Dsonar.token=REDACTED

    - echo "===== SONAR CACHE FILES ====="
    - find ~/.sonar/cache -type f | grep java || true

During execution:

  • Analysis completes successfully :white_check_mark:
  • Java files are indexed :white_check_mark:
  • Quality profile is loaded :white_check_mark:
  • Plugins are downloaded and cached :white_check_mark:

Cache confirms:

  • sonar-java-plugin.jar :white_check_mark:
  • sonar-javasymbolicexecution-plugin.jar :white_check_mark:

However:

  • Scanner still reports: “No language plugins are installed”
  • JavaSquidSensor is NOT executed
  • Only Java CPD Block Indexer runs
  • UI shows 0 lines of code

We reproduced this consistently:

  • From AWS CodeBuild :white_check_mark:
  • From an internal jump server :white_check_mark:
  • On SonarQube 26.4 AND 26.5 :white_check_mark:

This demonstrates:
→ Plugin delivery is working :white_check_mark:
→ Plugin is locally available to scanner :white_check_mark:
→ Analyzer execution is not triggered :cross_mark:

Given these observations, this does not appear to be a network/filtering issue.

Could you please clarify:
Under what conditions would the scanner download and cache the Java plugin successfully, but still skip execution of the Java analyzer (JavaSquidSensor)?

This looks like an analyzer activation/runtime issue rather than a plugin download problem.

Thanks.
Raghu

Hi @ganncamp ,

Thanks for your support. The issue was due to CloudFront not forwarding the “Accept” header to the origin. Because of this, the endpoint /api/v2/analysis/engine was returning JSON instead of the actual JAR file, which caused hash mismatch errors and prevented Sonar analysis.

Fix:

  • Enabled forwarding of the “Accept” header in CloudFront (Origin Request Policy)
  • Invalidated cache for /api/v2/analysis/*

After this change, Sonar scans are working correctly. Thanks again for the help!
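The root cause above, reproduced offline as an added example (not part of the original posts and not SonarQube code): an intermediary that drops the Accept header turns a content-negotiated download into JSON, which a payload check catches regardless of what the HTTP status says. The metadata shape (`filename`, `sha256`), the Accept values and the toy `origin`/`via_cdn` functions are assumptions made for the illustration; the JAR is a constructed sample.

```python
import hashlib
import io
import json
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # a JAR is a ZIP archive


def build_sample_jar() -> bytes:
    """Constructed stand-in for the engine JAR served by the origin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


SAMPLE_JAR = build_sample_jar()
SAMPLE_META = json.dumps(
    {"filename": "engine.jar", "sha256": hashlib.sha256(SAMPLE_JAR).hexdigest()}
).encode()


def origin(accept):
    """Assumed origin behaviour: JAR only when octet-stream is requested."""
    return SAMPLE_JAR if accept == "application/octet-stream" else SAMPLE_META


def via_cdn(accept, forward_accept):
    """Toy CDN hop that either forwards or drops the client's Accept header."""
    return origin(accept if forward_accept else None)


def diagnose(meta_body: bytes, binary_body: bytes) -> str:
    """Compare the binary response against the hash advertised in the metadata."""
    expected = json.loads(meta_body)["sha256"].lower()
    if binary_body.startswith(ZIP_MAGIC):
        actual = hashlib.sha256(binary_body).hexdigest()
        return "ok" if actual == expected else "jar-hash-mismatch"
    try:
        json.loads(binary_body)
    except ValueError:
        return "unknown-payload"
    return "json-instead-of-jar"  # Accept was lost between client and origin


def check(forward_accept: bool) -> str:
    """Fetch metadata and binary through the toy CDN and diagnose the pair."""
    meta = via_cdn("application/json", forward_accept)
    binary = via_cdn("application/octet-stream", forward_accept)
    return diagnose(meta, binary)
```

`diagnose` takes raw response bodies, so it can also be fed two saved responses from a build agent, one requested with each Accept value.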

Hi Raghu,

I’m glad you worked through this and really appreciate your sharing the details. I’m sure it will help others in the future.

 
:star_struck:
Ann