Sonarqube 9 github action workflow in maven project using jdk 8

SonarQube Server / Community Build
, ,
1

Using Sonarqube 9 which needs JDK 11, I can not have it when our project is built with JDK 8, unfortunately the docs are down till tmr, so looking for some help.

Yaml file:

on:
  push:
    branches:
      - master # or the name of your main branch
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      - name: Set up JDK 11
        uses: actions/setup-java@v1
        with:
          java-version: 11
      - name: Cache SonarQube packages
        uses: actions/cache@v1
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      - name: Cache Maven packages
        uses: actions/cache@v1
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
          restore-keys: ${{ runner.os }}-m2
      - name: Build and analyze
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar

If I do this my build simply fails because ofc it does not support Java 11, if I set java-version to 8 it builds but sonar scan fails because it requires java 11.

Before the docs were down (last week) I saw that we could set “sonar.java.source=1.8” in the properties but this still fails.

So I’m a bit lost what to do now.

Also, even if sonar wants me to use maven because it sees the pom.xml is there a way to run the analyses as if this was just a simply java project (no maven involved)?

2

Hey there.

You probably want to split your build from your analysis.

  • Use Java 8
  • mvn verify
  • Use Java 11
  • mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar

SonarQube requires the compiled classes of a Java project in order to run analysis. This can be setup without the use of the Scanner for Maven but it’s quite complicated to get right (and why do it when there’s a purpose-built scanner for doing this?)

3

SonarQube requires the compiled classes of a Java project in order to run analysis. This can be setup without the use of the Scanner for Maven but it’s quite complicated to get right (and why do it when there’s a purpose-built scanner for doing this?)

Thanks for the reply, I wasn’t thinking about the compiled classes and just looking from the code analyses perspective, we didn’t want to want more time to the process (we aren’t using github for the actual builds, we just wanted to have easy github integration with sonar for the PRs), but that ofc makes sense, and like you said if this is supported with maven and we built with it, probably best to do it this way.

An in fact I actually tried this approach to but I see now I made a mistake:

name: SonarQube Analysis
on:
  push:
    # branches:
    # master
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      - name: Set up JDK 8 # Sonarqube 9 requires java 11
        uses: actions/setup-java@v2
        with:
          java-version: 8
          distribution: adopt
      - name: Cache SonarQube packages
        uses: actions/cache@v1
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      - name: Cache Maven packages
        uses: actions/cache@v1
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
          restore-keys: ${{ runner.os }}-m2
      - name: Build and analyze with sonar
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        run: mvn -B verify -Dmaven.test.skip=true
  scan:
    name: Scan
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      - name: Set up JDK 11
        uses: actions/setup-java@v2
        with:
          java-version: 11
          distribution: adopt
      - name: Cache SonarQube packages
        uses: actions/cache@v1
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      - name: Cache Maven packages
        uses: actions/cache@v1
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
          restore-keys: ${{ runner.os }}-m2
      - name: Analyze with sonar
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dmaven.test.skip=true

I was still calling verify in the second run :facepalm: , I now bumped into:

Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.0.2155:sonar (default-cli) on project some-project: Project 'com.projectname:services' can't have 2 modules with the following key: com.projectname:services -> [Help 1]

but I’m assuming this is case I have the project name in the properties file that I was using for doing this w/o maven.

4

Hum nope still fails with the same error, however I no longer have a properties file and in my pom.xml I do have:

 <!-- SonarQube Settings -->
    <sonar.projectKey>com.projectname:services</sonar.projectKey>

Following the setup for the CI configuration template " Update your pom.xml file with the following properties:"

So I’m not sure why this would be happening now…

5

Hey there.

I don’t think there’s a compelling reason to separate your build/scan into two jobs – for analysing Java, you want to have the build done right before the scan (and in the same context, with all the output generated by the build available). Even better, this way the build only has to run once.

With regard to this error:

This has come up before and it is probably easiest for now to just remove sonar.projectKey from your pom.xml and, if it’s something that does match your Maven project’s <group id>:<artifact id> format, specify it as an option to your Maven command (-Dsonar.projectKey=com.projectname:services)

And, I’ve taken the point to investigate this a little further (something is wrong here with the SonarQube tutorial and multi-module maven projects).

6

Yeah that worked, I’m now bumping into:

Your project contains .java files, please provide compiled classes with sonar.java.binaries property, or exclude them from the analysis with sonar.exclusions property

which I though should not happen since, specially now that I’m running “maven package” in the first step, and in fact this was working before (previous to sonar 9 when we were running mvn package org.sonarsource.scanner.maven:sonar-maven-plugin:sonar, since this is a complex project that I did not built and I’ve pretty new to maven I’m a bit unsure what to put in -Dsonar.java.binaries.

I guess I will have to wait till the docs are up

7

Actually I missed a critical part in spiting the job this way.

It will use different runner like in a parallel build even if the job depends on the previous, so the jar files are long gone, I need to run this as steps not split jobs

8

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.