Using Sonarqube 9 which needs JDK 11, I can not have it when our project is built with JDK 8, unfortunately the docs are down till tmr, so looking for some help.
Yaml file:
on:
push:
branches:
- master # or the name of your main branch
pull_request:
types: [opened, synchronize, reopened]
jobs:
build:
name: Build
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Set up JDK 11
uses: actions/setup-java@v1
with:
java-version: 11
- name: Cache SonarQube packages
uses: actions/cache@v1
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: Cache Maven packages
uses: actions/cache@v1
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2
- name: Build and analyze
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
If I do this my build simply fails because ofc it does not support Java 11, if I set java-version to 8 it builds but sonar scan fails because it requires java 11.
Before the docs were down (last week) I saw that we could set “sonar.java.source=1.8” in the properties but this still fails.
So I’m a bit lost what to do now.
Also, even if sonar wants me to use maven because it sees the pom.xml is there a way to run the analyses as if this was just a simply java project (no maven involved)?
SonarQube requires the compiled classes of a Java project in order to run analysis. This can be setup without the use of the Scanner for Maven but it’s quite complicated to get right (and why do it when there’s a purpose-built scanner for doing this?)
SonarQube requires the compiled classes of a Java project in order to run analysis. This can be setup without the use of the Scanner for Maven but it’s quite complicated to get right (and why do it when there’s a purpose-built scanner for doing this?)
Thanks for the reply, I wasn’t thinking about the compiled classes and just looking from the code analyses perspective, we didn’t want to want more time to the process (we aren’t using github for the actual builds, we just wanted to have easy github integration with sonar for the PRs), but that ofc makes sense, and like you said if this is supported with maven and we built with it, probably best to do it this way.
An in fact I actually tried this approach to but I see now I made a mistake:
name: SonarQube Analysis
on:
push:
# branches:
# master
pull_request:
types: [opened, synchronize, reopened]
jobs:
build:
name: Build
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Set up JDK 8 # Sonarqube 9 requires java 11
uses: actions/setup-java@v2
with:
java-version: 8
distribution: adopt
- name: Cache SonarQube packages
uses: actions/cache@v1
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: Cache Maven packages
uses: actions/cache@v1
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2
- name: Build and analyze with sonar
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
run: mvn -B verify -Dmaven.test.skip=true
scan:
name: Scan
needs: build
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Set up JDK 11
uses: actions/setup-java@v2
with:
java-version: 11
distribution: adopt
- name: Cache SonarQube packages
uses: actions/cache@v1
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: Cache Maven packages
uses: actions/cache@v1
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2
- name: Analyze with sonar
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dmaven.test.skip=true
I was still calling verify in the second run :facepalm: , I now bumped into:
Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.0.2155:sonar (default-cli) on project some-project: Project 'com.projectname:services' can't have 2 modules with the following key: com.projectname:services -> [Help 1]
but I’m assuming this is case I have the project name in the properties file that I was using for doing this w/o maven.
I don’t think there’s a compelling reason to separate your build/scan into two jobs – for analysing Java, you want to have the build done right before the scan (and in the same context, with all the output generated by the build available). Even better, this way the build only has to run once.
With regard to this error:
This has come up before and it is probably easiest for now to just remove sonar.projectKey from your pom.xml and, if it’s something that does match your Maven project’s <group id>:<artifact id> format, specify it as an option to your Maven command (-Dsonar.projectKey=com.projectname:services)
And, I’ve taken the point to investigate this a little further (something is wrong here with the SonarQube tutorial and multi-module maven projects).
Your project contains .java files, please provide compiled classes with sonar.java.binaries property, or exclude them from the analysis with sonar.exclusions property
which I though should not happen since, specially now that I’m running “maven package” in the first step, and in fact this was working before (previous to sonar 9 when we were running mvn package org.sonarsource.scanner.maven:sonar-maven-plugin:sonar, since this is a complex project that I did not built and I’ve pretty new to maven I’m a bit unsure what to put in -Dsonar.java.binaries.
Actually I missed a critical part in spiting the job this way.
It will use different runner like in a parallel build even if the job depends on the previous, so the jar files are long gone, I need to run this as steps not split jobs