SonarQube getting wrong maven dependency

scanner
java

(Thales Brito) #1

Hello all,

I’m running a Docker with SonarQube 6.2-alpine and I’m facing some issues regarding getting the correct dependency.

Explaining the problem:

My application uses the dependency spring-data-commons version 1.13.0.RELEASE in order to be able to use the PageRequest class, but if I have a newer version of this package, for instance 2.0.10.RELEASE, in my .m2 repository, I start to have some trouble because this class became deprecated in this newer version.

I need help to understand how Sonar “retrieves” the correct dependency, because we have more than one application using both Sonar and the Maven repository and they could have different dependencies.

I need to set sonar to get the proper dependency for each application.


SonarQube Scanner 3.0.0.702

(G Ann Campbell) #2

Hi,

I’m confused by your post. I’ll start at the bottom. In your screenshot the little block showing the version of the upgrade is orange because that version is incompatible with your version of SonarQube. You’d have to upgrade SonarQube (not a bad idea - 7.3 is the current version and 6.7 is the current LTS…) to be able to use that version.

Backing up from that, SonarQube doesn’t “retrieve” dependencies for your applications under analysis. Maven would handle that. Presumably if you have the dependency versions specified in your pom, this should just work.

And before that we come back to the fact that you’re running 6.2, but I’ve already touched on that point.

Ann


(Thales Brito) #3

Hello,

Thanks for the answer, I’ll try to update my SonarQube.

But just to explain, when you say:

Backing up from that, SonarQube doesn’t “retrieve” dependencies for your applications under analysis. Maven would handle that. Presumably if you have the dependency versions specified in your pom, this should just work.

That is exactly my problem: I have the dependency versions specified in my pom, but for some reason, when Sonar does the scan it is analyzing using a newer version present in the repository.


(Julien Henry) #5

Hi @tbrito

How do you declare the dependency on spring-data-commons? Are you using a fixed version in your pom? Or are you relying on transitive dependency?

How do you run your analysis? In a single command: mvn verify sonar:sonar or in two separate steps?

To better understand what classpath is used by SonarJava, you can run the analysis with the parameter -Dsonar.scanner.dumpToFile=scanner.properties and look at the value of the property sonar.java.libraries. Check that it contains spring-data-commons only once, and with the correct version.

Also using tools like mvn dependency:tree could help.

Last tip: I know different Maven versions could resolve transitive dependencies differently. Ensure that you are using the same version of Maven everywhere (on your dev box and on your CI server).
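The check described in this post (dump the scanner properties and inspect sonar.java.libraries for duplicate or wrong versions of one artifact) can be automated so it fails a CI job instead of relying on eyeballing a long comma-separated line. The script below is an added example and not code from the thread or from SonarSource; it assumes only that the dump is a key=value properties file whose sonar.java.libraries value is a comma-separated list of jar paths, and the embedded SAMPLE_PROPERTIES content (paths, versions, project key) is constructed for the example.

```bash
#!/usr/bin/env bash
# Added example: verify that one Maven artifact appears exactly once, with the
# version declared in the pom, on the sonar.java.libraries classpath taken from
# a -Dsonar.scanner.dumpToFile=scanner.properties dump.
set -eu

# Constructed sample of a scanner dump. Two copies of spring-data-commons are
# present on purpose, which is the situation described in the thread.
SAMPLE_PROPERTIES='sonar.projectKey=com.example:demo
sonar.java.libraries=/home/ci/.m2/repository/org/springframework/data/spring-data-commons/1.13.0.RELEASE/spring-data-commons-1.13.0.RELEASE.jar,/home/ci/.m2/repository/org/springframework/data/spring-data-commons/2.0.10.RELEASE/spring-data-commons-2.0.10.RELEASE.jar,/home/ci/.m2/repository/org/slf4j/slf4j-api/1.7.25/slf4j-api-1.7.25.jar
sonar.java.binaries=target/classes'

# versions_of ARTIFACT PROPERTIES_TEXT
# Prints one version per line for every jar of ARTIFACT found on
# sonar.java.libraries (the jar name is expected to be ARTIFACT-VERSION.jar).
versions_of() {
  artifact=$1
  printf '%s\n' "$2" \
    | sed -n 's/^sonar\.java\.libraries=//p' \
    | tr ',' '\n' \
    | sed -n "s#.*/${artifact}-\([^/]*\)\.jar\$#\1#p"
}

# check_single_version ARTIFACT EXPECTED PROPERTIES_TEXT
# Returns 0 when exactly one jar of ARTIFACT is on the classpath and its version
# equals EXPECTED; otherwise prints a diagnosis and returns 1.
check_single_version() {
  artifact=$1
  expected=$2
  props=$3
  found=$(versions_of "$artifact" "$props")
  # grep -c . counts non-empty lines; "|| true" keeps the 0 when nothing matched.
  count=$(printf '%s\n' "$found" | grep -c . || true)
  if [ "$count" -eq 0 ]; then
    echo "MISSING: $artifact is not on sonar.java.libraries"
    return 1
  elif [ "$count" -gt 1 ]; then
    echo "DUPLICATE: $artifact appears $count times: $(printf '%s' "$found" | tr '\n' ' ')"
    return 1
  elif [ "$found" != "$expected" ]; then
    echo "MISMATCH: $artifact resolved to $found, pom declares $expected"
    return 1
  fi
  echo "OK: $artifact $expected"
  return 0
}

# Usage on the constructed sample: the first check reports the duplicate,
# the second passes. In CI, feed it "$(cat scanner.properties)" instead.
check_single_version spring-data-commons 1.13.0.RELEASE "$SAMPLE_PROPERTIES" || true
check_single_version slf4j-api 1.7.25 "$SAMPLE_PROPERTIES"
```

A DUPLICATE result points at the Maven resolution the post is asking about (two versions reaching the analysis classpath), a MISMATCH points at the pom declaring one version while another was resolved, and in both cases mvn dependency:tree on the same machine and Maven version shows where the unexpected version comes from.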