Sonarqube/Scanner without compiling?

Hello,

I’m using the Community Edition of Sonarqube + Sonarscanner to make an opinion before switching to an Enterprise Edition.

I would like to audit some of my team’s applications but I am having difficulties and I would like to know if I am the one missing an option:

The application I want to audit is based on Maven and contains Java.

During the build phase, I realize that I don’t have access to several dependencies that the application uses and I don’t have the possibility to access them.

I know that I will miss a lot of elements without compiling my application, but is it possible with Sonarqube to do an analysis on the code without compiling it in order to have a first view on the security status of the application?

Thanks

Hi,

I believe you can cheat on this requirement by specifying sonar.java.binaries=[a valid directory]. I have seen people use sonar.java.binaries=. which can be expensive, since it will cause a recursive search for the .class files, but I think it works.

But if you tell anyone I told you this, I’ll deny it. :joy:

To be super-clear on this, you will not get a first view of the security status of the application because

  • without the .class files, there will be too little data about the application for analysis to give you this information
  • if you’re after security status then you should really be testing with at least Developer Edition ($) (and .class files)

Note that you can get a 2-week trial of Developer Edition or Enterprise Edition ($$) for free, so there’s no need to hobble your evaluation of Enterprise Edition by using Community Edition.

HTH,
Ann
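The properties-file form of the workaround Ann describes, as an added example that is not part of the original thread; the project key and source path are placeholder assumptions, and the binaries directory must exist before the scanner runs:

```properties
# sonar-project.properties (added example, not from the thread above)
# Placeholder values, assumed for illustration:
sonar.projectKey=my-app
sonar.sources=src/main/java
# The Java analyzer refuses to run unless sonar.java.binaries names an existing
# directory. An empty, dedicated directory satisfies the check without the
# recursive .class search that sonar.java.binaries=. triggers.
sonar.java.binaries=target/classes
# Equivalent but slower, since the whole tree is walked for .class files:
# sonar.java.binaries=.
# If the missing dependency jars ever become available, list them here so
# the analyzer can resolve external types (placeholder path):
# sonar.java.libraries=lib/*.jar
```

With no bytecode in that directory the scanner completes, but the rules that need type resolution report little, which is exactly the limitation the answer above points out.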

