SonarQube with Gradle - Source code overwritten if we used multiple sonar.sources from gradle

Please find the details below:

  • Community Edition - Version 10.0 (build 68432)
  • SonarQube deployed using Docker image.
  • We’re trying to achieve code scanning and analysis using SonarQube with Gradle integration.
  • We’ve tried the steps below to achieve it:
  1. Set up SonarQube and Gradle integration by following the SonarQube documentation.
  2. Set up the SonarQube server on a local machine using the Docker image.
  3. Configured Sonar parameters to our project's requirements. Also set the sonar.sources property with multiple modules/projects.
  4. It should scan both projects or modules, as we are already using the same setup on Azure DevOps Pipelines, but it is overwriting the first source path's code with the second source path's code.
  5. We’re only getting a single project's code in the Code tab of the SonarQube server.
  6. For more details please check the attached screenshots and code snippets.


Here, in the above 3 screenshots, the first image shows a live working example of the same project having 2 modules (common and snaplot). In the 2nd and 3rd images, you can see the first module's scanned code gets overwritten after the second module's scan, which should not happen.

Kindly support. Thanks! :slightly_smiling_face:

Hi,

Welcome to the community!

Analyses are not additive. To get all your code reflected in SonarQube together, you’ll have to analyze it together.

If, for some reason, your modules cannot be built and analyzed together - and this would be unusual - then you should give each one a unique sonar.projectKey so that at least they don’t replace each other in the same project.

 
HTH,
Ann

Yes, using a unique sonar.projectKey it is possible to analyze the code. But can’t we use the same projectKey for both modules, which are part of a single project? It’s already configured in Azure pipelines but I’m not able to achieve it using the Gradle file.

Here are the properties which I’m passing:

    properties {
        property 'sonar.host.url', 'http://localhost:9000' //host_url
        property "sonar.token", '<token>' //token
        property "sonar.projectKey", "android"
        property 'sonar.projectName', 'android'
        property 'sonar.projectDescription', 'Mobile App'
        property 'sonar.projectVersion', '1.1'
        property 'sonar.language', 'java'
        // property 'sonar.modules', 'common,snaplot'
        // property "sonar.projectBaseDir", "."
        property "sonar.sources", "snaplot/src/main/java,common/src/main/java"
        property 'sonar.verbose', 'true'
        property 'sonar.java.source', 11
        // property 'sonar.junit.reportPaths', 'build/results'
        property 'charSet', 'UTF-8'
        property "sonar.sourceEncoding", "UTF-8"
        property "sonar.coverage.jacoco.xmlReportPaths", "../**/build/reports/jacoco/**/*.xml"
        property "sonar.exclusions", "build/**,\
                 bin/**,\
                 gradle/**,\
                 gradlew,\
                 gradlew.bat,\
                 *.gradle"
    }

Thanks! :slightly_smiling_face:

Hi,

Are the modules built in the same pipeline?

For Java analysis, you need access to both the source and the byte code.

So if all the code is built in the same pipeline, you can absolutely analyze it all together. In fact, that’s the default. How are you running analysis that only one module is being analyzed at a time?

Ann

Yes, both the modules are built in the same pipeline.

You can see the configuration for this in my earlier response. I used this command to run the SonarQube task - ./gradlew sonarqube --stacktrace

Do you have any other suggestions for the above configs?

Hi,

I guess you’re doing that for each module? Instead, you should do it once for the whole project.

 
Ann


That’s correct Ann :clap:
I was doing analysis on each module rather than doing it in root. It solved my problem and I was able to achieve what I want.

Thanks for your help!! :pray:

Regards,
Chetan.
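
The fix confirmed above, written out as a build file; this is an added example, not part of the original posts. The plugin is applied once in the root project and the analysis runs once from the root, so both modules (common and snaplot) report into the same SonarQube project. The plugin version, the settings.gradle contents and the SONAR_TOKEN variable name are assumptions.

```groovy
// Root build.gradle (constructed example).
// Assumes settings.gradle contains: include ':common', ':snaplot'
plugins {
    // Version is an assumption; pick the release that matches your server.
    id 'org.sonarqube' version '4.0.0.2929'
}

sonar {
    properties {
        property 'sonar.host.url', 'http://localhost:9000'
        // One key for the whole build: every module lands in this project.
        property 'sonar.projectKey', 'android'
        property 'sonar.projectName', 'android'
        property 'sonar.sourceEncoding', 'UTF-8'

        // Read the token from the environment so it is never committed
        // with the build file. SONAR_TOKEN is an assumed variable name.
        def token = System.getenv('SONAR_TOKEN')
        if (token) {
            property 'sonar.token', token
        }

        // No sonar.sources here: when the plugin is applied at the root,
        // it sets sources for each module from that module's source sets.
    }
}

// Do NOT apply the plugin again inside common/build.gradle or
// snaplot/build.gradle, and do not run the task from a module directory:
// each separate run with the same projectKey replaces the previous result.

// Run once, from the root directory, so sources and bytecode of both
// modules are available to the same analysis:
//   SONAR_TOKEN=<token> ./gradlew build sonar
```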
