- ALM used: GitHub
- CI system used: Jenkins
- Languages of the repository: Java/JS/TS
Hello! We’re migrating a JDK8 project to JDK17. For SonarCloud analyzing we’re using Maven sonarscanner (which currently runs on JDK11).
Must we migrate environment for sonarscanner to JDK17 or JDK11 environment is enough/won’t cause any problems to analyze the JDK17-built code? Any issues can be caused by using language features/API not existing in JDK11?
Experimentally I discovered that if we use JDK11 for sonarscanner of Java17 code, it will not trigger some remarks like java:S5738 for
new Integer(1), while when use JDK17 for sonarscanner of the same code - it properly generates these remarks.
Sorry for the late response.
It’s convenient if you can run the SonarScanner for Maven with the same JVM you’re using to compile – it means you can write a single command (
mvn clean package sonar:sonar) instead of having to do something like
mvn clean package
I am not sure why
java:S5378 raises that issue when using the Java 17 scanner rather than Java 11. I suspect it has something to do with detecting the JDK used to build the code. I’ll flag it for some expert attention.
The reason why the analyzer behaves differently in Java is because by default, it takes the JAVA API classes from the Java Runtime Environment where the analyzer is running in, not that of the JDK the project is build for. So in your case Java 11, where the
Integer(int) constructor was not yet deprecated.
Cross JDK analysis is possible by setting the
jdkHome parameter, but it’s meant for the other way around, e.g., to analyze a JDK 11 project inside a JDK 17 build environment. This is described in more detail in the documentation here.
Are there any specific reasons why you don’t want to upgrade your build environment to Java 17? We soon will drop scanner support for Java 11 anyway, and as @Colin pointed out, it’s more convenient to use the same JVM.
Hello @Marco_Kaufmann, it seemed to be complicated to migrate all our build infrastructure to Java17 at once. Yet, we achieved that goal with less efforts than expected.
So now we are using JDK17 both for compiling and for Sonar analyzing, thus the issue raised originally is not relevant anymore.
Thanks for sharing the documentation!