SonarScanner: must we use JDK17 for analyzing JDK17 code?

lrozenblyum · June 21, 2023, 8:12am

ALM used: GitHub
CI system used: Jenkins
Languages of the repository: Java/JS/TS

Hello! We’re migrating a JDK8 project to JDK17. For SonarCloud analyzing we’re using Maven sonarscanner (which currently runs on JDK11).
Must we migrate environment for sonarscanner to JDK17 or JDK11 environment is enough/won’t cause any problems to analyze the JDK17-built code? Any issues can be caused by using language features/API not existing in JDK11?

lrozenblyum · June 21, 2023, 11:58am

Experimentally I discovered that if we use JDK11 for sonarscanner of Java17 code, it will not trigger some remarks like java:S5738 for new Integer(1), while when use JDK17 for sonarscanner of the same code - it properly generates these remarks.

Colin · July 4, 2023, 8:44am

Hey there.

Sorry for the late response.

It’s convenient if you can run the SonarScanner for Maven with the same JVM you’re using to compile – it means you can write a single command (mvn clean package sonar:sonar) instead of having to do something like

mvn clean package
Switch JVM
mvn sonar:sonar

I am not sure why java:S5378 raises that issue when using the Java 17 scanner rather than Java 11. I suspect it has something to do with detecting the JDK used to build the code. I’ll flag it for some expert attention.

Marco_Kaufmann · September 15, 2023, 3:45pm

Hello Lrozenblyum,

The reason why the analyzer behaves differently in Java is because by default, it takes the JAVA API classes from the Java Runtime Environment where the analyzer is running in, not that of the JDK the project is build for. So in your case Java 11, where the Integer(int) constructor was not yet deprecated.

Cross JDK analysis is possible by setting the jdkHome parameter, but it’s meant for the other way around, e.g., to analyze a JDK 11 project inside a JDK 17 build environment. This is described in more detail in the documentation here.

Are there any specific reasons why you don’t want to upgrade your build environment to Java 17? We soon will drop scanner support for Java 11 anyway, and as @Colin pointed out, it’s more convenient to use the same JVM.

BR,

Marco

lrozenblyum · September 18, 2023, 1:46pm

Hello @Marco_Kaufmann, it seemed to be complicated to migrate all our build infrastructure to Java17 at once. Yet, we achieved that goal with less efforts than expected.
So now we are using JDK17 both for compiling and for Sonar analyzing, thus the issue raised originally is not relevant anymore.

Thanks for sharing the documentation!

system · September 25, 2023, 1:47pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SonarCloud will no longer accept scans executed using Java 11 starting 15th of November SonarQube Cloud java , sonarqube-cloud	5	567	November 7, 2023
The Java analyzer relies on the JDK used to build your project and not the one used to run the scan Sonar Updates java , accuracy , jdk	0	3253	January 15, 2021
Maven project and sonar scan needs different java version to run SonarQube Server / Community Build	5	5913	February 3, 2025
Java 17 needed for SonarQube 10.4 SonarQube Server / Community Build	4	4954	December 11, 2023
Migration to Java 17 is blocked by Sonar Scanner requirements SonarQube Server / Community Build sonarqube , scanner , jdk	9	13799	February 10, 2022

SonarScanner: must we use JDK17 for analyzing JDK17 code?

Related topics