In recent versions (11.2+) of the Docker image sonarsource/sonar-scanner-cli, the Linux CLI tools find and xargs are no longer available. We’re upgrading from an older pre-10.x version of the image, where we used these tools to identify paths in generated or multi-module Java projects in order to set the -Dsonar.java.binaries value. These tools are now unavailable, and no similar equivalents are provided. Could these be re-added to the image?
Could you explain why you’re using a CLI image to analyze Java instead of using SonarScanner for Gradle or SonarScanner for Maven, either of which would pick up the binaries locations automatically from the build environment?
We need to enforce code quality among a disparate set of projects, some of which may not have individually/manually set up SonarScanner for Maven/Gradle in a compatible or approved way. Using the CLI lets us consistently apply a scan regardless of the project’s individual configuration, or what language the project uses (we also use the same container and job to handle non-Java projects).
But… that’s the beauty of it; you don’t really need to “set up” these analyses. You just run them and they pick up the “setup” from the projects themselves.
I understand that it would be preferable to use the plugins, but as I mentioned, we can’t guarantee that the teams writing this code will actually include the plugin. We don’t “own” every project; we’re just tasked with scanning them as part of a pipeline.
For projects which already have done so, we’ll have the pipeline use the built-in plugin tooling, but for those that don’t, we may not always be able to get the upstream changes made to leverage these plugins, and still need to provide some reasonable fidelity of a scan result.
Thanks for passing that along. We’ll look into using the plugins directly as an alternative in the future, but our environment has many subtleties that complicate use of external tools, so that’s why we were hoping to stick with the upstream image we had already worked with.
Apologies for the inconvenience caused. In our effort to decrease the chance of security vulnerabilities and make sure that our images are well maintained, we removed tools we don’t use. In the future we would like to keep this Docker image’s sole use case to wrapping our scanner: we install only the minimum necessary tools, and only those which are available on the base image. Between iterations our base image changed, which also could cause missing tools.
You can build your own image based on ours and add the tools you require to eliminate this problem.
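As an added example (not from this thread or from SonarSource), the path discovery described in the first post, written with POSIX sh globbing alone so it works in the trimmed 11.2+ image without find or xargs. It assumes Maven-style `target/classes` and Gradle-style `build/classes/java/main` output directories nested at most two module levels deep; other layouts need their own patterns added.

```shell
#!/bin/sh
# Added example, not part of the sonar-scanner-cli image or the thread above.
# Builds the comma-separated value for -Dsonar.java.binaries using only
# POSIX shell pathname expansion, so no find/xargs is required.

# Print a comma-separated list of existing compiled-class directories under
# the project root given as $1 (default: current directory).
# Assumed layouts: Maven target/classes and Gradle build/classes/java/main,
# at the root, one module level down, or two module levels down.
collect_java_binaries() {
  root=${1:-.}
  out=""
  # Candidate patterns; an unmatched glob stays literal and is skipped below.
  set -- \
    "$root"/target/classes \
    "$root"/*/target/classes \
    "$root"/*/*/target/classes \
    "$root"/build/classes/java/main \
    "$root"/*/build/classes/java/main \
    "$root"/*/*/build/classes/java/main
  for d in "$@"; do
    # Keep only real directories (drops literal unmatched patterns).
    [ -d "$d" ] || continue
    out="${out:+$out,}$d"
  done
  printf '%s\n' "$out"
}
```

From the project root, pass the result straight to the scanner: `sonar-scanner -Dsonar.java.binaries="$(collect_java_binaries .)"`.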