Within my organization, upgrading SonarQube to version 9.0 became a lengthy process due to the SonarScanner’s requirement for Java 11 but lack of support for Maven Toolchains.
We bind the SonarScanner to Maven’s verify phase so that the install and deploy phases are not reached if the the Quality Gate fails (recap of the Maven lifecycle if you need it). Along with the SonarScanner, we also bind plugins such as Dependency-Check to Maven lifecycle phases in order to assist and enforce application security practices.
Maven phases execute sequentially, so in any normal setting it would be unnecessary for developers to configure their CI pipelines to call each Maven phase and plugin individually. Yet, SonarQube 9.0 left that as one of only two reasonable options for supporting projects developed to use Java 8. That is, in order to continue scanning projects supporting Java 8, each project’s pipeline would need to be updated to call the following Maven phases independently:
- Call package with
JAVA_HOME=%PATH_TO_JAVA_8%
.
- Call verify with
JAVA_HOME=%PATH_TO_JAVA_11%
.
- Call deploy with
JAVA_HOME=%PATH_TO_JAVA_8%
.
In the case of organizations that do not bind the SonarScanner and other Maven plugins to the verify phase, the alternative is to call the sonar:sonar goal with JAVA_HOME=%PATH_TO_JAVA_11%
. I imagine that the annoyance generated from updating and testing each project’s CI pipeline to achieve this change scales with the number of projects.
The only other reasonable solution involves taking advantage of Maven Toolchains for plugins that do support it. That is, the solution is to rely on maven-compiler-plugin, maven-surefire-plugin, jaxws-maven-plugin, maven-javadoc-plugin, and other plugins that provide Toolchains support or forking ability so that Java 8 can be used. We found this more reasonable because our parent POM, in use by most projects, already took advantage of the forking ability. We were still required to update each project’s CI pipeline to run Maven with Java 11 by setting JAVA_HOME=%PATH_TO_JAVA_11%
.
Java 8 is a LTS version until December of 2030, it’s reasonable to assume that legacy systems will continue using it until very close to that date, and there are few security risks associated with doing so. By not supporting Maven Toolchains or the ability to fork with a different Java executable, the SonarScanner for Maven does not fulfill one of its primary capabilities, the ability to fit into the Maven build without need for manual configuration. I quote the official description of the Maven SonarScanner as follows:
The ability to execute the SonarQube analysis via a regular Maven goal makes it available anywhere Maven is available (developer build, CI server, etc.), without the need to manually download, setup, and maintain a SonarQube Runner installation. The Maven build already has much of the information needed for SonarQube to successfully analyze a project. By preconfiguring the analysis based on that information, the need for manual configuration is reduced significantly.