Unable to scan modules inside java/maven monorepo

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension): Sonarqube 10.5, Maven Sonar Plugin 4.0.0.4121
  • how is SonarQube deployed: zip
  • what are you trying to achieve: I want to scan merge requests, but only the module that has been changed
  • what have you tried so far to achieve this:

I feel that it’s necessary for me to describe my current situation before telling you what I’ve already done about it.

My license type is Enterprise. I have a large monorepo project with about 400k LoC and 10+ modules with a lot of submodules inside each one. So I have 1 “root” pom.xml, and each module and submodule has its own separate pom.xml which inherits some properties from the root one.

When I try to scan the project, including scans triggered by merge requests (I use GitLab CI), it usually takes a lot of time, anywhere between 8 and 12 minutes.
This scan time is unacceptable to us because it takes more time than building and deploying the whole project from scratch.
I figured that I can detect which module has been changed and scan exactly this module/submodule to reduce scanning time. The problem is, when I try to do this, I encounter an error.

  • I have tried pointing mvn to the desired (changed) module’s directory by using the “-pl” flag for the mvn command while pointing mvn to the “main” pom.xml via “-f”
  • I have tried pointing mvn to the desired (changed) module’s directory by using the “-f” flag without using “-pl”
  • I have tried just “cd desired/module/directory” before running the mvn command (without -f or -pl)

This is an example of the script section of my GitLab CI pipeline which I use to scan the project:

  script:
    - echo $path
    - cd $path
    - "mvn sonar:sonar
      -Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository \
      -Dsonar.qualitygate.wait=true \
      -Dsonar.projectName=monorepo-name_$module_name \
      -Dsonar.projectKey=$module_name \
      -Dsonar.java.binaries=$CI_PROJECT_DIR/.m2/repository \
      -Dsonar.pullrequest.key=$CI_MERGE_REQUEST_IID \
      -Dsonar.pullrequest.branch=$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME \
      -Dsonar.pullrequest.base=$CI_MERGE_REQUEST_TARGET_BRANCH_NAME \
      -Dmaven.test.skip=true \
      -Dsonar.exclusions=**/*.sql"

Everything leads to a single error which prevents me from scanning my modules:
“[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:4.0.0.4121:sonar (default-cli) on project module_name: Maven session does not declare a top level project → [Help 1]”

Can you guide me on how to do this?
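The post above wants to scan only the module that a merge request touched, which first requires mapping the changed files onto the Maven modules that own them. The following is an added example, not code from the original post or from SonarSource: it walks from each changed path up to the nearest directory containing a pom.xml (that directory is the module; files with no enclosing pom.xml below the root belong to the root project, printed as "."), and prints the unique module set. The `make_fixture` layout (core, core/api, web) and the constructed path list are assumptions for demonstration; in the pipeline the path list would come from `git diff --name-only "$CI_MERGE_REQUEST_DIFF_BASE_SHA...HEAD"`.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): map changed file paths to the
# Maven module (nearest ancestor directory holding a pom.xml) that owns them.
set -eu

# owning_module <repo_root> <repo_relative_path>
# Prints the repo-relative directory of the nearest enclosing pom.xml, or "."
# when only the root pom.xml covers the file.
owning_module() {
  root=$1
  dir=$(dirname "$2")
  while [ "$dir" != "." ] && [ "$dir" != "/" ]; do
    if [ -f "$root/$dir/pom.xml" ]; then
      printf '%s\n' "$dir"
      return 0
    fi
    dir=$(dirname "$dir")
  done
  printf '.\n'
}

# modules_for_paths <repo_root>
# Reads repo-relative paths on stdin (e.g. the output of `git diff --name-only`),
# resolves each to its module and prints the unique, sorted module list.
modules_for_paths() {
  root=$1
  while IFS= read -r f; do
    if [ -n "$f" ]; then
      owning_module "$root" "$f"
    fi
  done | LC_ALL=C sort -u
}

# make_fixture
# Builds a throwaway monorepo skeleton (assumed layout, constructed for the
# demo): root pom plus modules core, core/api and web. Prints its path.
make_fixture() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/core/api/src/main/java" "$tmp/core/src/main/java" "$tmp/web"
  for d in . core core/api web; do
    : > "$tmp/$d/pom.xml"
  done
  printf '%s\n' "$tmp"
}

# demo
# Runs the mapping over a constructed list of changed paths. With the fixture
# above this prints four modules: ".", "core", "core/api" and "web".
demo() {
  root=$(make_fixture)
  printf '%s\n' \
    core/api/src/main/java/Foo.java \
    core/src/main/java/Bar.java \
    web/pom.xml \
    README.md \
    | modules_for_paths "$root"
  rm -rf "$root"
}

# changed_modules_csv <repo_root>
# Same mapping, joined with commas so it can be handed to `mvn -pl`.
changed_modules_csv() {
  modules_for_paths "$1" | paste -sd, -
}

demo
```

The comma-joined form is the value the post's pipeline would pass to `-pl` when it invokes `mvn -f pom.xml`; whether sonar-maven-plugin then accepts that reduced reactor is the separate Maven-session problem the thread goes on to discuss, and this script does not change that behaviour.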

Hi,

I’m not a Mavenista, but I suspect this is your problem:

Are these modules buildable independently?

Ann

I guess they are not. We use -f -pl to build individual modules. This leads to building exactly this module without touching anything else.
I figured that I could use this approach for scanning modules with SonarQube, but I must have been wrong.

Is there a way to scan individual modules despite them not being buildable independently? I don’t really want to build them tbh, I just need Sonar to scan the code for code smells etc. I could live without being able to get advanced security scan results until I migrate the modules to individual projects.

Hi,

I decided to search on the error message (‘Maven session does not declare a top level project’) and landed at this SO question which poses the same problem against… SonarQube 3.7!

The answers there may help you wrangle Maven. At the same time, I’m curious what you’re seeing in your logs in the context of a merge request since in that context, analysis should be limited to only what was changed in the MR. Would you mind sharing your analysis log?

The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.

This guide will help you find them.

Ann

Good day Ann!

Sorry for the long wait.
merge_request_pipeline_monorepo.txt (32.8 KB)

Here is the log file. I need to find some way to scan different modules of the monorepo individually. Is making them buildable independently the only way? It’s a rather old project with a lot of legacy dependencies, and I’m really reluctant to change any pom.xml contents unless it is absolutely necessary.

Hi,

Thanks for the log. I didn’t realize it would be quite so… short. :sweat_smile:

It looks like you have to sort out the Maven stuff before we can get any further, and I’m not going to be much more help than I already have been.

:frowning:
Ann

Good day Ann!
For some reason it just started working; I did not even change anything. Very strange.
Sometimes it still ends with an error, although not with this one. If I decide to go through fixing that error via the forums, I will start a separate thread. Thank you.