Why are Java .class files needed in a static analysis?

I’m using SonarQube version 8.4 to run a static analysis of a Java project and I was wondering if .class files are necessary to do it.

The official documentation says that they are optional:

But if I execute sonar-scanner without -Dsonar.java.binaries, it fails and returns this error:

ERROR: Error during SonarQube Scanner execution
ERROR: Your project contains .java files, please provide compiled classes with sonar.java.binaries property, or exclude them from the analysis with sonar.exclusions property.

If I execute the same command with "-Dsonar.java.binaries=." defined, the analysis runs correctly with no error returned.

Hi,

Welcome to the community!

Your version is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:

8.4 → 8.9.7 → 9.3 (last step optional)

You may find the Upgrade Guide helpful. If you have questions about upgrading, feel free to open a new thread for that here.

Regarding your question, I suppose that wording in the documentation should be a bit stronger. (I believe I recognize it as something I wrote several years ago, when binaries were still optional. I’ll raise the point internally.) For those languages, plus C, C++, and Objective-C, binaries are required, although for different reasons.

For Java we require the .class files because we read them during analysis to do a deeper, more thorough, more accurate analysis. For the other languages, compilation is required because we eavesdrop on it to learn enough about the project to do a thorough analysis.

 
HTH,
Ann


Hi,

As you said, for Java .class files are required to do a more accurate analysis, but I don’t understand why, if these files are required, I can run sonar-scanner in a project with no .class files by just defining "-Dsonar.java.binaries=.", supposing it doesn’t take any binaries (if I don’t put that option it returns the error message I mentioned before, and that’s why I put the dot).

And another question: from which version are binaries required?

Thank you for the quick response!

Hi,

Using sonar.java.binaries=. is a hack that’s not recommended.
As Ann already mentioned, the binaries are required for an accurate analysis, since the release of Sonar Java 4.12 in 2017.

Gilbert


Hi,

Then what’s the correct way of using sonar.java.binaries? Pointing to a folder or what?

Thank you for the info!

Hi,

Yes, pointing to the folder with your binaries = class files.
Don’t know your build system, but maybe this helps:


Hi,

I’m compiling using mvn clean compile and after that using:

sonar-scanner '-Dsonar.host.url=http://192.168.1.25' '-Dsonar.projectKey=org.javaProject:myProject' '-Dsonar.projectName=myProject' '-Dsonar.sourceEncoding=UTF-8' '-Dsonar.sources=src' '-Dsonar.java.binaries=target' '-Djavax.net.ssl.trustStore=/certs'

to make the analysis.


Hi,

If you’re compiling with Maven then you should consider analyzing with Maven too. It knows your project configuration (including where the binaries are!), so your command becomes

mvn clean compile sonar:sonar -Dsonar.host.url=http://192.168.1.25 -Djavax.net.ssl.trustStore=/certs

 
HTH,
Ann


Hi,

In case I still do the analysis using Scanner instead of Maven, do you know how the folder target in the flag -Dsonar.java.binaries=target has to be structured?

Thank you for all the info!

Hi,

The target folder will be structured the way Maven structures things. If you still want to use the vanilla scanner, point to target/classes for the class files.

 
Ann

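A pre-flight check for the vanilla-scanner route discussed above, added here as an example (not part of the thread and not SonarSource code): it stops before sonar-scanner runs when the directory given to sonar.java.binaries holds no .class files, as with the "." workaround, or lacks a class for some source file. It assumes the Maven layout (src/main/java, target/classes) and that each .java file declares a type named after the file; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: verify sonar.java.binaries before calling sonar-scanner.
# Assumed layout (Maven): sources in src/main/java, classes in target/classes.

# Print each source file (path relative to src_root) with no matching .class.
missing_classes() {
  local src_root=${1%/} bin_dir=${2%/} rel
  find "$src_root" -type f -name '*.java' ! -name 'package-info.java' | sort |
  while IFS= read -r java_file; do
    rel=${java_file#"$src_root"/}
    # Assumption: Foo.java compiles to Foo.class in the same package path.
    [ -f "$bin_dir/${rel%.java}.class" ] || printf '%s\n' "$rel"
  done
}

# Return 0 only if bin_dir holds a compiled class for every source file.
#   2 = directory missing, 3 = no .class files at all, 4 = partial/stale build
check_java_binaries() {
  local src_root=$1 bin_dir=$2 missing
  if [ ! -d "$bin_dir" ]; then
    echo "binaries dir '$bin_dir' does not exist; compile first" >&2
    return 2
  fi
  if [ -z "$(find "$bin_dir" -type f -name '*.class' | head -n 1)" ]; then
    echo "no .class files under '$bin_dir'; the scanner would have no bytecode to read" >&2
    return 3
  fi
  missing=$(missing_classes "$src_root" "$bin_dir")
  if [ -n "$missing" ]; then
    echo "no .class file found for these sources (wrong folder or stale build?):" >&2
    printf '%s\n' "$missing" | sed 's/^/  /' >&2
    return 4
  fi
  return 0
}

# Usage: ./check-binaries.sh src/main/java target/classes && sonar-scanner ...
if [ "$#" -eq 2 ]; then
  check_java_binaries "$1" "$2"
fi
```

Pointing the check at target instead of target/classes yields exit code 4, because the class files are not at the package paths directly under that folder.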
