This version of the SonarQube documentation is no longer maintained. It relates to a version of SonarQube that is not active.

SonarScanner for Maven

The SonarScanner for Maven is recommended as the default scanner for Maven projects.

SonarScanner for Maven — 5.2.0.4988 | Issue Tracker

  • 5.2.0.4988 (2025-08-29): Index .github folder for analysis

  • 5.1.0.4751 (2025-03-25): Support sonar.region

  • 5.0.0.4389 (2024-11-06): Automatic JRE provisioning

  • 4.0.0.4121 (2024-05-31): Drop support of Java 8 runtime

  • 3.11.0.3922 (2024-03-13): Collects files outside of conventional sonar.sources (aka scan more files)

  • 3.10.0.2594 (2023-09-15): Support Maven 4

  • 3.9.1.2184 (2022-01-12): Increase socket connect timeout to 30s

  • 3.9.0.2155 (2021-04-30): Update dependencies

  • 3.8.0.2131 (2021-01-13): Support for Bitbucket Pipelines with SonarQube 8.7+, use JDK from the build

  • 3.7.0.1746 (2019-10-01): Support SONAR_HOST_URL environment variable to configure the server URL

  • 3.6.1.1688 (2019-09-02): Fix a vulnerable dependency

The ability to execute the SonarQube analysis via a regular Maven goal makes it available anywhere Maven is available (developer build, CI server, etc.), without the need to manually download, set up, and maintain a SonarQube scanner installation. The Maven build already has much of the information needed for SonarQube to successfully analyze a project. By preconfiguring the analysis based on that information, the need for manual configuration is reduced significantly.

Prerequisites

  • Maven 3.2.5+

  • At least the minimal version of Java supported by your SonarQube server is in use

Global settings

Edit the settings.xml file, located in <MAVEN_HOME>/conf or ~/.m2, to set the plugin prefix and optionally the SonarQube server URL.

Example:

<settings>
    <pluginGroups>
        <pluginGroup>org.sonarsource.scanner.maven</pluginGroup>
    </pluginGroups>
    <profiles>
        <profile>
            <id>sonar</id>
            <activation>
                <activeByDefault>true</activeByDefault>
            </activation>
            <properties>
                <!-- Optional URL to server. Default value is http://localhost:9000 -->
                <sonar.host.url>http://myserver:9000</sonar.host.url>
            </properties>
        </profile>
    </profiles>
</settings>

Analyzing

Analyzing a Maven project consists of running a Maven goal, sonar:sonar, from the directory that holds the main project pom.xml. You need to pass an authentication token (see Generating and using tokens) using the sonar.token property in your command line.

mvn clean verify sonar:sonar -Dsonar.token=myAuthenticationToken

In some situations you may want to run the sonar:sonar goal as a dedicated step. Be sure to use install as the first step for multi-module projects:

mvn clean install
mvn sonar:sonar -Dsonar.token=myAuthenticationToken
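
A token typed literally after -Dsonar.token= ends up in shell history and in any committed CI file that contains the command. The following check is an added example, not part of the SonarQube documentation: it scans build command lines for literal sonar.token values and ignores variable references. The variable name SONAR_TOKEN and the sample lines are constructed for illustration.

```python
import re

# -Dsonar.token=<value>: double-quoted, single-quoted, a ${{ ... }} CI
# expression (which may contain spaces), or a bare unquoted run.
TOKEN_ARG = re.compile(
    r"-Dsonar\.token=(?:\"([^\"]*)\"|'([^']*)'|(\$\{\{.*?\}\}|[^\s\"']*))"
)
# Values that only reference a variable, so no secret is stored in the file.
INDIRECT = re.compile(
    r"^(?:\$\{\{.*\}\}"                      # ${{ secrets.NAME }}
    r"|\$\{?[A-Za-z_][A-Za-z0-9_.]*\}?"      # $NAME or ${NAME}
    r"|\$\([A-Za-z_][A-Za-z0-9_.]*\)"        # $(NAME)
    r"|%[A-Za-z_][A-Za-z0-9_]*%)$"           # %NAME%
)

def find_literal_tokens(text):
    """Return (line_number, redacted_value) for each hard-coded sonar.token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_ARG.finditer(line):
            value = next(g for g in match.groups() if g is not None)
            if value and not INDIRECT.match(value):
                # Never echo the full secret into a report or CI log.
                findings.append((lineno, value[:4] + "***"))
    return findings

# Constructed sample: build commands as they might appear in CI files.
SAMPLE = """\
mvn clean verify sonar:sonar -Dsonar.token=myAuthenticationToken
mvn sonar:sonar -Dsonar.token=$SONAR_TOKEN
mvn sonar:sonar "-Dsonar.token=${SONAR_TOKEN}"
run: mvn -B verify sonar:sonar -Dsonar.token=${{ secrets.SONAR_TOKEN }}
mvn sonar:sonar -Dsonar.token='CONSTRUCTED-not-a-real-token'
mvn sonar:sonar -Dsonar.token=%SONAR_TOKEN%
"""

if __name__ == "__main__":
    for lineno, shown in find_literal_tokens(SAMPLE):
        print(f"line {lineno}: literal sonar.token value {shown}")
```
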

To specify the version of sonar-maven-plugin instead of using the latest:

mvn org.sonarsource.scanner.maven:sonar-maven-plugin:3.7.0.1746:sonar

To get coverage information, you’ll need to generate the coverage report before the analysis and specify the location of the resulting report in an analysis parameter. See Overview for details.

Configuring analysis

Most analysis properties will be read from your project. If you would like to override the default values of specific additional parameters, configure the parameter names found on the Analysis parameters page in the <properties> section of your pom.xml like this:

<properties>
  <sonar.buildString> [...] </sonar.buildString>
</properties>

Sample project

To help you get started, a simple project sample is available here: https://github.com/SonarSource/sonar-scanning-examples/tree/master/sonar-scanner-maven/maven-basic

Excluding a module from analysis

  • Define the property <sonar.skip>true</sonar.skip> in the pom.xml of the module you want to exclude.

  • Use build profiles to exclude some modules (like for integration tests).

  • Use Advanced Reactor Options (such as "-pl"). For example: mvn sonar:sonar -pl !module2

How to fix the version of the Maven plugin

It is recommended to lock down versions of Maven plugins:

<build>
  <pluginManagement>
    <plugins>
      <plugin>
        <groupId>org.sonarsource.scanner.maven</groupId>
        <artifactId>sonar-maven-plugin</artifactId>
        <version>3.7.0.1746</version>
      </plugin>
    </plugins>
  </pluginManagement>
</build>
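
One way to check that a POM actually locks the scanner version as recommended above (an added example, not SonarSource code): it reports whether sonar-maven-plugin is declared with one exact version, resolving a ${...} reference against the POM's own <properties>. The sample POMs are constructed.

```python
import re
import xml.etree.ElementTree as ET

GROUP_ID = "org.sonarsource.scanner.maven"
ARTIFACT_ID = "sonar-maven-plugin"
# Accept one exact version only: no ranges, no LATEST/RELEASE keywords.
EXACT_VERSION = re.compile(r"^\d+(\.\d+)+$")
PROPERTY_REF = re.compile(r"^\$\{([^}]+)\}$")

def scanner_pin_status(pom_xml):
    """Return ('pinned', version), ('unpinned', raw or None) or ('absent', None)."""
    # Meant for POMs from your own repository, not for untrusted XML.
    root = ET.fromstring(pom_xml)
    for el in root.iter():  # drop the POM namespace so plain paths match
        el.tag = el.tag.split("}", 1)[-1]
    props = {p.tag: (p.text or "").strip() for p in root.findall("properties/*")}
    status = ("absent", None)
    for path in ("build/pluginManagement/plugins/plugin", "build/plugins/plugin"):
        for plugin in root.findall(path):
            coords = (plugin.findtext("groupId", "").strip(),
                      plugin.findtext("artifactId", "").strip())
            if coords != (GROUP_ID, ARTIFACT_ID):
                continue
            raw = plugin.findtext("version", "").strip()
            ref = PROPERTY_REF.match(raw)
            # A ${name} reference counts only if this POM defines it exactly.
            version = props.get(ref.group(1), "") if ref else raw
            if EXACT_VERSION.match(version):
                return ("pinned", version)
            status = ("unpinned", raw or None)
    return status

def sample_pom(version_xml, properties_xml=""):
    """Build a constructed POM around the plugin entry shown on this page."""
    return f"""<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>{properties_xml}</properties>
  <build><pluginManagement><plugins><plugin>
    <groupId>{GROUP_ID}</groupId>
    <artifactId>{ARTIFACT_ID}</artifactId>
    {version_xml}
  </plugin></plugins></pluginManagement></build>
</project>"""

if __name__ == "__main__":
    for label, pom in [
        ("exact", sample_pom("<version>3.7.0.1746</version>")),
        ("missing", sample_pom("")),
        ("keyword", sample_pom("<version>LATEST</version>")),
    ]:
        print(label, scanner_pin_status(pom))
```
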

Troubleshooting

If you get a java.lang.OutOfMemoryError

Set the MAVEN_OPTS environment variable, like this in Unix environments:

export MAVEN_OPTS="-Xmx512m"

In Windows environments, avoid the double quotes, since they get misinterpreted.

set MAVEN_OPTS=-Xmx512m
