This version of the SonarQube documentation is no longer maintained. It relates to a version of SonarQube that is not active.

SonarScanner for Maven

The SonarScanner for Maven is recommended as the default scanner for Maven projects.

SonarScanner for Maven releases:

  • 5.2.0.4988 (2025-08-29): Index .github folder for analysis

  • 5.1.0.4751 (2025-03-25): Support sonar.region

  • 5.0.0.4389 (2024-11-06): Automatic JRE provisioning

  • 4.0.0.4121 (2024-05-31): Drop support of Java 8 runtime

  • 3.11.0.3922 (2024-03-13): Collects files outside of conventional sonar.sources (aka scan more files)

  • 3.10.0.2594 (2023-09-15): Support Maven 4

  • 3.9.1.2184 (2022-01-12): Increase socket connect timeout to 30s

  • 3.9.0.2155 (2021-04-30): Update dependencies

  • 3.8.0.2131 (2021-01-13): Support for Bitbucket Pipelines with SonarQube 8.7+, use JDK from the build

  • 3.7.0.1746 (2019-10-01): Support SONAR_HOST_URL environment variable to configure the server URL

  • 3.6.1.1688 (2019-09-02): Fix a vulnerable dependency

The ability to execute the SonarQube Server analysis via a regular Maven goal makes it available anywhere Maven is available (developer build, CI server, etc.), without the need to manually download, set up, and maintain a scanner installation. The Maven build already has much of the information needed for SonarQube Server to successfully analyze a project. By preconfiguring the analysis based on that information, the need for manual configuration is reduced significantly.

Prerequisites

  • Maven 3.2.5+

  • Java 17 or later

  • Java 11 or later with JRE auto-provisioning

See also General requirements.

Analyzing

Analyzing a Maven project consists of running a Maven goal: org.sonarsource.scanner.maven:sonar-maven-plugin:sonar from the directory that holds the main project pom.xml. You need to pass an authentication token (see Managing your tokens) using one of the following options:

  • Use the sonar.token property. For example, to set it on the command line, execute mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.token=yourAuthenticationToken and wait until the build has completed, then open the web page indicated at the bottom of the console output. You should now be able to browse the analysis results.

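  • Create the SONAR_TOKEN environment variable and set the token as its value. This keeps the token out of the command line, where it would be visible in the process list and could be saved in shell history.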

mvn clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.token=myAuthenticationToken

In some situations you may want to run the org.sonarsource.scanner.maven:sonar-maven-plugin:sonar goal as a dedicated step. Be sure to use install as the first step for multi-module projects:

mvn clean install
mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.token=myAuthenticationToken

Plugin version

If the sonar-maven-plugin is not configured to a fixed version, the latest one will be used. We recommend specifying the plugin version to avoid breaking changes:

mvn org.sonarsource.scanner.maven:sonar-maven-plugin:<version>:sonar

As of version 5.0 of the scanner, the analysis runs on a provided JDK 17 by default. If your project uses a different Java version, there might be inconsistencies between the Java API your project uses and the one provided during the analysis. Specifying the correct JDK version ensures that the analysis runs with the correct Java version. See the Project’s specific JDK section of the Java article for more information.

Also, see Locking down the version of the Maven plugin below.

Coverage

To get coverage information, you’ll need to generate the coverage report before the analysis and specify the location of the resulting report in an analysis parameter. See Overview for details.

The SonarScanners run on code that is checked out. See Checked-out code.

Configuring analysis

Most analysis properties will be read from your project. If you would like to override the default values of specific additional parameters, configure the parameter names found on the Analysis parameters page in the <properties> section of your pom.xml like this:

<properties>
  <sonar.buildString> [...] </sonar.buildString>
</properties>

Sample project

To help you get started, a simple project sample is available here: https://github.com/SonarSource/sonar-scanning-examples/tree/master/sonar-scanner-maven/maven-basic

Adjusting the analysis scope

The analysis scope of a project determines the source and test files to be analyzed.

An initial analysis scope is set by default. With the SonarScanner for Maven, the initial analysis scope is:

  • For source files: all the files stored under src/main/java (in the root or module directories).

  • For test files: all the files stored under src/test/java (in the root or module directories).

To adjust the analysis scope, you can:

  • Adjust the initial scope: see below.

  • Exclude specific files from the initial scope: see Introduction.

  • Exclude specific modules from the analysis: see below.

Adjusting the initial scope

The initial scope is set through the sonar.sources property (for source files) and the sonar.tests property (for test files). See Analysis parameters for more information.

To adjust the initial scope, you can:

  • Either override these properties by setting them explicitly in your build like any other relevant Maven property: see Setting initial scope.

  • Or use the scanAll option to extend the initial scope to non-JVM-related files. See below.

Using the scanAll option to include non-JVM-related files

You may want to analyze not only the JVM main files but also files related to configuration, infrastructure, etc. An easy way to do that is to enable the scanAll option (this option is disabled by default).

If the scanAll option is enabled then the initial analysis scope of source files will be:

  • The files stored in src/main/java.

  • The non-JVM-related files stored in the root directory of your project.

To enable the scanAll option:

  • Set the sonar.maven.scanAll property to true.

Excluding a module from the analysis

To exclude a module from the analysis, you may:

  • In the pom.xml of the module you want to exclude, define the <sonar.skip>true</sonar.skip> property.

  • Use build profiles to exclude some modules (like for integration tests).

  • Use Advanced Reactor Options (such as -pl). For example: mvn sonar:sonar -pl !module2

Other settings

Locking down the version of the Maven plugin

It is recommended to lock down versions of Maven plugins:

<build>
  <pluginManagement>
    <plugins>
      <plugin>
        <groupId>org.sonarsource.scanner.maven</groupId>
        <artifactId>sonar-maven-plugin</artifactId>
        <version>yourPluginVersion</version>
      </plugin>
    </plugins>
  </pluginManagement>
</build>
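
A CI check for the version lock described above, as an added example that is not part of the SonarQube documentation: it reports a pom.xml in which sonar-maven-plugin has no fixed version. It also flags a literal sonar.token or sonar.login in <properties>, on the assumption that tokens belong in SONAR_TOKEN rather than in version control; the property name sonar.plugin.version and both sample POMs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

GROUP, ARTIFACT = "org.sonarsource.scanner.maven", "sonar-maven-plugin"
SECRET_PROPS = {"sonar.token", "sonar.login"}  # sonar.login: legacy token property
FIXED = re.compile(r"\d+(\.\d+)+")  # e.g. 5.2.0.4988; rejects ranges, LATEST, RELEASE

def audit_pom(pom_xml):
    """Return findings for one pom.xml from your own checkout (parent POMs not resolved)."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():                       # drop the POM namespace, if any
        el.tag = el.tag.rsplit("}", 1)[-1]
    props = {p.tag: (p.text or "").strip() for p in root.findall("./properties/*")}
    def version_of(plugin):
        v = (plugin.findtext("version") or "").strip()
        ref = re.fullmatch(r"\$\{(.+)\}", v)     # <version>${some.property}</version>
        return props.get(ref.group(1), "") if ref else v

    findings = []
    versions = [version_of(p) for p in root.iter("plugin")
                if (p.findtext("groupId") or "").strip() == GROUP
                and (p.findtext("artifactId") or "").strip() == ARTIFACT]
    # One fixed declaration (typically in pluginManagement) pins every use of the plugin.
    if not any(FIXED.fullmatch(v) for v in versions):
        findings.append("sonar-maven-plugin has no fixed version; the latest one will be used")
    for prop in root.findall(".//properties/*"):
        value = (prop.text or "").strip()
        if prop.tag in SECRET_PROPS and value and not value.startswith("${env."):
            findings.append(f"{prop.tag} is a literal in pom.xml; supply it via SONAR_TOKEN")
    return findings

# Constructed sample POMs; sonar.plugin.version is a hypothetical property name.
PINNED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <build><pluginManagement><plugins><plugin>
    <groupId>org.sonarsource.scanner.maven</groupId>
    <artifactId>sonar-maven-plugin</artifactId>
    <version>${sonar.plugin.version}</version>
  </plugin></plugins></pluginManagement></build>
  <properties><sonar.plugin.version>5.2.0.4988</sonar.plugin.version></properties>
</project>"""

UNPINNED_POM = """<project><properties><sonar.token>constructed-example-value</sonar.token></properties>
  <build><plugins><plugin>
    <groupId>org.sonarsource.scanner.maven</groupId>
    <artifactId>sonar-maven-plugin</artifactId>
  </plugin></plugins></build>
</project>"""

if __name__ == "__main__":
    print(audit_pom(PINNED_POM), audit_pom(UNPINNED_POM), sep="\n")
```

A version inherited from a parent POM is not visible to this check, so run it against the POM that carries the pluginManagement section.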

If your instance of SonarQube Server is secured

If your SonarQube Server instance is secured behind a proxy and a self-signed certificate (see Securing SonarQube Server behind a proxy under Operating the server), you must add the self-signed certificate to the trusted CA certificates of the SonarScanner. In addition, if mutual TLS is used, you must define the access to the client certificate at the SonarScanner level.

See TLS certificates on client side.

Upgrading Java when you must compile to an earlier version

Upgrading to a version of SonarQube that uses a more recent version of Java as its minimum requirement is possible even when you need your Maven project to compile to an earlier version of Java.

To avoid Java version issues and compile the project to a different version than the one you are currently using, you can pass the target property as a project compilation step.

Refer to the Maven documentation for more information about the syntax to use with this property.

Troubleshooting

If you get a java.lang.OutOfMemoryError

With SonarScanner for Maven version 5.0 or later

Set the SONAR_SCANNER_JAVA_OPTS environment variable, like this in Unix environments:

export SONAR_SCANNER_JAVA_OPTS="-Xmx512m"

In Windows environments, avoid the double quotes, since they get misinterpreted:

set SONAR_SCANNER_JAVA_OPTS=-Xmx512m

With SonarScanner for Maven version 4.0 or earlier

Set the MAVEN_OPTS environment variable, like this in Unix environments:

export MAVEN_OPTS="-Xmx512m"

In Windows environments, avoid the double quotes, since they get misinterpreted:

set MAVEN_OPTS=-Xmx512m
