# SonarScanner for Maven

<details>

<summary>SonarScanner for Maven — 5.5.0.6356 | <a href="https://sonarsource.atlassian.net/jira/software/c/projects/MSONAR/issues">Issue Tracker</a></summary>

**5.5.0.6356** <sup><sub>**2025-12-05**</sub></sup>\
<sup>Release after change of signing key</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010140%20AND%20fixversion%20%3D%205.5\&selectedIssue=SCANMAVEN-339)

***

**5.4.0.6343** <sup><sub>**2025-12-02**</sub></sup>\
<sup>Release after change of signing key</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010140%20AND%20fixversion%20%3D%205.4\&selectedIssue=SCANMAVEN-338)

***

**5.3.0.6276** <sup><sub>**2025-11-10**</sub></sup>\
<sup>Support of Maven 4</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010140%20AND%20fixversion%20%3D%205.3)

***

**5.2.0.4988** <sup><sub>**2025-08-29**</sub></sup>\
<sup>Index .github folder for analysis</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010140%20AND%20fixversion%20%3D%205.2)

***

**5.1.0.4751** <sup><sub>**2025-03-25**</sub></sup>\
<sup>Support sonar.region</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010140%20AND%20fixversion%20%3D%205.1)

***

**5.0.0.4389** <sup><sub>**2024-11-06**</sub></sup>\
<sup>Automatic JRE provisioning</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010140%20AND%20fixversion%20%3D%205.0)

***

**4.0.1.6619** <sup><sub>**2026-03-09**</sub></sup>\
<sup>Nudge users into versioning the scanner in their configuration</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues?jql=project%20%3D%20SCANMAVEN%20AND%20fixversion%20%3D%204.0.1)

***

**4.0.0.4121** <sup><sub>**2024-05-31**</sub></sup>\
<sup>Drop support of Java 8 runtime</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010140%20AND%20fixversion%20%3D%204.0)

***

**3.11.0.3922** <sup><sub>**2024-03-13**</sub></sup>\
<sup>Collects files outside of conventional sonar.sources (aka scan more files)</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010140%20AND%20fixVersion%20%3D%2014294)

***

**3.10.0.2594** <sup><sub>**2023-09-15**</sub></sup>\
<sup>Support Maven 4</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010140%20AND%20fixVersion%20%3D%2012662)

***

**3.9.1.2184** <sup><sub>**2022-01-12**</sub></sup>\
<sup>Increase socket connect timeout to 30s</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project+%3D+10140+AND+fixVersion+%3D+12661)

***

**3.9.0.2155** <sup><sub>**2021-04-30**</sub></sup>\
<sup>Update dependencies</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project+%3D+10140+AND+fixVersion+%3D+12660)

***

**3.8.0.2131** <sup><sub>**2021-01-13**</sub></sup>\
<sup>Support for Bitbucket Pipelines with SonarQube 8.7+, use JDK from the build</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project+%3D+10140+AND+fixVersion+%3D+12659)

***

**3.7.0.1746** <sup><sub>**2019-10-01**</sub></sup>\
<sup>Support SONAR\_HOST\_URL environment variable to configure the server URL</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project+%3D+10140+AND+fixVersion+%3D+12657)

***

**3.6.1.1688** <sup><sub>**2019-09-02**</sub></sup>\
<sup>Fix a vulnerable dependency</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project+%3D+10140+AND+fixVersion+%3D+12658)

</details>

{% hint style="warning" %}
We do not recommend running an antivirus scanner on the machine where a SonarQube Server analysis runs, because it could result in unpredictable behavior.
{% endhint %}

The SonarScanner for Maven is recommended as the default scanner for Maven projects.

The ability to execute the SonarQube Server analysis via a regular Maven goal makes it available anywhere Maven is available (developer build, CI server, etc.), without the need to manually download, set up, and maintain a scanner installation. The Maven build already has much of the information needed for SonarQube Server to successfully analyze a project. By preconfiguring the analysis based on that information, the need for manual configuration is reduced significantly.

## Prerequisites <a href="#prerequisites" id="prerequisites"></a>

* Maven 3.2.5+
* Java 21 or later. Java 17 has been deprecated. See [#java-runtime-environment-jre](https://docs.sonarsource.com/sonarqube-server/analyzing-source-code/scanner-environment/general-requirements#java-runtime-environment-jre "mention") for more details.
* Java 11 or later with JRE auto-provisioning, see [managing-jre-auto-provisioning](https://docs.sonarsource.com/sonarqube-server/analyzing-source-code/scanners/scanner-environment/managing-jre-auto-provisioning "mention") for details.

See also [general-requirements](https://docs.sonarsource.com/sonarqube-server/analyzing-source-code/scanners/scanner-environment/general-requirements "mention").

## Analyzing <a href="#analyzing" id="analyzing"></a>

Analyzing a Maven project consists of running a Maven goal: `org.sonarsource.scanner.maven:sonar-maven-plugin:sonar` from the directory that holds the main project `pom.xml`. You need to pass an authentication token using one of the following options:

* Use the `sonar.token` property. For example, to set it through the command line, execute `mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.token=yourAuthenticationToken` and wait until the build has completed, then open the web page indicated at the bottom of the console output. You should now be able to browse the analysis results.
* Create the `SONAR_TOKEN` environment variable and set the token as its value. This keeps the token out of the command line, where it would be visible in shell history and process listings.

```bash
mvn clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.token=myAuthenticationToken
```

In some situations, you may want to run the `org.sonarsource.scanner.maven:sonar-maven-plugin:sonar` goal as a dedicated step. Be sure to use `install` as the first step for multi-module projects:

```bash
mvn clean install
mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.token=myAuthenticationToken
```

See [managing-tokens](https://docs.sonarsource.com/sonarqube-server/user-guide/managing-tokens "mention") for more information on tokens.

### Plugin version <a href="#plugin-version" id="plugin-version"></a>

If the sonar-maven-plugin is not configured to a fixed version, the latest one will be used. We recommend specifying the plugin version to avoid breaking changes:

```bash
mvn org.sonarsource.scanner.maven:sonar-maven-plugin:<version>:sonar
```

As of version 5.0 of the scanner, the analysis will run on a provided JDK17 by default. If you are working with a different Java version for your project, there might be inconsistencies between the Java API your project uses and the ones provided during the analysis. Specifying the correct JDK version will ensure that you are running the analysis with the correct Java version. See the [#project-specific-jdk](https://docs.sonarsource.com/sonarqube-server/languages/java#project-specific-jdk "mention") article for more information.

Also, see the *Locking down the version of the Maven plugin* section below.

### Coverage <a href="#coverage" id="coverage"></a>

To get coverage information, you’ll need to generate the coverage report before the analysis and specify the location of the resulting report in an analysis parameter. See the [overview](https://docs.sonarsource.com/sonarqube-server/analyzing-source-code/test-coverage/overview "mention") page for details.

{% hint style="info" %}
The SonarScanners run on code that is checked out. See [verifying-code-checkout-step](https://docs.sonarsource.com/sonarqube-server/analyzing-source-code/scanners/scanner-environment/verifying-code-checkout-step "mention").
{% endhint %}

## Configuring analysis <a href="#configuring-analysis" id="configuring-analysis"></a>

Most analysis properties will be read from your project. If you would like to override the default values of specific additional parameters, configure the parameter names found on the [analysis-parameters](https://docs.sonarsource.com/sonarqube-server/analyzing-source-code/analysis-parameters "mention") page in the `<properties>` section of your `pom.xml` like this:

```xml
<properties>
  <sonar.buildString> [...] </sonar.buildString>
</properties>
```

## Sample project <a href="#sample-project" id="sample-project"></a>

To help you get started, check out this [simple project sample](https://github.com/SonarSource/sonar-scanning-examples/tree/master/sonar-scanner-maven/maven-basic).

## Adjusting the analysis scope <a href="#analysis-scope" id="analysis-scope"></a>

The analysis scope of a project determines the source and test files to be analyzed.

An initial analysis scope is set by default. With the SonarScanner for Maven, the initial analysis scope is:

* For source files: all the files stored under `src/main/java` (in the root or module directories).
* For test files: all the files stored under `src/test/java` (in the root or module directories).

To adjust the analysis scope, you can:

* Adjust the initial scope: see below.
* Exclude specific files from the initial scope: see [introduction](https://docs.sonarsource.com/sonarqube-server/project-administration/adjusting-analysis/setting-analysis-scope/introduction "mention").
* Exclude specific modules from the analysis: see below.

### Adjusting the initial scope <a href="#adjusting-the-initial-scope" id="adjusting-the-initial-scope"></a>

The initial scope is set through the `sonar.sources` property (for source files) and the `sonar.tests` property (for test files). See Analysis parameters for more information.

To adjust the initial scope, you can:

* Either override these properties by setting them explicitly in your build like any other relevant Maven property: see [setting-initial-scope](https://docs.sonarsource.com/sonarqube-server/project-administration/adjusting-analysis/setting-analysis-scope/setting-initial-scope "mention").
* Or use the scanAll option to extend the initial scope to non-JVM-related files. See below.

### Using the scanAll option to include non-JVM-related files <a href="#using-the-scanall-option-to-include-nonjvmrelated-files" id="using-the-scanall-option-to-include-nonjvmrelated-files"></a>

You may want to analyze not only the JVM main files but also files related to configuration, infrastructure, etc. An easy way to do that is to enable the scanAll option (this option is disabled by default).

If the scanAll option is enabled then the initial analysis scope of *source files* will be:

* The files stored in `src/main/java`.
* The non-JVM-related files stored in the root directory of your project.

{% hint style="warning" %}
The scanAll option is disabled if the `sonar.sources` property is overridden.
{% endhint %}

To enable the scanAll option:

* Set the `sonar.maven.scanAll` property to `true`.

### Excluding a module from the analysis <a href="#excluding-a-module-from-the-analysis" id="excluding-a-module-from-the-analysis"></a>

To exclude a module from the analysis, you may:

* In the `pom.xml` of the module you want to exclude, define the `<sonar.skip>true</sonar.skip>` property.
* Use build profiles to exclude some modules (like for integration tests).
* Use Advanced Reactor Options (such as `-pl`). For example: `org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -pl !module2`.

## Other settings <a href="#other-settings" id="other-settings"></a>

### Locking down the version of the Maven plugin <a href="#locking-down-the-version-of-the-maven-plugin" id="locking-down-the-version-of-the-maven-plugin"></a>

It is recommended to lock down versions of Maven plugins:

```xml
<build>
  <pluginManagement>
    <plugins>
      <plugin>
        <groupId>org.sonarsource.scanner.maven</groupId>
        <artifactId>sonar-maven-plugin</artifactId>
        <version>yourPluginVersion</version>
      </plugin>
    </plugins>
  </pluginManagement>
</build>
```
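A CI gate can enforce this recommendation before the scanner runs. The following is an added example, not SonarSource code: it audits a single `pom.xml` (parent POMs are not resolved) for an unpinned `sonar-maven-plugin` and for a literal `sonar.token` stored in `<properties>`. The `sonar.plugin.version` property name, the sample POMs, and the purely numeric version pattern are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

GROUP, ARTIFACT = "org.sonarsource.scanner.maven", "sonar-maven-plugin"
FIXED_VERSION = re.compile(r"\d+(\.\d+)+")   # assumed shape, e.g. 5.5.0.6356; rejects blanks and ranges
PROPERTY_REF = re.compile(r"\$\{([^}]+)\}")  # e.g. ${sonar.plugin.version} or ${env.SONAR_TOKEN}


def audit_pom(pom_xml: str) -> list[str]:
    """Return findings for one POM; an empty list means both checks passed."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():                    # drop the POM namespace from tag names
        el.tag = el.tag.split("}", 1)[-1]
    props = {p.tag: (p.text or "").strip() for p in root.findall("properties/*")}
    findings = []

    # A literal token in <properties> ends up in version control; a ${...} reference does not.
    token = props.get("sonar.token", "")
    if token and not PROPERTY_REF.fullmatch(token):
        findings.append("sonar.token is hard-coded in <properties>; use SONAR_TOKEN instead")

    # The plugin counts as pinned when any declaration resolves to a concrete version.
    versions = []
    for path in ("build/pluginManagement/plugins/plugin", "build/plugins/plugin"):
        for plugin in root.findall(path):
            if (plugin.findtext("groupId", "").strip() == GROUP
                    and plugin.findtext("artifactId", "").strip() == ARTIFACT):
                version = (plugin.findtext("version") or "").strip()
                ref = PROPERTY_REF.fullmatch(version)
                versions.append(props.get(ref.group(1), "") if ref else version)
    if not any(FIXED_VERSION.fullmatch(v) for v in versions):
        findings.append("sonar-maven-plugin has no fixed <version>; the latest release will be used")
    return findings


# Constructed sample POMs (not taken from a real project).
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>{props}</properties>
  <build><pluginManagement><plugins><plugin>
    <groupId>org.sonarsource.scanner.maven</groupId>
    <artifactId>sonar-maven-plugin</artifactId>{version}
  </plugin></plugins></pluginManagement></build>
</project>"""
UNPINNED_POM = POM.format(props="<sonar.token>constructed-token</sonar.token>", version="")
PINNED_POM = POM.format(props="<sonar.plugin.version>5.5.0.6356</sonar.plugin.version>",
                        version="<version>${sonar.plugin.version}</version>")

if __name__ == "__main__":
    for name, pom in (("unpinned", UNPINNED_POM), ("pinned", PINNED_POM)):
        print(name, audit_pom(pom) or "OK")
```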

### If your instance of SonarQube Server is secured <a href="#if-your-instance-of-sonarqube-server-is-secured" id="if-your-instance-of-sonarqube-server-is-secured"></a>

If your SonarQube Server instance is secured behind a proxy and a self-signed certificate, you must add the self-signed certificate to the trusted CA certificates of the SonarScanner. In addition, if mutual TLS is used, you must define the access to the client certificate at the SonarScanner level.

See [manage-tls-certificates](https://docs.sonarsource.com/sonarqube-server/analyzing-source-code/scanners/scanner-environment/manage-tls-certificates "mention") and [securing-behind-proxy](https://docs.sonarsource.com/sonarqube-server/server-installation/network-security/securing-behind-proxy "mention").

### Upgrading Java when you must compile to an earlier version <a href="#upgrading-java-when-you-must-compile-to-an-earlier-version" id="upgrading-java-when-you-must-compile-to-an-earlier-version"></a>

Upgrading to a version of SonarQube that uses a more recent version of Java as its minimum requirement is possible even when you need your Maven project to compile to an earlier version of Java.

To avoid Java version issues and compile the project to a different version than the one you are currently using, you can pass the `target` property as a project compilation step.

Refer to the [Maven documentation](https://maven.apache.org/plugins/maven-compiler-plugin/examples/set-compiler-source-and-target.html) for more information about the syntax to use with this property.

## Troubleshooting <a href="#troubleshooting" id="troubleshooting"></a>

### If you get a java.lang.OutOfMemoryError <a href="#if-you-get-a-javalangoutofmemoryerror" id="if-you-get-a-javalangoutofmemoryerror"></a>

<details>

<summary>With SonarScanner for Maven version 5.0 or later</summary>

Set the `SONAR_SCANNER_JAVA_OPTS` environment variable, like this in Unix environments:

```bash
export SONAR_SCANNER_JAVA_OPTS="-Xmx512m"
```

In Windows environments, avoid the double quotes, since they get misinterpreted:

```bat
set SONAR_SCANNER_JAVA_OPTS=-Xmx512m
```

</details>

<details>

<summary>With SonarScanner for Maven version 4.0 or earlier</summary>

Set the `MAVEN_OPTS` environment variable, like this in Unix environments:

```bash
export MAVEN_OPTS="-Xmx512m"
```

In Windows environments, avoid the double quotes, since they get misinterpreted:

```bat
set MAVEN_OPTS=-Xmx512m
```

</details>
