
Troubleshooting


Advanced Security is only available in SonarQube Server, as an add-on starting in Enterprise Edition.

Troubleshooting issues with analysis

I don't see any issues on my first PR analysis

If the first analysis for your project is on a pull request, the analysis will be unable to determine what dependencies and risks are new in your pull request, so you may not see the results you expect. We recommend running at least one analysis on the main branch before running analyses on pull requests. 

My SCA analysis takes too long

A properly configured analysis with a lockfile should take minimal time. Common causes of extended analysis time are:

JavaScript

Ensure the directory is excluded via sonar.exclusions or sonar.sca.exclusions. See Analyzing projects for dependencies for more information.

Pip / requirements.txt

The Sonar analysis will run pip install -r requirements.txt in a temporary virtual environment for any discovered requirements.txt file. This may take significant memory or time if the installation process requires building native Python wheels.

Maven/Gradle

The Sonar analysis will run Maven or Gradle to resolve the dependencies of your project. If a wrapper is used, the analysis inherits the JVM memory configuration specified for Maven/Gradle, which may be more than what your analysis previously required.

Ensure that the memory parameters are set appropriately, or that your analysis runners have enough memory for your configured JVM memory parameters.

How do I see what the SCA analysis is doing?

You can see the commands being run by examining the scanner log: look for the Running… lines that follow the ----- Gather SCA dependencies for project line. Running the scanner in debug mode (setting sonar.verbose=true, or passing -X) provides additional detail.
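The check below, added here and not part of the SonarQube documentation, pulls the SCA commands out of a saved scanner log so they can be reviewed or attached to a support ticket. The sample log is constructed for the example; the exact prefix of each log line and the assumption that the next ----- line marks the end of the SCA section are this example's own, not a documented log format.

```shell
#!/bin/sh
# Added example (not SonarSource code): list the commands the SCA step ran,
# taken from a scanner log file.

# Print every "Running" line that follows the SCA marker line.
# Assumption: the SCA section ends at the next "-----" section line.
# Usage: sca_commands /path/to/scanner.log
sca_commands() {
  awk '
    /----- Gather SCA dependencies for project/ { in_sca = 1; next }
    in_sca && /-----/                           { in_sca = 0 }
    in_sca && /Running/                         { print }
  ' "$1"
}

# Constructed sample log excerpt (not real scanner output) so the function
# can be exercised offline. The line layout is an assumption.
write_sample_log() {
  cat > "$1" <<'EOF'
INFO: ----- Run sensors on module demo
INFO: Running something unrelated before SCA
INFO: ----- Gather SCA dependencies for project
INFO: Running: ./mvnw dependency:tree -DoutputType=text
INFO: Running: pip install -r requirements.txt
INFO: ----- Run sensors on project
INFO: Running another sensor
EOF
}

# Stand-alone run: write the sample log and show the two SCA commands.
if [ "${SCA_DEMO:-}" = "1" ]; then
  demo_log=$(mktemp)
  write_sample_log "$demo_log"
  sca_commands "$demo_log"
  rm -f "$demo_log"
fi
```

Run it against a real log with `sca_commands .scannerwork/scanner.log` (or wherever your CI stores the scanner output); lines from sensors that run before or after the SCA step are left out.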

Unknown lifecycle phase error

When analyzing some Java projects, you may get an error that says "there was a problem running mvn dependency:tree", with the following message in the details of the error:

 [ERROR] Unknown lifecycle phase "/some/path/.m2"

This is due to a conflict between a MAVEN_CONFIG environment variable that was present during analysis and the mvnw maven wrapper in your project directory. You can solve this by doing one of the following:

  • unset the MAVEN_CONFIG environment variable
  • update the maven wrapper in your repository by running ./mvnw wrapper:wrapper, and commit the result
  • force the use of mvn instead of the wrapper by setting the sonar.sca.mavenIgnoreWrapper property to true
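A pre-flight check for this conflict, added here as an example rather than taken from the SonarQube documentation: it reports when MAVEN_CONFIG is set while an mvnw wrapper is present, and emits the sonar.sca.mavenIgnoreWrapper property for the cases where the environment variable cannot simply be unset (for example, when a CI image sets it). The function names and the exit-code convention are this example's own.

```shell
#!/bin/sh
# Added example (not SonarSource code): detect the MAVEN_CONFIG / mvnw
# conflict before running the scanner, and pick one of the page's fixes.

# Return 0 when the wrapper can run safely, 1 when MAVEN_CONFIG is set and
# a wrapper exists in the project directory (the combination that yields
# 'Unknown lifecycle phase "/some/path/.m2"').
check_mvnw_conflict() {
  project_dir=$1
  if [ -f "$project_dir/mvnw" ] && [ -n "${MAVEN_CONFIG:-}" ]; then
    echo "conflict: MAVEN_CONFIG='$MAVEN_CONFIG' is set and $project_dir/mvnw exists" >&2
    echo "fix: unset MAVEN_CONFIG, run ./mvnw wrapper:wrapper and commit, or pass -Dsonar.sca.mavenIgnoreWrapper=true" >&2
    return 1
  fi
  return 0
}

# Print the extra scanner property needed for this checkout, or nothing.
# Used when the environment variable is managed elsewhere and cannot be unset.
scanner_extra_args() {
  if check_mvnw_conflict "$1" 2>/dev/null; then
    echo ""
  else
    echo "-Dsonar.sca.mavenIgnoreWrapper=true"
  fi
}

# Typical CI usage (sonar-scanner invocation is illustrative):
#   sonar-scanner $(scanner_extra_args .)
```

If you prefer the wrapper to keep being used, fix the root cause instead: unset MAVEN_CONFIG in the job, or regenerate the wrapper with ./mvnw wrapper:wrapper and commit the result.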

No dependency chains found

Sonar uses lockfiles that contain a full dependency graph to determine how dependencies are used by your project. If a lockfile is missing, or cannot be generated, dependency chains will be missing.

You can fix this error by ensuring a lockfile is present when analysis is run. Sonar recommends committing the lockfile to your source control system. For examples, see the documentation for the Python dependency manager poetry and the JavaScript dependency manager yarn.

Errors in the dependency analysis

The scanner will warn you of any errors when processing your dependency files.

Error message                                               Recommendation
No packages were found.                                     Make sure that you have a supported manifest and lockfile, as listed in Analyzing projects for dependencies (see the "Supported languages and package managers" section).
There was a problem parsing the manifests.                  Same as above.
This type of file is not supported.                         Same as above.
<name> (<platform>) has inexact version '<requirement>'     Make sure a lockfile is present when the analysis runs; see the explanation below.

Certain manifest files (such as an NPM package.json file) list a range of allowable dependency versions. When a dependency is specified as a range, Sonar uses a lockfile to determine the exact version in use.

When a lockfile is either not present or cannot be generated, the scanner raises an error that the version specified is not exact and cannot be resolved to a specific software version.

You can fix this error by ensuring a lockfile is present when analysis is run.

For examples, see the documentation for the Python dependency manager poetry and the JavaScript dependency manager yarn.
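Both "No dependency chains found" and the inexact-version error come down to the same missing input: a manifest without a lockfile beside it. The check below, added here as an example and not taken from the SonarQube documentation, walks a checkout and reports such manifests so the problem is caught before the scanner runs. The manifest-to-lockfile table is this example's own and covers only the package managers named on this page plus a few common ones; extend it for your stack.

```shell
#!/bin/sh
# Added example (not SonarSource code): find manifests with no companion
# lockfile, the usual cause of missing dependency chains and of
# "<name> (<platform>) has inexact version" errors.

# Candidate lockfile names for a manifest file name (example's own table).
lockfiles_for() {
  case $1 in
    package.json)   echo "package-lock.json yarn.lock pnpm-lock.yaml" ;;
    pyproject.toml) echo "poetry.lock uv.lock" ;;
    Gemfile)        echo "Gemfile.lock" ;;
    Cargo.toml)     echo "Cargo.lock" ;;
    *)              echo "" ;;
  esac
}

# Print "<manifest>: missing one of <candidates>" for every manifest that has
# no lockfile in its directory. node_modules is skipped: installed packages
# carry their own package.json files and are never the project's manifest.
missing_lockfiles() {
  root=$1
  for name in package.json pyproject.toml Gemfile Cargo.toml; do
    find "$root" -name node_modules -prune -o -name "$name" -type f -print |
    while IFS= read -r manifest; do
      dir=$(dirname "$manifest")
      found=0
      for lock in $(lockfiles_for "$name"); do
        if [ -f "$dir/$lock" ]; then found=1; fi
      done
      if [ "$found" -eq 0 ]; then
        echo "$manifest: missing one of $(lockfiles_for "$name")"
      fi
    done
  done
}

# Exit 0 when every manifest has a lockfile, 1 otherwise (report on stderr).
# Usage: check_lockfiles . || exit 1   # before invoking sonar-scanner
check_lockfiles() {
  report=$(missing_lockfiles "$1")
  if [ -n "$report" ]; then
    printf '%s\n' "$report" >&2
    return 1
  fi
  return 0
}
```

Run `check_lockfiles .` as a CI step ahead of the scanner; when it fails, generate the lockfile with the package manager (for example `poetry lock` or `yarn install`) and commit it, as the page recommends, rather than letting the analysis try to generate one on every run.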



© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.
