Start Free
9.9 | Analyzing source code | Scanners | SonarScanner for Maven

SonarScanner for Maven

On this page

Prerequisites Global settings Analyzing Configuring analysis Sample project Adjusting the analysis scope Excluding a module from analysis How to fix version of Maven plugin Troubleshooting

The SonarScanner for Maven is recommended as the default scanner for Maven projects.

The ability to execute the SonarQube analysis via a regular Maven goal makes it available anywhere Maven is available (developer build, CI server, etc.), without the need to manually download, set up, and maintain a SonarQube scanner installation. The Maven build already has much of the information needed for SonarQube to successfully analyze a project. By preconfiguring the analysis based on that information, the need for manual configuration is reduced significantly.

Prerequisites

  • Maven 3.2.5+
  • At least the minimal version of Java supported by your SonarQube server is in use

Edit the settings.xml file, located in <MAVEN_HOME>/conf or ~/.m2, to set the plugin prefix and optionally the SonarQube server URL.

Global settings

Example:

<settings>
    <pluginGroups>
        <pluginGroup>org.sonarsource.scanner.maven</pluginGroup>
    </pluginGroups>
    <profiles>
        <profile>
            <id>sonar</id>
            <activation>
                <activeByDefault>true</activeByDefault>
            </activation>
            <properties>
                <!-- Optional URL to server. Default value is http://localhost:9000 -->
                <sonar.host.url>
                  http://myserver:9000
                </sonar.host.url>
            </properties>
        </profile>
     </profiles>
</settings>

Analyzing

Analyzing a Maven project consists of running a Maven goal: sonar:sonar from the directory that holds the main project pom.xml. You need to pass an authentication token using the sonar.login property in your command line.

mvn clean verify sonar:sonar -Dsonar.login=myAuthenticationToken

In some situations you may want to run the sonar:sonar goal as a dedicated step. Be sure to use install as first step for multi-module projects

mvn clean install
mvn sonar:sonar -Dsonar.login=myAuthenticationToken

To specify the version of sonar-maven-plugin instead of using the latest:

mvn org.sonarsource.scanner.maven:sonar-maven-plugin:3.7.0.1746:sonar

To get coverage information, you'll need to generate the coverage report before the analysis and specify the location of the resulting report in an analysis parameter. See test coverage for details.

Configuring analysis

Most analysis properties will be read from your project. If you would like to override the default values of specific additional parameters, configure the parameter names found on the analysis parameters page in the <properties> section of your pom.xml like this:

<properties>
  <sonar.buildString> [...] </sonar.buildString>
</properties>

Sample project

To help you get started, a simple project sample is available here: https://github.com/SonarSource/sonar-scanning-examples/tree/master/sonar-scanner-maven/maven-basic

Adjusting the analysis scope

The analysis scope of a project determines the source and test files to be analyzed. 

An initial analysis scope is set by default. With the SonarScanner for Maven, the initial analysis scope is:

  • For source files: all the files stored under src/main/java (in the root or module directories).
  • For test files: all the files stored under src/test/java (in the root or module directories). 

To adjust the analysis scope, you can:

  • Adjust the initial scope: see below.
  • Exclude specific files from the initial scope: see Narrowing the focus.
  • Exclude specific modules from the analysis: see below.

Adjusting the initial scope

The initial scope is set through the sonar.sources property (for source files) and the sonar.tests property (for test files). See Analysis parameters for more information.

To adjust the initial scope, you can:

  • Either override these properties by setting them explicitly in your build like any other relevant maven property: see Narrowing the focus.
  • Or use the scanAll option to extend the initial scope to non-JVM-related files. See below.

Using the scanAll option to include non-JVM-related files

You may want to analyze not only the JVM main files but also files related to configuration, infrastructure, etc. An easy way to do that is to enable the scanAll option (By default, this option is disabled.).

If the scanAll option is enabled then the initial analysis scope of source files will be:

  • The files stored in src/main/java.
  • The non-JVM-related files stored in the root directory of your project.

To enable the scanAll option:

  • Set the sonar.maven.scanAll property to true

Excluding a module from analysis

  • define property <sonar.skip>true</sonar.skip> in the pom.xml of the module you want to exclude
  • use build profiles to exclude some modules (like for integration tests)
  • use Advanced Reactor Options (such as "-pl"). For example mvn sonar:sonar -pl !module2

How to fix version of Maven plugin

It is recommended to lock down versions of Maven plugins:

<build>
  <pluginManagement>
    <plugins>
      <plugin>
        <groupId>org.sonarsource.scanner.maven</groupId>
        <artifactId>sonar-maven-plugin</artifactId>
        <version>3.7.0.1746</version>
      </plugin>
    </plugins>
  </pluginManagement>
</build>

Troubleshooting

If you get a java.lang.OutOfMemoryError

Set the MAVEN_OPTS environment variable, like this in Unix environments:

export MAVEN_OPTS="-Xmx512m"

In Windows environments, avoid the double quotes, since they get misinterpreted.

set MAVEN_OPTS=-Xmx512m

Was this page helpful?

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License