Plugin basics
Building your plugin
Prerequisites
To build a plugin, you need Java 8 and Maven 3.1 (or greater). Gradle can also be used thanks to the gradle-sonar-packaging-plugin (note that this plugin is not officially supported by SonarSource).
Sonar Plugin API
The sonar-plugin-api
is a Java API that is used to develop plugins.
The API used to be part of SonarQube Server and released with it, but it is a separate component since v9.5, with its own releases. You can find it here: sonar-plugin-api.
The groupId
was relocated from org.sonarsource.sonarqube
to org.sonarsource.api.plugin
.
The new coordinates of the dependency are
org.sonarsource.api.plugin:sonar-plugin-api:<version>
Create a Maven project
The recommended way to start is by duplicating the plugin example project: https://github.com/SonarSource/sonar-custom-plugin-example.
If you want to start the project from scratch, use the following Maven pom.xml
template:
pom.xml
Build
To build your plugin project, execute this command from the project root directory:
mvn clean package
The plugin jar file is generated in the project's target/
directory.
Deploy
"Cold" Deploy
The standard way to install the plugin for regular users is to copy the jar artifact, from the target/
directory to the extensions/plugins/
directory of your SonarQube Server installation, then start the server. The file logs/web.log
will then contain a log line similar to:
Deploy plugin Example Plugin / 0.1-SNAPSHOT
Scanner extensions such as sensors are immediately retrieved and loaded when scanning source code.
Debug
Debugging web server extensions
- Edit conf/sonar.properties and set:
sonar.web.javaAdditionalOpts=-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=8000
. - Install your plugin by copying its jar file to extensions/plugins.
- Start the server. The line
Listening for transport dt_socket at address: 5005
is logged inlogs/sonar.log
. - Attach your IDE to the debug process (listening on port 8000 in the example).
Debugging compute engine extensions
Same procedure as for web server extensions (see above), but with the following property:
Debugging scanner extensions
When using the Scanner for Maven, then simply execute:
Advanced build properties
Plugin properties are defined in the file META-INF/MANIFEST.MF
of the plugin jar file.
Most of them are defined through the <configuration>
section of the sonar-packaging-maven-plugin. Some are taken from standard pom nodes Effective values are listed at the end of the build log:
Supported standard pom node properties:
Maven property | Manifest key | Notes |
version | Plugin-Version | (required) Plugin version as displayed in page "Marketplace". Default: ${project.version} |
pluginApiMinVersion | Sonar-Version | Minimal version of supported Sonar Plugin API at runtime. For example, if the value is 9.8.0.203, then deploying the plugin on SonarQube Server versions with sonar-plugin-api 9.6.1.114 (ie. SonarQube 9.5) and lower will fail. The default value is given by the version of sonar-plugin-api dependency. It can be overridden with the Maven property pluginApiMinVersion (since sonar-packaging-maven-plugin 1.22). That allows in some cases to use new features of recent API and to still be compatible at runtime with older versions of SonarQube Server. Default: version of dependency sonar-plugin-api |
license | Plugin-License | Plugin license as displayed on page "Marketplace". Default ${project.licenses} |
developers | Plugin-Developers | A list of developers is displayed on the page "Marketplace". Default: ${project.developers} |
Supported <configuration>
properties:
Maven property | Manifest key | Notes |
pluginKey | Plugin-Key | (required) Contains only letters/digits and is unique among all plugins. Examples: groovy, widgetlab. Constructed from ${project.artifactId}. Given an artifactId of: sonar-widget-lab-plugin , your pluginKey will be: widgetlab |
pluginClass | Plugin-Class | (required) Name of the entry-point class that extends org.sonar.api.SonarPlugin . Example: org.codehaus.sonar.plugins.widgetlab.WidgetLabPlugin |
pluginName | Plugin-Name | (required) Displayed in the page "Marketplace". Default: ${project.name} |
pluginDescription | Plugin-Description | Displayed in the page "Marketplace". Default: ${project.description} |
pluginUrl | Plugin-Homepage | Homepage of website, for example https://github.com/SonarQubeCommunity/sonar-widget-lab${project.url} |
pluginIssueTrackerUrl | Plugin-IssueTrackerUrl | Example: https://github.com/SonarQubeCommunity/sonar-widget-lab/issues. Default: ${project.issueManagement.url} |
pluginTermsConditionsUrl | Plugin-TermsConditionsUrl | Users must read this document when installing the plugin from Marketplace. Default: ${sonar.pluginTermsConditionsUrl} |
useChildFirstClassLoader | Plugin-ChildFirstClassLoader | Each plugin is executed in an isolated classloader, which inherits a shared classloader that contains API and some other classes. By default the loading strategy of classes is parent-first (look up in shared classloader then in plugin classloader). If the property is true, then the strategy is child-first. This property is mainly used when building plugin against API < 5.2, as the shared classloader contained many 3rd party libraries (guava 10, commons-lang, ...) false. |
basePlugin | Plugin-Base | If specified, then the plugin is executed in the same classloader as basePlugin . |
pluginSourcesUrl | Plugin-SourcesUrl | URL of SCM repository for open-source plugins. Displayed on page "Marketplace". Default: ${project.scm.url} |
pluginOrganizationName | Plugin-Organization | The organization which develops the plugin is displayed on the page "Marketplace". Default: ${project.organization.name} |
pluginOrganizationUrl | Plugin-OrganizationUrl | URL of the organization, displayed on the page "Marketplace". Default: ${project.organization.url} |
sonarLintSupported | SonarQube for IDE-Supported | Whether the language plugin supports SonarQube for IDE or not. Only SonarSource analyzers and custom rules plugins for SonarSource analyzers should set this to true. |
pluginDisplayVersion | Plugin-Display-Version | The version is displayed in SonarQube Server administration console. By default it's the raw version, for example, "1.2", but can be overridden to "1.2 (build 12345)" for instance. Supported in sonar-packaging-maven-plugin 1.18.0.372. Default: ${project.version} |
requiredForLanguages | Plugin-RequiredForLanguages | Languages for which this plugin should be downloaded. Use to make sure dependency errors are avoided when the loading of analyzers is optimized. This property must be added to the For an example, see the Custom Rules section of the Java page. |
The Maven sonar-packaging-maven-plugin
supports also these properties:
Maven property | Manifest key | Notes |
addMavenDescriptor | Copy pom file inside the directory META-INF of generated jar file? | Boolean. Default: ${sonar.addMavenDescriptor} / true . |
skipDependenciesPackaging | Do not copy Maven dependencies into jar file. | Default: ${sonar.skipDependenciesPackaging} / false`. |
Other Manifest fields:
Implementation-Build
: Identifier of build or commit, for example, the Git SHA1.94638028f0099de59f769cdca776e506684235d6
. It is displayed for debugging purposes in logs when SonarQube Server starts.
API basics
Extension points
SonarQube Server provides extension points for its three technical stacks:
- Scanner, which runs the source code analysis.
- Compute Engine, which consolidates the output of scanners, for example by:
- computing 2nd-level measures such as ratings.
- aggregating measures (for example number of lines of code of project = sum of lines of code of all files).
- assigning new issues to developers.
- persisting everything in data stores.
- Web application.
Extension points are not designed to add new features but to complete existing features. Technically they are contracts defined by a Java interface or an abstract class annotated with @ExtensionPoint
. The exhaustive list of extension points is available in the Javadoc.
The implementations of extension points (named extensions) provided by a plugin must be declared in its entry point class, which implements org.sonar.api.Plugin
and which is referenced in the pom.xml
:
ExamplePlugin.java
pom.xml
Lifecycle
A plugin extension exists only in its associated technical stacks. A scanner sensor is for example instantiated and executed only in a scanner runtime, but not in the web server nor in Compute Engine. The stack is defined by the annotations @ScannerSide, @ServerSide (for a web server), and @ComputeEngineSide.
An extension can call core components or another extension of the same stack. These dependencies are defined by constructor injection:
It is recommended not to call other components in constructors. Indeed, they may not be initialized at that time. Constructors should only be used for dependency injection.
A compilation will not fail if incorrect dependencies are defined, such as a scanner extension trying to call a web server extension. Still, it will fail at runtime when a plugin is loaded.
Third-party libraries
Plugins are executed in their own isolated classloaders. That allows the packaging and use of 3rd-party libraries without runtime conflicts with core internal libraries or other plugins. Note that since version 5.2, SonarQube Server API does not bring transitive dependencies, except SLF4J. The libraries just have to be declared in the pom.xml
with the default scope "compile":
pom.xml
Technically, the libraries are packaged in the directory META-INF/lib of the generated jar file. An alternative is to shade libraries, for example with maven-shade-plugin
. That minimizes the size of the plugin jar file by copying only the effective used classes.
The command mvn dependency:tree
gives the list of all dependencies, including transitive ones.
Configuration
The core component org.sonar.api.config.Configuration
provides access to configuration. It deals with default values and the decryption of values. It is available in all stacks (scanner, web server, Compute Engine). As recommended earlier, it must not be called from constructors.
MyExtension.java
Scanner sensors can get config directly from SensorContext, without using constructor injection:
MySensor.java
In the scanner stack, properties are checked in the following order, and the first non-blank value is the one that is used:
- System property.
- Scanner command-line (-Dsonar.property=foo for instance).
- Scanner tool ( of scanner for Maven for instance).
- Project configuration defined in the web UI.
- Global configuration defined in the web UI.
- Default value.
Plugins can define their own properties so that they can be configured from the web administration console. The extension point org.sonar.api.config.PropertyDefinition
must be used:
Values of the properties suffixed with .secured
are not available to be read by any users. The .secured
suffix is needed for passwords, for instance.
The annotation org.sonar.api.config.PropertyDefinition
can be used on an extension to declare a property.
Logging
The class org.sonar.api.utils.log.Logger
is used to log messages to scanner output, web server logs/sonar.log, or Compute Engine logs (available from the administration web console). It's convenient for unit testing (see class LogTester
).
Internally, SLF4J is used as a facade of various logging frameworks (log4j
, commons-log
, logback
, java.util.logging
). That allows all these frameworks to work at runtime, such as when they are required for a 3rd party library. SLF4J loggers can also be used instead of org.sonar.api.utils.log.Logger
. Read the SLF4J manual for more details.
As an exception, plugins must not package logging libraries. Dependencies like SLF4J or log4j
must be declared with the scope "provided".
Exposing APIs to other plugins
The common use case is to write a language plugin that will allow some other plugins to contribute additional rules (see for example how it is done for Java analysis). The main plugin will expose some APIs that will be implemented/used by the "rule" plugins.
Plugins are loaded in isolated classloaders. It means a plugin can't access another plugin's classes. There is an exception for package names following pattern org.sonar.plugins.<pluginKey>.api
. For example, all classes in a plugin with the key myplugin
that are located in org.sonar.plugins.myplugin.api
are visible to other plugins.
Serving static resources
If you need to serve static resources from your plugin such as images or JavaScript files, place them in a directory under resources
named static
(myplugin/src/main/resources/static
). At runtime, they'll be available from https://{server}/static/{pluginKey}/{file}
.
Configuring plugins for analyzer loading optimization
By default, SonarQube Server downloads Sonar analyzers and third-party plugins only when they are really required by the scanner (see Improving performance). To make this feature work, each analyzer or third-party plugin should declare the list of languages on which they expect to raise issues through a MANIFEST property called Plugin-RequiredForLanguages
.
Optimization behavior
At the Scanner level, the behavior is as follows:
- Case 1: When the property is not set by the plugin, the plugin is downloaded whatever the contents of the project.
- Case 2: When the property is defined and there are files corresponding to the language declared by the plugin, the plugin is downloaded.
- Case 3: When the property is defined and there are no files corresponding to the language declared by the plugin, the plugin is not downloaded.
This helps save network bandwidth and speed up the bootstrap of the scans. As a side effect, the logs are also cleaner, with fewer “nothing to do” logs for plugins that really have nothing to perform on the repository content.
Avoiding dependency errors
For plugins that have a dependency on a base analyzer provided by default with SonarQube Server (for example, a plugin to add rules or reports to an existing language), it is mandatory to add to the MANIFEST the property Plugin-RequiredForLanguages
to avoid a hard failure.
Take, for example, plugin sonar-xyz which provides additional rules for Java:
- A user scans a repository that only contains Python code.
- sonar-xyz is downloaded because it doesn’t declare the property. So it is downloaded from the server at each scan (case 1 above).
- sonar-java is not downloaded because there are no .java files in the repository to scan (case 3 above).
- Analysis errors-out because a
NoClassDefFoundError
is thrown since sonar-xyz has an unsatisfied dependency on sonar-java, which wasn’t downloaded.
Configuration steps
To avoid dependency errors, you'll need to:
- Upgrade sonar-packaging-maven-plugin to version 1.22.0.705 1.
- Add java to the configuration of sonar-packaging-maven-plugin where “java” is replaced by the language your plugin is dealing with.
- Add the property
<requiredForLanguages>
to the configuration of sonar-packaging-maven-plugin, so thatPlugin-RequiredForLanguages
is added to the MANIFEST. The property accepts several values such asjs
,ts
,css
,web
,yaml
, etc.
Example configurations are available on the language pages (see the Custom rules section of the Java page for example).
API deprecation
Plugin API deprecation policy
The goal of the deprecation policy is to make sure that users are aware of what is changing and have time to adjust before an API component is dropped at a given planned date.
The API deprecation policy states that:
- An API component must be deprecated before being dropped. Furthermore, if the underlying feature is not being dropped, a replacement component must immediately be provided.
- A deprecated API component must be fully supported until its drop (For instance the implementation of a deprecated method can't be replaced by throwing a new UnsupportedOperationException()).
- The API is released independently of SonarQube Server (see the version compatibility matrix).
- All breaking changes in the Plugin API must be preceded by a deprecation period of at least 2 years after the deprecation.
Under special circumstances, for example, when there are security vulnerabilities that need to be addressed, we might make an exception and drop the deprecated API component earlier.
This leads to the following policy recommendations for API users:
- Regularly monitor the deprecation of API components and check if you’re currently using them. See Monitoring the deprecated API components.
- If you're currently using deprecated API components:
- Don't add new uses of it.
- Make the necessary updates in your next few releases so you’re ready for any breaking changes after the next LTA(Long-Term Active) release.
Deprecation mark
A Plugin API component is marked as deprecated with both:
- The annotation
@Deprecated
. - The Javadoc tag
@deprecated
whose message must start with "in x.y", for example:
API Changes
Starting with v9.5, the API is released independently of SonarQube Server. You can find the changes for newer releases in its code repository.
Release 9.3
Added
sonar-plugin-api.src.main.java.org.sonar.api.resources.Language#publishAllFiles
to define whether the files identified with the language should be automatically published to SonarQube Server.org.sonar.api.batch.sensor.SensorDescriptor#processesFilesIndependently
Release 9.0
Deprecated:
org.sonar.api.server.rule.RulesDefinitionXmlLoader
is deprecated. Use thesonar-check-api
to annotate rule classes instead of loading the metadata from XML files.
Removed:
org.sonar.api.ExtensionProvider
Useorg.sonar.api.Plugin.Context#addExtensions()
to add objects to the container.org.sonar.api.batch.sensor.SensorDescriptor#requireProperty()
. Use#onlyWhenConfiguration()
instead.- All API related to preview/issues analysis mode.
- Coverage types (unit, IT, overall) was removed.
- Resource perspectives. Use methods in
SensorContext
. org.sonar.api.platform.Server#getRootDir()
. UseServerFileSystem#getHomeDir()
.org.sonar.api.profiles.ProfileDefinition.java
. Define quality profiles withBuiltInQualityProfilesDefinition
.org.sonar.api.rules.XMLRuleParser
. Use thesonar-check-api
to annotate rule classes.
Release 8.4
Added:
org.sonar.api.batch.scm.ScmProvider#forkDate
Deprecated:
org.sonar.api.rules.Rule#getId()
is deprecated and will always throw UnsupportedOperationException.
Release 8.3
Deprecated:
org.sonar.api.utils.text.JsonWriter
Release 7.8
Added:
org.sonar.api.web.WebAnalytics
Deprecated:
org.sonar.api.i18n.I18
org.sonar.api.SonarQubeVersion
useorg.sonar.api.SonarRuntime
instead.org.sonar.api.profiles.XMLProfileParser
org.sonar.api.notifications.NotificationChannel
Removed:
- Pico components relying on reflection to have their
start
orstop
method called. Make your component implementsorg.sonar.api.Startable
instead.
Release 7.7
Added:
org.sonar.api.batch.scm.ScmProvider#ignoreCommand
Deprecated:
org.sonar.api.batch.fs.InputFile::status
org.sonar.api.resources.Qualifiers#BRC
Removed:
- The preview/issues mode of the scanner has been removed.
Release 7.6
Changed:
PostJob
moved to project level IoC container.InputFileFilter
moved to project level IoC container.
Added:
- New annotation
org.sonar.api.scanner.ScannerSide
to mark (project level) scanner components. org.sonar.api.batch.fs.InputProject
to create issues on projects.org.sonar.api.scanner.ProjectSensor
to declare Sensors that only run at the project level.
Deprecated:
org.sonar.scanner.issue.IssueFilter
is deprecated.org.sonar.api.batch.InstantiationStrategy
is deprecated.org.sonar.api.batch.ScannerSide
is deprecated.org.sonar.api.batch.fs.InputModule
is deprecated.- The concept of global Sensor is deprecated (use
ProjectSensor
instead).
Removed:
- Support of scanner tasks was removed.
RulesProfile
is no longer available for scanner side components (useActiveRules
instead).
Release 7.4
Changed:
- Allow identity provider to not provide login.
Added:
- Allow sensors to report adhoc rules metadata.
Removed:
org.sonar.api.rules.RuleFinder
removed from scanner side.sonar-channel
removed from plugin classloader.- stop support of plugins compiled with API < 5.2.
Release 7.3
Added:
RulesDefinitions
supports HotSpots and security standards.
Deprecated:
org.sonar.api.batch.AnalysisMode
andorg.sonar.api.issue.ProjectIssues
since preview mode is already deprecated for a while.
Release 7.2
Added:
org.sonar.api.batch.sensor.SensorContext#newExternalIssue
to report external issues.org.sonar.api.batch.sensor.SensorContext#newSignificantCode
to report part of the source file that should be used for issue tracking.org.sonar.api.scan.issue.filter.FilterableIssue#textRange
Deprecated:
org.sonar.api.scan.issue.filter.FilterableIssue#line
Release 7.1
Added:
org.sonar.api.Plugin.Context#getBootConfiguration
org.sonar.api.server.rule.RulesDefinition.NewRule#addDeprecatedRuleKey
to support deprecated rule keys.
Release 7.0
Added:
org.sonar.api.batch.scm.ScmProvider#relativePathFromScmRoot
,org.sonar.api.batch.scm.ScmProvider#branchChangedFiles
andorg.sonar.api.batch.scm.ScmProvider#revisionId
to improve branch and PR support.
Was this page helpful?