Below is my GitHub Actions call to help SonarQube scan my repository:
    - name: SonarQube Scanner-Windows
      if: ${{ inputs.runsonar =='true' }}
      uses: jimseiwert/sonarqube-scanner-windows@v1.0
      with:
        host-url: http://sonar-rm.mybank.com:9000/
        token: ${{ secrets.SONAR_TOKEN }}
        project-key: 'MY_WEB'
        project-name: ${{ inputs.repo }}
Output:
    D:\Git-Runners\mycomp_work_actions\jimseiwert\sonarqube-scanner-windows\v1.0\scanner\bin\sonar-scanner.bat --define sonar.host.url=http://sonar-rm.mybank.com:9000/ --define sonar.login="***" --define sonar.projectKey="My_WEB" --define sonar.projectName="mybank/myrepo"
and then fails as below:
    INFO: Project configuration:
    INFO: Excluded sources: **/*jquery*, **/*kendo*/**/*, **/node_modules/**, **/*kendo*/**/*, **/*jquery*, **/node_modules/**
    ERROR: Error during SonarScanner execution
    INFO: ------------------------------------------------------------------------
    org.sonar.java.AnalysisException: Your project contains .java files, please provide compiled classes with sonar.java.binaries property, or exclude them from the analysis with sonar.exclusions property.
        at org.sonar.java.classpath.ClasspathForMain.init(ClasspathForMain.java:75)
        at org.sonar.java.classpath.AbstractClasspath.getElements(AbstractClasspath.java:319)
        at org.sonar.java.SonarComponents.getJavaClasspath(SonarComponents.java:205)
I'm not sure how I can get this SonarQube scanner to scan my Java project.
I'm fine with other solutions if any.
I would also like to know, whatever the solution is, where I would be able to find the scan reports.
I do not have SonarScanner installed on my runner and I'm looking for a Marketplace solution. In case there is no solution, I would appreciate it if you can guide me on how to use my self-hosted runner to do the Sonar scans.
I'm also open to SonarQube scanning using Maven.
I'd simply use Maven (or Gradle if you're already using that) and use its SonarQube plugin. I've done that for dozens of repositories successfully.
An example from my own actions (so don't forget to replace the organization if you copy-paste this):
    - name: Set up JDK 17
      uses: actions/setup-java@v3
      with:
        java-version: '17'
        distribution: 'temurin'
        cache: 'maven'
    - name: SonarQube Scan
      run: |
        mvn clean \
          -Dcheckstyle.skip=true \
          -Dmaven.javadoc.skip=true \
          org.jacoco:jacoco-maven-plugin:prepare-agent \
          package \
          verify -Dgpg.skip=true \
          org.jacoco:jacoco-maven-plugin:report \
          org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
          -Dsonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml \
          -Dsonar.organization=robtimus-github \
          --file pom.xml -B --no-transfer-progress
      env:
        SONAR_TOKEN: ${{ secrets.SonarCloudToken }}
        SONAR_HOST_URL: https://sonarcloud.io
    - name: SonarQube Quality Gate check
      uses: sonarsource/sonarqube-quality-gate-action@master
      timeout-minutes: 5
      env:
        SONAR_TOKEN: ${{ secrets.SonarCloudToken }}
        SONAR_HOST_URL: https://sonarcloud.io
      with:
        scanMetadataReportFile: target/sonar/report-task.txt
The two skip arguments are because I don't need any Checkstyle or GPG just to run SonarQube. The JaCoCo stuff is there for getting code coverage reported in SonarQube. My POM and its parent do not contain anything related to SonarQube or JaCoCo, all that's done through these command-line settings.
(I can probably get rid of the package goal as it's implied by verify)
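On the question of where the scan reports end up: the Maven scanner writes target/sonar/report-task.txt (the file the quality gate step above reads), and its key=value lines include the dashboard URL on the server. The script below is an added example, not part of the answer; the function names and the sample file contents are constructed, and the HTTPS check is there because a token sent to an http:// host travels unencrypted.

```shell
#!/usr/bin/env bash
# Added example: locate SonarQube results from the scanner's report-task.txt.

# Print the value of KEY from FILE. Values contain '=' themselves
# (dashboardUrl ends in ?id=<projectKey>), so split on the first '=' only.
# Trailing CRs are stripped because the file may come from a Windows runner.
sonar_report_field() {
  local file="$1" key="$2"
  [ -r "$file" ] || return 2
  awk -v k="$key" '{ sub(/\r$/, "") }
    index($0, k "=") == 1 { print substr($0, length(k) + 2); found = 1; exit }
    END { exit (found ? 0 : 1) }' "$file"
}

# Print where the analysis results live. Returns 1 if a required key is
# missing and 3 if the server URL is not HTTPS.
sonar_report_summary() {
  local file="$1" server dashboard task
  server=$(sonar_report_field "$file" serverUrl) ||
    { echo "serverUrl missing in $file" >&2; return 1; }
  dashboard=$(sonar_report_field "$file" dashboardUrl) ||
    { echo "dashboardUrl missing in $file" >&2; return 1; }
  task=$(sonar_report_field "$file" ceTaskUrl) ||
    { echo "ceTaskUrl missing in $file" >&2; return 1; }
  echo "Results dashboard: $dashboard"
  echo "Background task:   $task"
  case $server in
    https://*) return 0 ;;
    *) echo "warning: $server is not HTTPS; SONAR_TOKEN is sent unencrypted" >&2
       return 3 ;;
  esac
}

# Constructed sample (not real scanner output), using the question's host
# and project key with a placeholder task id.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
projectKey=MY_WEB
serverUrl=http://sonar-rm.mybank.com:9000
dashboardUrl=http://sonar-rm.mybank.com:9000/dashboard?id=MY_WEB
ceTaskId=CONSTRUCTED-TASK-ID
ceTaskUrl=http://sonar-rm.mybank.com:9000/api/ce/task?id=CONSTRUCTED-TASK-ID
EOF
sonar_report_summary "$SAMPLE" || echo "exit status: $?"
```

In a workflow, call `sonar_report_summary target/sonar/report-task.txt` in a step after the Maven scan.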