Why is it mandatory to run maven install before analyzing the code?


imtiyaz Baig Moghal

Aug 18, 2016, 3:47:56 PM
to SonarQube
Hi,

SonarQube documentation says that we need to run maven install always before running the scanner. The instructions provided here look to be incorrect because we can obviously analyze code without building the code.


# In some situation you may want to run sonar:sonar goal as a dedicated step. Be sure to use install as first step for multi-module projects
mvn clean install
mvn sonar:sonar

Can you please help us understand why we need to run maven install? Why can't we just analyze the code? Please note that we have two types (templates) of Jenkins jobs. One for building the code (& deploying) and the other for just the SonarQube scan. We don't want to build the code before the scan using the Jenkins SonarQube template. Unfortunately, because of the above recommendation by SonarQube, we ended up having both of these templates build the source code, which is unnecessary and time consuming. We want to change our SonarQube Jenkins template to skip the install part and just do sonar:sonar. But before we do this, we wanted to know why SonarQube provided such a recommendation?

Thank you,
Imtiyaz

G. Ann Campbell

Aug 18, 2016, 3:56:33 PM
to SonarQube
Hi Imtiyaz,

An increasingly large portion of the analysis relies on byte code. If you don't provide byte code, you may experience false positives or false negatives.


Ann

imtiyaz Baig Moghal

Aug 18, 2016, 5:19:25 PM
to SonarQube
Thanks for your reply Ann. Much appreciated!

I am just trying to understand more. The other ways of running Sonar, for instance sonar-scanner, require only the source code path, for instance:

sonar.projectKey=atwork-address-master
sonar.projectName=atwork-address-master
sonar.projectVersion=1.0
sonar.sources=C:/any_java_project/src_path_only
sonar.sourceEncoding=UTF-8

Does this mean that this way of running sonar-scanner skips a large portion of the analysis (because it doesn't build/generate byte code files)?

Curious to know why we need to analyze the byte code (.class files)? Why can't we just use the source code (.java) files directly? Would you please provide some examples of how byte code helps us in performing the scan versus just using .java files directly?

Again, thanks for your reply!

Imtiyaz

Nicolas Peru

Aug 19, 2016, 3:08:00 AM
to imtiyaz Baig Moghal, SonarQube
Hi, 

You may want to read the answer to this Stack Overflow question: http://stackoverflow.com/questions/38989414/why-sonar-requires-binary-files-sonar-binaries. It will give you an understanding of why and how the Sonar Java analyzer reads bytecode.

So in short: when doing a Java analysis, you should provide the compiled classes and libraries through the sonar.java.binaries and sonar.java.libraries properties.
You need to specify those with sonar runner.
With the SonarQube Scanner for Maven, this is done automatically for you by picking up the dependencies in the Maven repository, so this is why, to have up-to-date dependencies, you need to run install before running the analysis.

HTH, 

Cheers, 

--
Nicolas PERU | SonarSource
Senior Developer
http://sonarsource.com
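To make Nicolas's point concrete for the sonar-scanner case Imtiyaz asked about, below is an added sonar-project.properties example. It is not code from the thread or from SonarSource: it takes the source-only configuration from the earlier post and adds the two properties Nicolas names. The paths target/classes and target/dependency/*.jar are assumptions based on a standard Maven layout (target/classes is filled by `mvn package`, target/dependency by `mvn dependency:copy-dependencies`); adjust them to the project's actual build output.

```properties
# sonar-project.properties for sonar-scanner (added example, not from the thread)
sonar.projectKey=atwork-address-master
sonar.projectName=atwork-address-master
sonar.projectVersion=1.0
sonar.sourceEncoding=UTF-8

# Source-only configuration, as in the earlier post.
# With only this, the Java analyzer has no bytecode and no classpath, so rules
# that need type resolution across classes and third-party libraries degrade
# into false positives or false negatives.
sonar.sources=src/main/java

# Corrected configuration: hand the analyzer the compiled classes and the
# dependency jars explicitly, which is what the Scanner for Maven derives for
# you from the Maven repository (hence its "install first" requirement).
# Assumed paths for a standard Maven project; build before scanning, e.g.
#   mvn -DskipTests package dependency:copy-dependencies
#   sonar-scanner
sonar.java.binaries=target/classes
sonar.java.libraries=target/dependency/*.jar
```

The point of the pairing is that sonar-scanner never builds anything itself: whichever job runs it must already have produced the bytecode it points at, otherwise the analyzer sees stale or missing classes and the analysis quietly loses precision.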