SonarQube "Class Not Found" during Main AST Scan

Question

My setup:

Sonarqube 5.1.1
Sonar-Maven Plugin 2.6 (also tried 2.7 and 3.6)
JDK 1.7.0_51

Example of the error:

16:00:54 [INFO] [23:00:54.219] Sensor JavaSquidSensor
16:00:55 [INFO] [23:00:55.030] Java Main Files AST scan...
16:00:55 [INFO] [23:00:55.030] 1532 source files to be analyzed
16:00:58 [ERROR] [23:00:57.927] Class not found: javax.annotation.Nullable
16:00:58 [ERROR] [23:00:57.928] Class not found: javax.annotation.CheckReturnValue
16:00:58 [ERROR] [23:00:58.114] Class not found: javax.annotation.Nullable

According to this stackoverflow question, javax.annotation should be part of java 1.7 and up. Furthermore, I've tried putting it in the local maven repository but that didnt help.

So where is Sonar trying to find this package? Any help?!?

Update:

I've tried modifying the sonar-maven-plugin to include a dependency on javax.annotation
I've tried putting the dependency in my maven's settings.xml
Upgrading my JDK to 1.8 has not helped.

Can you check if the javax.annotation*.jar is present in your Java installation? `\lib\missioncontrol\plugins` Also curious if you have JAVA_HOME and CLASSPATH variables set? — Techtwaddle, Jul 21 '15 at 05:38
This class should be picked in the JDK running the analysis. So please double check the jdk running the analysis as suggested by @Techtwaddle — benzonico, Jul 21 '15 at 07:56
Ah thank you @Techtwaddle. It's missing from my java installation. Thank you so much! I'd been searching on and off for days without much luck — wilson, Jul 21 '15 at 17:12
Hmm...so I was pretty sure it had worked, but it turns out I had only glanced at a part where there weren't any instances of the class not found error. The bug is still there. Any help? — wilson, Jul 22 '15 at 16:05
@Techtwaddle do you think Sonar uses the JDK's lib plugins to scan the java files or since i'm running this via maven, does it check the maven repository ? — wilson, Jul 22 '15 at 16:32

Kraal · Accepted Answer · 2015-10-05T12:05:18.520

12

According to http://docs.oracle.com/javase/7/docs/api/index.html?javax/annotation/package-summary.html the classes you expect are not part of JDK 7.

The classes you're looking for are part of google JSR-305 implementation that was initiated here https://code.google.com/p/jsr-305/source/browse/trunk/ri/src/main/java/javax/annotation/Nullable.java?r=24 and which moved to Findbugs:

<dependency>
  <groupId>com.google.code.findbugs</groupId>
  <artifactId>jsr305</artifactId>
  <version>3.0.0</version>
</dependency>

According to https://jcp.org/en/jsr/detail?id=305 the JSR-305 is finished, but is in dormant status and has not been added to a JDK release yet.

Hope it helps.

edited Oct 05 '15 at 12:05

answered Oct 05 '15 at 11:58

Kraal

2,779
1
19
36

9

Reading this answer, I'm not sure what is the solution. Should I add this dependency withing the sonar maven plugin configuration ? – baraber Oct 09 '15 at 12:45
1

I see similar problems and adding the google findbugs dependency to the project dependencies helps. Similar problems occured with joda convert like `[ERROR] [20:44:25.247] Class not found: org.joda.convert.ToString`. Hence I added – Gerd Aschemann Dec 29 '15 at 01:14

score 9 · Answer 2 · answered Feb 29 '16 at 08:07

To avoid adding SonarQube specific dependencies to your project, define a profile like this:

    <profile>
        <id>sonarqube</id>
        <dependencies>
            <dependency>
                <groupId>org.joda</groupId>
                <artifactId>joda-convert</artifactId>
                <version>1.2</version>
            </dependency>
            <dependency>
                <groupId>com.google.code.findbugs</groupId>
                <artifactId>jsr305</artifactId>
                <version>3.0.0</version>
            </dependency>
        </dependencies>
    </profile>

Then run your sonar analysis with a command like

mvn org.sonarsource.scanner.maven:sonar-maven-plugin:3.0.1:sonar -Psonarqube,sonarqube-dev

The sonarqube-dev profile is defined in my ~/.m2/settings.xml and it just specifies where my development environment SonarQube installation is

    <profile>
        <id>sonarqube-dev</id>
        <properties>
            <!-- no direct db connections in new sonar -->
            <sonar.host.url>
                http://localhost:9000/
            </sonar.host.url>
        </properties>
    </profile>

What is achieved by all this?

sonarqube analysis specific dependencies don't pollute the project unnecessarily
no sonarqube maven plugin defined in pom.xml. Each developer and Jenkins can use whatever sonar plugin and server installation they wish

[WARNING] Some problems were encountered while building the effective settings [WARNING] Unrecognised tag: 'dependencies' (position: START_TAG seen ...\n ... @278:23) @ /home/jenkins/.m2/settings.xml, line 278, column 23 — rhinoceros.xn, Sep 26 '18 at 07:03
Could you be more specific where to add the first profile? If I change the sonar profile in ~/.m2/settings.xml, I get warnings like that of rhinoceros.xn... I think you mean [Different dependencies for different build profiles](https://stackoverflow.com/questions/166895/different-dependencies-for-different-build-profiles) — Roeland Van Heddegem, Oct 04 '18 at 14:37

score 2 · Answer 3 · answered Dec 29 '15 at 01:21

This is more an addendum to the latest answer:

I see similar problems and adding the google findbugs dependency to the project dependencies helps. Similar problems occured with joda convert like

[ERROR] [20:44:25.247] Class not found: org.joda.convert.ToString

Hence I also added

    `<dependency>
        <groupId>org.joda</groupId>
        <artifactId>joda-convert</artifactId>
        <version>1.8.1</version>
        <scope>provided</scope>
    </dependency>`

But note, that I set the scope to provided to prevent these new dependencies to be added to a resulting war file.

However, I still wonder why these errors occur since none of the analyzed classes seem to use these annotations?

SonarQube "Class Not Found" during Main AST Scan

3 Answers3

Linked