Tuesday, July 15, 2025

How to do Sonar scan for Java Maven Project

Below are the steps to run a Sonar scan on a Maven-based Java project.

1. Install SonarQube server

2. Add the plugin below to the application's pom.xml:

   <plugin>
       <groupId>org.sonarsource.scanner.maven</groupId>
       <artifactId>sonar-maven-plugin</artifactId>
       <version>3.7.0.1746</version>
   </plugin>

3. If your application runs on JDK 8 but SonarQube requires a different JDK, run the Maven clean install under JDK 8 and then run the sonar command under JDK 17

(e.g. export JAVA_HOME=/<Corretto Path>/corretto-17 before running the sonar command).

4. Add the plugin below to pom.xml to generate the OWASP dependency-check report:

   <plugin>
       <groupId>org.owasp</groupId>
       <artifactId>dependency-check-maven</artifactId>
       <version>8.4.0</version>
       <executions>
           <execution>
               <goals>
                   <goal>check</goal>
               </goals>
           </execution>
       </executions>
       <configuration>
           <formats>
               <format>XML</format>
               <format>JSON</format>
               <format>HTML</format>
           </formats>
           <!--<outputDirectory>${project.build.directory}/dependency-check-report</outputDirectory>-->
       </configuration>
   </plugin>

5. Run the command below:

mvn sonar:sonar  -Dsonar.token=<sonar_token> -Dsonar.scm.disabled=true -Dsonar.projectKey=<project key name> -Dsonar.dependencyCheck.reportPath=target/dependency-check-report.xml -Dsonar.dependencyCheck.jsonReportPath=target/dependency-check-report.json -Dsonar.dependencyCheck.htmlReportPath=target/dependency-check-report.html


N.B. The OWASP Dependency-Check plugin can be installed into the SonarQube server from the Sonar Marketplace, which is reachable from the Administration section of your SonarQube server; without it, the report paths passed in step 5 are ignored by the server.
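Steps 3 and 5 as one shell script, added here as an example and not part of the original post. The JDK paths and the SONAR_PROJECT_KEY and SONAR_TOKEN variable names are assumptions; the token is read from the environment so it is never hardcoded in the script or left in shell history (it is still visible in the process list while mvn runs), and the scanner is only invoked once the three dependency-check reports actually exist.

```bash
#!/bin/sh
# Added example (not from the original post): scripted version of steps 3 and 5.
# Assumed: JDK locations, SONAR_PROJECT_KEY and SONAR_TOKEN environment variables.
set -eu

JDK8_HOME="${JDK8_HOME:-/opt/corretto-8}"      # assumed path: JDK the app builds on
JDK17_HOME="${JDK17_HOME:-/opt/corretto-17}"   # assumed path: JDK the scanner runs on
PROJECT_KEY="${SONAR_PROJECT_KEY:-my-project}" # assumed variable name

# The three report files the sonar:sonar properties in step 5 point at.
# Returns 0 only when all of them exist and are non-empty in the given target dir,
# so a failed or skipped dependency-check run cannot silently upload nothing.
check_reports() {
  target="$1"
  for f in dependency-check-report.xml dependency-check-report.json dependency-check-report.html; do
    if [ ! -s "$target/$f" ]; then
      echo "missing dependency-check report: $target/$f" >&2
      return 1
    fi
  done
}

# Prints the step-5 properties on one line. The token is deliberately not part
# of this list: it is passed separately from the environment, never written to disk.
sonar_args() {
  key="$1"; target="$2"
  printf '%s %s %s %s %s\n' \
    "-Dsonar.projectKey=$key" \
    "-Dsonar.scm.disabled=true" \
    "-Dsonar.dependencyCheck.reportPath=$target/dependency-check-report.xml" \
    "-Dsonar.dependencyCheck.jsonReportPath=$target/dependency-check-report.json" \
    "-Dsonar.dependencyCheck.htmlReportPath=$target/dependency-check-report.html"
}

run_scan() {
  : "${SONAR_TOKEN:?set SONAR_TOKEN to a SonarQube token (do not hardcode it)}"
  # Step 3, first half: build on JDK 8. The dependency-check execution bound in
  # pom.xml (step 4) runs during verify and writes target/dependency-check-report.*
  JAVA_HOME="$JDK8_HOME" PATH="$JDK8_HOME/bin:$PATH" mvn -q clean install
  check_reports target
  # Step 3, second half: run the scanner on JDK 17. Word-splitting sonar_args is
  # safe here because none of the property values contain spaces.
  JAVA_HOME="$JDK17_HOME" PATH="$JDK17_HOME/bin:$PATH" \
    mvn -q sonar:sonar -Dsonar.token="$SONAR_TOKEN" $(sonar_args "$PROJECT_KEY" target)
}

# Invoke as: SONAR_TOKEN=... SONAR_PROJECT_KEY=... ./sonar-scan.sh run
if [ "${1:-}" = "run" ]; then run_scan; fi
```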
