SonarQube "Class Not Found" during Main AST Scan

Question

My setup:

• Sonarqube 5.1.1
• Sonar-Maven Plugin 2.6 (also tried 2.7 and 3.6)
• JDK 1.7.0_51

Example of the error:

16:00:54 [INFO] [23:00:54.219] Sensor JavaSquidSensor
16:00:55 [INFO] [23:00:55.030] Java Main Files AST scan...
16:00:55 [INFO] [23:00:55.030] 1532 source files to be analyzed
16:00:58 [ERROR] [23:00:57.927] Class not found: javax.annotation.Nullable
16:00:58 [ERROR] [23:00:57.928] Class not found: javax.annotation.CheckReturnValue
16:00:58 [ERROR] [23:00:58.114] Class not found: javax.annotation.Nullable

According to this stackoverflow question, javax.annotation should be part of java 1.7 and up. Furthermore, I've tried putting it in the local maven repository but that didnt help.

So where is Sonar trying to find this package? Any help?!?

Update:

• I've tried modifying the sonar-maven-plugin to include a dependency on javax.annotation
• I've tried putting the dependency in my maven's settings.xml
• Upgrading my JDK to 1.8 has not helped.

Answer 1

According to http://docs.oracle.com/javase/7/docs/api/index.html?javax/annotation/package-summary.html the classes you expect are not part of JDK 7.

The classes you're looking for are part of google JSR-305 implementation that was initiated here https://code.google.com/p/jsr-305/source/browse/trunk/ri/src/main/java/javax/annotation/Nullable.java?r=24 and which moved to Findbugs:

<dependency>
  <groupId>com.google.code.findbugs</groupId>
  <artifactId>jsr305</artifactId>
  <version>3.0.0</version>
</dependency>

According to https://jcp.org/en/jsr/detail?id=305 the JSR-305 is finished, but is in dormant status and has not been added to a JDK release yet.

Hope it helps.

Answer 2

To avoid adding SonarQube specific dependencies to your project, define a profile like this:

    <profile>
        <id>sonarqube</id>
        <dependencies>
            <dependency>
                <groupId>org.joda</groupId>
                <artifactId>joda-convert</artifactId>
                <version>1.2</version>
            </dependency>
            <dependency>
                <groupId>com.google.code.findbugs</groupId>
                <artifactId>jsr305</artifactId>
                <version>3.0.0</version>
            </dependency>
        </dependencies>
    </profile>

Then run your sonar analysis with a command like

mvn org.sonarsource.scanner.maven:sonar-maven-plugin:3.0.1:sonar -Psonarqube,sonarqube-dev

The sonarqube-dev profile is defined in my ~/.m2/settings.xml and it just specifies where my development environment SonarQube installation is

    <profile>
        <id>sonarqube-dev</id>
        <properties>
            <!-- no direct db connections in new sonar -->
            <sonar.host.url>
                http://localhost:9000/
            </sonar.host.url>
        </properties>
    </profile>

What is achieved by all this?

• sonarqube analysis specific dependencies don't pollute the project unnecessarily
• no sonarqube maven plugin defined in pom.xml. Each developer and Jenkins can use whatever sonar plugin and server installation they wish

Answer 3

This is more an addendum to the latest answer:

I see similar problems and adding the google findbugs dependency to the project dependencies helps. Similar problems occured with joda convert like

[ERROR] [20:44:25.247] Class not found: org.joda.convert.ToString

Hence I also added

    `<dependency>
        <groupId>org.joda</groupId>
        <artifactId>joda-convert</artifactId>
        <version>1.8.1</version>
        <scope>provided</scope>
    </dependency>`

But note, that I set the scope to provided to prevent these new dependencies to be added to a resulting war file.

However, I still wonder why these errors occur since none of the analyzed classes seem to use these annotations?