dependency-check / dependency-check-sonar-plugin

Integrates Dependency-Check reports into SonarQube

Add "DownloadOnlyWhenRequired" to packaging #911

Closed. ganncamp closed this issue 5 months ago.

ganncamp commented 7 months ago

SonarQube 10.4 will come with a feature to only download plugins when they are required. When there are files corresponding to the language handled by the plugin, the plugin will be downloaded; otherwise, the plugin won't be downloaded. This is great to save network bandwidth and speed up the bootstrap of the scans. This feature will be disabled by default to give plugin maintainers time to adjust their plugin. It will be activated by default with SonarQube 10.5.

For plugins that have a dependency on a base analyzer provided by default with SonarQube, an additional property is required to be added to the MANIFEST of the plugin. By doing so you will avoid being in this situation:

- dependencycheck is downloaded because it doesn't support the new property, so it is downloaded from the server at each scan
- while the underlying language plugins are not downloaded because there are no relevant files in the repo to scan
- a NoClassDefFoundError is thrown

In order to avoid that you need to:

- upgrade sonar-packaging-maven-plugin to https://github.com/SonarSource/sonar-packaging-maven-plugin/releases/tag/1.22.0.705
- add [your languages]

Because it is not clear to me whether or not this plugin truly "depends on" the underlying language plugins, out of an abundance of caution, the release of 10.4 will include setting the current version of your plugin to end compatibility at SonarQube 10.4 in the Marketplace. That way, when SonarQube 10.5 is released with the new feature on by default, your users' analyses won't error out.

If I'm wrong, please simply submit a new PR resetting your current plugin version to end compatibility at LATEST
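The two steps above as a pom.xml fragment (an added example, not the dependency-check-sonar-plugin project's own build file). The `requiredForLanguages` parameter, the `Plugin-RequiredForLanguages` manifest attribute it writes and the plugin's groupId are given as I know them and are assumptions, not taken from this thread; the language list is a constructed placeholder.

```xml
<!-- Added example, not the project's pom.xml. Assumes sonar-packaging-maven-plugin
     exposes a requiredForLanguages parameter that is written to the MANIFEST as
     Plugin-RequiredForLanguages; the language list below is a placeholder. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.sonarsource.sonar-packaging-maven-plugin</groupId>
      <artifactId>sonar-packaging-maven-plugin</artifactId>
      <!-- step 1: the release linked in the comment above -->
      <version>1.22.0.705</version>
      <extensions>true</extensions>
      <configuration>
        <!-- existing pluginKey / pluginClass configuration stays unchanged -->

        <!-- step 2: the languages whose base analyzers this plugin depends on.
             With this attribute SonarQube 10.4+ only downloads the plugin when
             the project contains files of one of these languages, so the plugin
             is never loaded while its base analyzers are absent (the
             NoClassDefFoundError case described above). -->
        <requiredForLanguages>java,js</requiredForLanguages>
      </configuration>
    </plugin>
  </plugins>
</build>
```

A plugin that does not depend on any language analyzer, as this one turned out to be in the thread below, should leave the parameter out: setting it would make SonarQube skip the plugin on projects without those languages.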

Reamer commented 6 months ago

Hi @ganncamp, sorry for the late response. This Sonar plugin can be run for any language. How can I express this?

ganncamp commented 6 months ago

No problem @Reamer! If your plugin isn't going to fail analysis because an underlying language analyzer isn't present (no dependencies either implicit or explicit) then there's nothing for you to do except to (please!) submit a sonar-update-center-properties PR to set the end range of your current version back to LATEST. And then close this issue. :D