Configure Sonar to exclude files from Maven pom.xml

Question

I have a project configured in maven and the code analysis is done by SonarQube.

I am trying to configure SonarQube in the pom.xml file to exclude a few files from the code analysis. Those files can be identified by their class names, they contain the underscore character before the extension (they are metamodel classes). Below I give the part of the pom.xml file where I try to exclude them:

<plugin>
    <groupId>org.codehaus.mojo</groupId>
    <artifactId>sonar-maven-plugin</artifactId>
    <version>2.2</version>
    <configuration>
        <sonar.sources>src/main/java</sonar.sources>
        <sonar.exclusions>file:**/src/main/java/**/*_.*</sonar.exclusions>
    </configuration>
</plugin>

However, the above code does not work. Is there a way to configure SonarQube from my pom.xml file to ignore those files when analysing the source code?

Thank you in advance.

Answer 1

An addition to the answer of @Yatindra Soni (unfortunately I have not yet enough reputation to comment your answer):

If you want to exclude multiple sonar rules by pom.xml, you have to specify

<sonar.issue.ignore.multicriteria>e1,e2,e3</sonar.issue.ignore.multicriteria>

only once and comma separate the values

<properties>
    <sonar.issue.ignore.multicriteria>e1,e2,e3</sonar.issue.ignore.multicriteria>
    
    <!-- rule e1 -->
    <sonar.issue.ignore.multicriteria.e1.ruleKey>
        java:S4784
    </sonar.issue.ignore.multicriteria.e1.ruleKey>
    <sonar.issue.ignore.multicriteria.e1.resourceKey>
        **/commons/**/*
    </sonar.issue.ignore.multicriteria.e1.resourceKey>
    
    <!-- rule e2 -->
    <sonar.issue.ignore.multicriteria.e1.ruleKey>
        java:S2899
    </sonar.issue.ignore.multicriteria.e1.ruleKey>
    <sonar.issue.ignore.multicriteria.e1.resourceKey>
        **/entity/**/*
    </sonar.issue.ignore.multicriteria.e1.resourceKey>
    
    <!-- rule e3 -->
    <sonar.issue.ignore.multicriteria.e1.ruleKey>
        java:S3358
    </sonar.issue.ignore.multicriteria.e1.ruleKey>
    <sonar.issue.ignore.multicriteria.e1.resourceKey>
        **/*.java
    </sonar.issue.ignore.multicriteria.e1.resourceKey>
</properties>

Answer 2

When doing your Sonar exclusions as shown in the accepted answer, make sure you follow this pattern approach from the SonarQube documentation:

Relative paths are based on the fully qualified name of the component (like the one displayed below):

src/main/java/org/sonar/batch/phases/AbstractPhaseEvent.java

Examples:

# Exclude all classes ending with "Bean"
# Matches org/sonar.api/MyBean.java, org/sonar/util/MyOtherBean.java, etc.
**/*Bean.java

# Exclude all classes in the "src/main/java/org/sonar" directory
# Matches src/main/java/org/sonar/MyClass.java, src/main/java/org/sonar/MyOtherClass.java
# But does not match src/main/java/org/sonar/util/MyClassUtil.java
src/main/java/org/sonar/*

# Exclude all files in the "bank" directory and its sub-directories
# Matches bank/ZTR00021.cbl, bank/data/CBR00354.cbl, bank/data/REM012345.cob
bank/**/*

# Exclude all COBOL programs in the "bank" directory and its sub-directories whose extension is .cbl
# Matches bank/ZTR00021.cbl, bank/data/CBR00354.cbl
bank/**/*.cbl

So if you want to exclude all classes ending with "Bean" and all classes in the "src/main/java/org/sonar" directory (but not in its sub-directories) add the following sonar.exclusions property to the pom's properties:

<properties>
  ...
  <sonar.exclusions>**/*Bean.java,src/main/java/org/sonar/*</sonar.exclusions>
</properties>

Answer 3

There are three ways to do.

1. You can add these files to the properties in your pom.xml:
   This one is to exclude from code duplication:

<properties>
    <sonar.cpd.exclusions>
        **/dto/**/*,
        **/entity/**/*
    </sonar.cpd.exclusions>
</properties>

2. Using pom.xml
   We can also define exclusion rules in the pom.xml file using analysis properties.

<properties>
<sonar.issue.ignore.multicriteria>e1</sonar.issue.ignore.multicriteria>
    <sonar.issue.ignore.multicriteria.e1.ruleKey>
        java:S4784
    </sonar.issue.ignore.multicriteria.e1.ruleKey>
    <sonar.issue.ignore.multicriteria.e1.resourceKey>
        **/commons/**/*
    </sonar.issue.ignore.multicriteria.e1.resourceKey>
</properties>

3. Using sonar-project.properties
   We can also define exclusion rules in the sonar-project.properties file using analysis properties.Let's define and add the sonar-project.properties file to our resource dir:

sonar.issue.ignore.multicriteria=e1
sonar.issue.ignore.multicriteria.e1.ruleKey=java:S106
sonar.issue.ignore.multicriteria.e1.resourceKey=**/SonarExclude.java

how we can see the rule Key from sonarqube

Answer 4

We have to add below code in maven settings.xml file

       <profile>
                <id>sonar</id>
                <activation>
                    <activeByDefault>true</activeByDefault>
                </activation>     
           <properties>
               <sonar.host.url>http://localhost:9000</sonar.host.url>

               <sonar.exclusions>
               # exclude more class under same package
                  src/main/java/co/domain/*,
                  src/main/java/co/util/JsonMapper.java

               # exclude individual class
                  src/main/java/co/util/ProviderCallBuilder.java
               </sonar.exclusions>
            </properties>
       </profile>

Answer 5

I was using sonar to analyse PHP code base. Both <sonar.exclusions> and <sonar.coverage.exclusions> didn't do the trick. My solution is - Instead of specifying the exclusions, I ended up specifying the inclusion directories as below:

<properties>
  .........
  <sonar.exclusions>./app/models,./app/controllers</sonar.exclusions>
  .........
</properties>

Answer 6

classes/packages mentioned in <sonar.exclusions> excludes the given classes from all static analysis by Sonar, however <sonar.coverage.exclusions> excludes given classes/packages only from coverage, and still be analyzed for other parameters.

<properties>
    <sonar.coverage.exclusions>
        **/domain/**/*,
        **/pojos/*
    </sonar.coverage.exclusions>
</properties>

Reference:

• https://docs.sonarqube.org/display/SONAR/Analysis+Parameters#AnalysisParameters-Exclusions/Inclusions

Source:

• https://docs.sonarqube.org/display/SONAR/Narrowing+the+Focus#NarrowingtheFocus-IgnoreCodeCoverage
• https://docs.sonarqube.org/display/SONAR/Analysis+Parameters#AnalysisParameters-Exclusions/Inclusions
• https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner+for+Maven#AnalyzingwithSonarQubeScannerforMaven-ExcludingamodulefromSonarQubeanalysis

Answer 7

Sonar exclusions (like other sonar properties) have to be added to the <properties> section of the POM file. Like so (example from excluding jOOQ autogenerated code from current project):

<properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <sonar.host.url>http://www.example.com/</sonar.host.url>
    <sonar.jdbc.url>jdbc:postgresql://www.example.com/sonar</sonar.jdbc.url>
    <sonar.jdbc.driver>org.postgresql.Driver</sonar.jdbc.driver>
    <sonar.jdbc.username>sonar</sonar.jdbc.username>
    <sonar.jdbc.password>sonar</sonar.jdbc.password>
    <sonar.exclusions>org/binarytherapy/generated/**/*, **/GuiceBindComposer.java</sonar.exclusions>
    <sonar.dynamic>reuseReports</sonar.dynamic>
</properties>