This SonarQube plugin uses Error Prone and reports findings in your project. Additionally, some Error Prone plugins are included:
Enable a quality profile that includes some of the rules. For NullAway you will also need to configure the list of annotated packages.
The plugin is compatible with SonarQube from version 9.9 LTS through 10.x.
The Sonar analyzer and Error Prone must run on JDK 11 or newer but can analyze Java 8 code. When running on JDK 16 or newer add the following options due to JEP 396:
--add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED
--add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED
--add-exports=jdk.compiler/com.sun.tools.javac.main=ALL-UNNAMED
--add-exports=jdk.compiler/com.sun.tools.javac.model=ALL-UNNAMED
--add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED
--add-exports=jdk.compiler/com.sun.tools.javac.processing=ALL-UNNAMED
--add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED
--add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED
--add-opens=jdk.compiler/com.sun.tools.javac.code=ALL-UNNAMED
--add-opens=jdk.compiler/com.sun.tools.javac.comp=ALL-UNNAMED
See .mvn/jvm.config for a way to do it with Maven and gradle.properties for a way to do it with Gradle.
From SonarQube 10.6 the scanner also auto-provisions a JRE and runs the analysis on that JVM. Since the JRE does not include the required compiler module, this needs to be disabled with sonar.scanner.skipJreProvisioning=true.
When these options are not set you will receive errors:
Exception in thread "main" java.util.ServiceConfigurationError: com.google.errorprone.bugpatterns.BugChecker: Provider ... could not be instantiated
...
Caused by: java.lang.IllegalAccessError: class ... (in unnamed module @...) cannot access class com.sun.tools.javac.code.Symbol (in module jdk.compiler) because module jdk.compiler does not export com.sun.tools.javac.code to unnamed module @...
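A preflight check for the options listed above, as an added example that is not part of this plugin's own code. The function name missing_javac_flags is hypothetical, and the check assumes each option appears literally in the file it is given (bare options in .mvn/jvm.config, or inside a property value in gradle.properties).

```shell
#!/bin/sh
# Added example: report which of the JDK 16+ options from this README are
# missing from a JVM options file, so the build fails fast instead of ending
# in the IllegalAccessError shown above.

# The ten options exactly as listed in this README.
REQUIRED_FLAGS='--add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED
--add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED
--add-exports=jdk.compiler/com.sun.tools.javac.main=ALL-UNNAMED
--add-exports=jdk.compiler/com.sun.tools.javac.model=ALL-UNNAMED
--add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED
--add-exports=jdk.compiler/com.sun.tools.javac.processing=ALL-UNNAMED
--add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED
--add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED
--add-opens=jdk.compiler/com.sun.tools.javac.code=ALL-UNNAMED
--add-opens=jdk.compiler/com.sun.tools.javac.comp=ALL-UNNAMED'

# missing_javac_flags FILE (hypothetical helper)
# Prints every required option that FILE lacks, one per line.
# Returns 0 when nothing is missing, 1 otherwise or when FILE is unreadable.
missing_javac_flags() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 1
    fi
    status=0
    for flag in $REQUIRED_FLAGS; do
        # -F matches the option literally; -e is needed because it starts
        # with "--". The whole option is matched, so an --add-exports entry
        # does not satisfy a required --add-opens entry.
        if ! grep -qF -e "$flag" "$file"; then
            echo "$flag"
            status=1
        fi
    done
    return $status
}

# When called with a path, check that file and exit non-zero on any gap.
[ "$#" -eq 0 ] || missing_javac_flags "$1"
```

Run it as a CI step before the analysis, for example with .mvn/jvm.config or gradle.properties as the argument.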
In SonarQube 10.5 the new feature to only download required plugins causes a NoClassDefFoundError. The workaround for this issue is to set the sonar.plugins.downloadOnlyRequired option to false on the server AND on the analyzer: -Dsonar.plugins.downloadOnlyRequired=false
NullAway needs to be configured with the nullaway.annotated.packages option, for instance:
nullaway.annotated.packages=com.foo,org.bar
Running unit and integration tests:
mvn verify -Dsonar.server.version=10.5.1.90531 -Dsonar-java.version=7.34.0.35958 -Dsonar.web.port=9001