Usage

Generate a Meterian JSON report with

Using the Meterian scanner of your choice, generate a JSON report for your Sonar project by launching a scan in the source code folder.

Thin client scanner example

$ java -Dcli.param.report.tree.included=true -jar /tmp/meterian-cli.jar --report-json=report.json

Dockerized client scanner example

$ meterian-docker --report-json=report.json --flags:cli.param.report.tree.included=true

Note: in both examples we are requesting the scanner to generate a JSON report including the dependency tree of the project via the flag cli.param.report.tree.included=true. This is done so that the plugin is capable of showing issues for transitive dependencies.

Import the Meterian findings in SonarQube

To import the Meterian findings in SonarQube, analyze your project with a SonarScanner that is suitable for it (SonarQube provides a set of scanners dedicated to specific programming languages). The example below uses the generic scanner (suitable for scanning JS, TS, Go, Python, PHP and more).

$ sonar-scanner -Dsonar.login=YOUR_TOKEN \
                -Dsonar.projectKey=PROJECT_UNIQUE_KEY \
                -Dsonar.meterian.reportJsonPath=PATH_TO_REPORT \
                -Dsonar.sources=.

Note: our plugin property is passed as a command-line flag in this example. If you prefer, you can configure the properties in the Sonar project configuration file (sonar-project.properties) and remove the corresponding flags from the invocation.

sonar.projectKey=PROJECT_UNIQUE_KEY
sonar.login=YOUR_TOKEN
sonar.meterian.reportJsonPath=PATH_TO_REPORT
sonar.sources=.

Different SonarScanners analyse different source folders by default. To ensure that all the main source files are part of the analysis, we set sonar.sources to the current working directory (the path .). It is important that your manifest files are within the sources. The SonarQube documentation describes how to adjust the analysis scope.
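The two preconditions described above (a readable report at sonar.meterian.reportJsonPath, and manifest files inside sonar.sources) can be checked before the scanner runs. The script below is an added example, not part of the Meterian plugin or scanner. It assumes that relative paths resolve from the project directory, and its manifest file names are a constructed sample rather than the list of files Meterian supports.

```sh
#!/bin/sh
# Added example, not Meterian's code: pre-flight checks before sonar-scanner.
# Assumptions: relative paths resolve from the project directory; the manifest
# names are a constructed sample, not the list of files Meterian supports.

# prop FILE KEY: print KEY's value from a .properties file (last one wins)
prop() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# inside_sources FILE CSV: succeed if FILE is under an entry of sonar.sources
inside_sources() {
    f=${1#./}
    old_ifs=$IFS; IFS=,
    for s in $2; do
        s=${s#./}; s=${s%/}
        case $s in ''|.) IFS=$old_ifs; return 0 ;; esac
        case $f in "$s"/*) IFS=$old_ifs; return 0 ;; esac
    done
    IFS=$old_ifs
    return 1
}

# preflight DIR: 0 = ready, 1 = no properties file, 2 = report path unset,
# 3 = report missing or empty, 4 = a manifest is outside sonar.sources
# (an unset sonar.sources also yields 4, because scanner defaults differ)
preflight() (
    cd "$1" || exit 1
    p=sonar-project.properties
    [ -f "$p" ] || { echo "no $p in $1" >&2; exit 1; }
    [ -z "$(prop "$p" sonar.login)" ] ||
        echo "warning: token stored in $p; keep it out of version control" >&2
    report=$(prop "$p" sonar.meterian.reportJsonPath)
    sources=$(prop "$p" sonar.sources)
    [ -n "$report" ] || { echo "sonar.meterian.reportJsonPath is not set" >&2; exit 2; }
    [ -s "$report" ] || { echo "report missing or empty: $report" >&2; exit 3; }
    find . -type f ! -path '*/node_modules/*' \( -name pom.xml -o -name package.json \
        -o -name go.mod -o -name requirements.txt -o -name composer.json \) |
    while IFS= read -r m; do
        inside_sources "$m" "$sources" ||
            { echo "manifest outside sonar.sources: $m" >&2; exit 4; }
    done || exit 4
)

# Usage: sh preflight.sh PROJECT_DIR && (cd PROJECT_DIR && sonar-scanner)
if [ -n "${1:-}" ]; then preflight "$1"; fi
```
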

Your source code will be analysed, and the findings from SonarQube and Meterian will then be uploaded to your SonarQube instance.

These findings will be visible on the web interface as issues.