# Usage

## Generate a Meterian JSON report with

Using the Meterian scanner of your choice, generate a JSON report for your Sonar project by launching a scan in the source code folder.

[*Thin client scanner*](https://docs.meterian.io/the-client/client) *example*

```
$ java -Dcli.param.report.tree.included=true -jar /tmp/meterian-cli.jar --report-json=report.json
```

[*Dockerized client scanner*](https://docs.meterian.io/the-client/the-meterian-client-dockerized) *example*

```
$ meterian-docker --report-json=report.json --flags:cli.param.report.tree.included=true
```

{% hint style="info" %}
Note: in both examples we ask the scanner to generate a JSON report that includes the project's dependency tree, via the flag `cli.param.report.tree.included=true`. This allows the plugin to show issues for transitive dependencies.\
\
If you are generating the JSON report in a pipeline, it is recommended to enable the inclusion of the tree in the report via the `--flags` operator, as shown in the example above. For documentation specific to the `--flags` operator, please refer to [this page](https://docs.meterian.io/the-client/command-line-parameters/specific-controls).
{% endhint %}

## Import the Meterian findings in SonarQube

To import the Meterian findings in SonarQube, analyze your project with a [SonarScanner](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/overview/) that is suitable for your project (SonarQube provides a set of scanners dedicated to specific programming languages). The example below uses the generic scanner (suitable for scanning JS, TS, Go, Python, PHP and more).

```
$ sonar-scanner -Dsonar.login=YOUR_TOKEN \
                -Dsonar.projectKey=PROJECT_UNIQUE_KEY \
                -Dsonar.meterian.reportJsonPath=PATH_TO_REPORT \
                -Dsonar.sources=.
```

{% hint style="info" %}
Note: our plugin property is passed as a command-line flag in this example. If you prefer, you can configure the properties in the Sonar project configuration file (`sonar-project.properties`) and remove the corresponding flags from the invocation.

```
sonar.projectKey=PROJECT_UNIQUE_KEY
sonar.login=YOUR_TOKEN
sonar.meterian.reportJsonPath=PATH_TO_REPORT
sonar.sources=.
```

{% endhint %}

{% hint style="info" %}
Different SonarScanners default to analysing different source folders. To ensure that all the main source files are part of the analysis, we set `sonar.sources` to the current working directory (the path `.`). **It is important that you ensure that your manifest files are within the sources**. You can read more on how to adjust the analysis scope by clicking [**here**](https://docs.sonarsource.com/sonarqube/latest/project-administration/analysis-scope/).
{% endhint %}
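
A pre-flight check for the import step, as an added example (not part of the Meterian plugin or its documentation): it stops the pipeline early when the report file is missing or empty, or when a manifest file lies outside the directories given in `sonar.sources`. The `MANIFESTS` list, the function names and the `node_modules` exclusion are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks to run between the Meterian scan and sonar-scanner.
# MANIFESTS is a sample list chosen for illustration; extend it for your ecosystems.
MANIFESTS="package.json pom.xml requirements.txt go.mod composer.json Gemfile"

# report_usable REPORT: succeeds when the report is a regular, non-empty file.
report_usable() {
    [ -f "$1" ] && [ -s "$1" ]
}

# manifests_outside_sources PROJECT_DIR SOURCES
# SOURCES is the sonar.sources value (comma-separated, relative to PROJECT_DIR).
# Prints each manifest in the project that no source directory contains.
# node_modules is skipped (assumption: vendored manifests are not scanned).
manifests_outside_sources() (
    cd "$1" || exit 2
    set -f                                  # no globbing while splitting SOURCES
    for name in $MANIFESTS; do
        find . -name node_modules -prune -o -type f -name "$name" -print
    done | sed 's|^\./||' | while IFS= read -r file; do
        covered=no
        old_ifs=$IFS; IFS=,
        for src in $2; do
            src=${src%/}; src=${src#./}     # "./src/" -> "src", "./" -> "."
            case "$src" in .) covered=yes ;; esac
            case "$file" in "$src"/*) covered=yes ;; esac
        done
        IFS=$old_ifs
        [ "$covered" = yes ] || printf '%s\n' "$file"
    done
)

# preflight PROJECT_DIR REPORT SOURCES
# Returns 0 when the import can proceed, 1 for an unusable report,
# 2 when PROJECT_DIR cannot be entered, 3 for manifests outside the sources.
preflight() {
    report_usable "$2" || { echo "report missing or empty: $2" >&2; return 1; }
    outside=$(manifests_outside_sources "$1" "$3") || return 2
    [ -z "$outside" ] && return 0
    printf 'manifests outside sonar.sources (%s):\n%s\n' "$3" "$outside" >&2
    return 3
}

# Usage in a pipeline step, with the values from the commands above:
#   preflight . report.json . && \
#     sonar-scanner -Dsonar.meterian.reportJsonPath=report.json -Dsonar.sources=.
```
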

Your source code will be analysed, and the findings from SonarQube and Meterian will then be uploaded to your SonarQube instance.

<figure><img src="https://3502151236-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M-naNCUtT6Gw1tfDjRR%2Fuploads%2FSSjZDT6S06bujJ3zzev4%2Fimage.png?alt=media&#x26;token=0dd7f855-aaad-4412-9e7d-1e2875e28b1c" alt=""><figcaption><p>Logs showing the Meterian plugin sensor in action</p></figcaption></figure>

These findings will be visible on the web interface as issues:

<figure><img src="https://3502151236-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M-naNCUtT6Gw1tfDjRR%2Fuploads%2FLhYYl2dAqeSUBpjTZxOu%2Fimage.png?alt=media&#x26;token=c4b96576-bf05-46bc-a8ed-686ce78896d2" alt=""><figcaption><p>Issues raised by Meterian</p></figcaption></figure>
