Meterian
  • Meterian
    • The Platform
    • SSO and MFA
    • Support
  • Codebase scanner
    • The Thin Client
      • How does the client work?
      • How does the client authenticate me?
      • How do I get the client?
      • What if I need a previous release?
      • Use the thin client on Windows
    • Using the client from your command line
      • Authorization in interactive mode
      • Interrupting the client
      • Example: running the client in interactive mode
    • Using the client in your CI/CD pipeline
      • Authorization in non-interactive mode
      • Providing the project branch
      • Concurrent mode
      • Two phases build
      • Controlling the exit code
      • Example: running the client in non-interactive mode
    • General operations
      • Running the analysis remotely
      • Interrupting the client
      • Generating a report
      • Forcing or avoiding specific scans
      • Excluding (and including) specific folders
      • Connecting through a proxy
    • System requirements
    • Command line parameters
      • General configuration
      • Overriding scores
      • Overriding scopes
      • Producing reports
      • Selecting scanners
      • Defining projects
      • Advanced options
        • Autofix
        • Pull Requests
      • System information
      • Specific controls
        • Maven specific controls
        • Dotnet specific controls
        • Npm/Yarn specific controls
        • Gradle specific controls
        • Ant/Ivy specific controls
    • The Dockerized Client
      • Basic usage
      • Advanced usage
        • Invoking via Docker
        • Platform-specific images
        • Usage on a CI/CD platform
        • Disable the client auto-update
      • Troubleshooting
        • Client auto update failure
        • Docker specifics
    • How scores work
    • Guide: your first scan!
      • Your first scan (java thin client)
      • Your first scan (dockerized client)
      • Your first scan (GitHub Action)
  • Scan behaviour matrix
  • THE METERIAN DASHBOARD
    • The Web Dashboard
      • Projects
      • Insights
      • Tokens
      • Badges
      • Policies
      • Tags
      • Teams
      • Configuration
        • Automatic Temporary Branches Clean-up
    • Advanced functionalities
      • Safe versions
      • Software Bill Of Materials (SBOM)
      • Auto-grouping
        • Domain auto-grouping
        • Github auto-grouping
      • How to set a vulnerability exclusion
        • From the report page
        • From the dashboard
        • The .meterian file
        • Generate the .meterian file
    • Troubleshooting
      • Login with credentials
  • Notifications
    • Sentinel
      • Notifications for Slack
      • Notifications for Email
    • Allerta
  • Github Badges
    • Introduction
    • Public repository
    • Private repository
  • ONLINE INTEGRATIONS
    • Introduction
    • GitHub Action
      • Using the Thin Client
      • Code scanning
    • Bitbucket Pipe
    • Azure DevOps Pipelines
  • Languages support
    • Introduction
    • C/C++
    • Clojure
    • Dart / Flutter
    • Elixir (erlang)
    • Golang
    • Java/Kotlin/Scala
      • Scanning EAR or WAR files
    • Javascript
    • .NET
      • Scanning DLLs
    • NodeJS
    • Perl
    • PHP
    • Python
    • R
    • Ruby
    • Rust
    • Swift / Objective-C
    • Generic (third party)
  • Special platfoms
  • Unity Packages
  • Jupyter Notebooks
    • License detection
  • Yocto license manifests
  • Container scanner
    • Container Scanner
      • Introduction
      • General usage
      • Command line parameters
        • General configuration
        • Overriding scores
        • Producing reports
        • Defining projects
        • Advanced Options
        • System information
      • How to set a vulnerability exclusion
  • IaC SCANNER
    • Introduction
    • General usage
    • Command line parameters
      • Producing reports
      • Defining projects
    • Policy management page
    • How to set a vulnerability exclusion
  • CI INTEGRATIONS
    • Introduction
    • AWS CodeBuild
    • Azure DevOps
      • Using the Docker image
      • Using the Java Thin client
    • Bamboo
    • Bitrise
    • CircleCI
    • CodeShip
    • Concourse CI
    • Generic CI
    • GitLab CI/CD
      • Docker-in-Docker configuration
      • Meterian Docker image configuration
      • Non-Meterian Docker image configuration
    • Jenkins
      • Pipeline
    • TeamCity
    • TravisCI
  • DevOps Integrations
    • GitLab Ultimate
    • SonarQube
      • Compatibility
      • Download and installation
      • Plugin properties
      • Usage
      • Report page
  • Management Platforms
    • Threadfix
    • DefectDojo
      • Uploading from a CI
    • Armorcode
    • Jira
  • Dedicated Instance
    • Introduction
    • On Cloud (MC/CC)
    • On Premises (OP)
      • Requirements and install
      • Managing the system
        • Admin dashboard
        • Managing your license
        • Managing accounts
    • Using the scanners
      • Thin client
      • Dockerized client
      • Container Scanner
      • IaC Scanner
  • Meterian API
  • API basics
  • Authorizing the APIs
  • Account APIs
    • Knowing your account
    • Listing your projects
  • Samples
  • Guides
    • Managing teams and members
    • Generating reports via APIs
Powered by GitBook
On this page
  • Generate a Meterian JSON report with
  • Import the Meterian findings in SonarQube

Was this helpful?

  1. DevOps Integrations
  2. SonarQube

Usage

PreviousPlugin propertiesNextReport page

Last updated 1 year ago

Was this helpful?

Generate a Meterian JSON report with

Through the Meterian scanner of choice generate a JSON report for your sonar project by launching a scan in the source code folder.

example

$ java -Dcli.param.report.tree.included=true -jar /tmp/meterian-cli.jar --report-json=report.json

example

$ meterian-docker --report-json=report.json --flags:cli.param.report.tree.included=true

Note: in both examples we are requesting the scanner to generate a JSON report including the dependency tree of the project via the flag cli.param.report.tree.included=true. This is done so that the plugin is capable of showing issues for transitive dependencies.

Import the Meterian findings in SonarQube

To import the Meterian findings in SonarQube, analyze your project via a that is suitable to your it (SonarQube provides a set of scanners dedicated to specific programming languages). The example below uses the generic scanner (suitable for scanning JS, TS, Go, Python, PHP and more).

$ sonar-scanner -Dsonar.login=YOUR_TOKEN \
                -Dsonar.projectKey=PROJECT_UNIQUE_KEY \
                -Dsonar.meterian.reportJsonPath=PATH_TO_REPORT \
                -Dsonar.sources=.

Note: our plugin property is passed as command line flag in this example. Should you prefer you can configure properties in sonar project configuration file (sonar-project.properties) and remove the flags accordingly from the invocation.

sonar.projectKey=PROJECT_UNIQUE_KEY
sonar.login=YOUR_TOKEN
sonar.meterian.reportJsonPath=PATH_TO_REPORT
sonar.sources=.

You source code will be analysed and findings from SonarQube and Meterian will then be uploaded to your SonarQube instance.

These findings will be visible on the web interface as issues:

Different SonarScanners default to analyse different source folders. To ensure that all the main source files are part of the analysis we set sonar.source to the current working directory (the path .). It is important that you ensure that your manifest files are within the sources. You can read more on how to adjust the analysis scope by clicking .

Thin client scanner
Dockerized client scanner
SonarScanner
here
Logs showing the Meterian plugin sensor in action
Issues raised by Meterian