Failing to get dependency during SonarScan action

Question

In our Java SpringBoot project we are using GitHub actions to run SonarScan. It was working like a charm until I've added first custom library to the project. That library is in Nexus repo and accessible only via VPN.

Locally project is built without any issues and works fine. Unit-testing and dev deployment GH actions run successfully. But SonarScan action is failing on :compileJava because of the missing resource (log below).

Looks like it tries to get it from the Apache Maven although it is in the Nexus. Here is the relevant part of the log:

> Task :compileJava
Watching 37 directories to track changes
Resolving global dependency management for project 'project_name'
Resource missing. [HTTP GET: https://repo.maven.apache.org/maven2/com/company_name/lib_name/1.0.7-SNAPSHOT/maven-metadata.xml]
Resource missing. [HTTP GET: https://repo.maven.apache.org/maven2/com/company_name/lib_name/1.0.7-SNAPSHOT/lib_name-1.0.7-SNAPSHOT.pom]
Excluding []


FAILURE: Build failed with an exception.
> Task :compileJava FAILED
* What went wrong:
:compileJava (Thread[included builds,5,main]) completed. Took 4 mins 35.418 secs.
1 actionable task: 1 executed
Execution failed for task ':compileJava'.
> Could not resolve all files for configuration ':compileClasspath'.
   > Could not resolve com.company_name:lib_name:1.0.7-SNAPSHOT.

     Required by:
         project :
      > Skipped due to earlier error

Here is our build.gradle file (shortened):

plugins {
    id 'org.springframework.boot' version '2.6.4'
    id 'io.spring.dependency-management' version '1.0.11.RELEASE'
    id 'java'
    id 'java-library'
    id "org.sonarqube" version "3.3"
}


//Sets Java Version
java {
    toolchain {
        languageVersion.set(JavaLanguageVersion.of(17))
    }
}

ext {
    set('mongoVersion', '4.4.1')
    set('mavenUsername', "maven.user")
    set('mavenPassword', "password")
    set('mavenUrl', "https://nexus-repo-url/repository/repo-name")
}

configurations {
    compileOnly {
        extendsFrom annotationProcessor
    }
}

repositories {
    mavenCentral()
    maven {
        credentials {
            username "${mavenUsername}"
            password "${mavenPassword}"
        }
        url "${mavenUrl}"
        authentication {
            basic(BasicAuthentication)
        }
    }
}

dependencies {
    ...
    implementation "com.company_name:lib_name:1.0.7-SNAPSHOT"
}


sonarqube {
    properties {
        property "sonar.projectKey", "prject_key"
        property "sonar.java.binaries", "build/classes"
    }
}

I am obviously missing some path somewhere, but failing to find where actually.

Answer 1

Could not resolve com.company_name:lib_name:1.0.7-SNAPSHOT.

which seems to be populated by

dependencies {
    ...
    implementation "com.company_name:lib_name:1.0.7-SNAPSHOT"
}

uneducated guess says you're most likely relying on com.company_name and lib_name to be supplied as arguments to your code.

which is kind of weird since you're treating it as a dependency, not a parameter.

it's difficult to imagine the context of that application, but checking whether my repo contains com.company_name and/or lib_name etc etc snapshot is where i'd start.

Answer 2

Solved. Issue was related to the VPN and got fixed in .github/workflows/sonar.yml:

name: SonarScan
on:
  pull_request:
  push:
    branches:
      - main # or the name of your main branch

jobs:
  build:
    name: SonarScan
    runs-on: ubuntu-latest <-- should be [self-hosted, main] to pass the wall
    steps:
      ...