Exclude Third-Party Sources From Sonar

Project Level Configuration

The easiest and cleanest way to make an exclusion of source files from Sonar scanning is from the sonar-project.properties file.

Example

sonar.exclusions=**/com/devdummy/thirdparty/**/*

Key

** -  Any Folder

*   -  Any File

Sonar Level Configuration

You also can set up this exclusion from SonarQube.

Administration -> Analysis Scope -> Code Coverage

However this will impact through out the SonarQube scope affecting to all the projects configured.

Conclusion

• Setting up project-level configuration is always safe, as it impacts only the specified project.
• If you want to apply this to all projects, SonarQube configuration is the best option.
• This should be an administrator task; use with care, as this can be used to skip the scanner-able code purposely.

It is always arguable what code should be excluded, may it be third-party gendered code (such as web service stubs), referring or developing on top of legacy code, or even using third-party client code as the base. However, ideally, third-party stubs above mentioned should be generated separately in a place such as target folder and refered in the compile time for bundling.