Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
{iframe:src=\|width=700\|height=250\|frameborder=0} {color:#333333}Your browser does not support iframes.{color} {iframe} h2. Compatibility matrix All SCM providers currently *require the native executable to be installed* on the box. For example svn.exe must be available in PATH for Subversion projects. || Plugin || 0.1 || 0.2 || 1.0 || 1.1 || 1.2 || || Sonar || 1.12\+ || 1.12\+ || 2.0\+ || 2.0\+ || 2.7\+ || | [Subversion|] | (+) | (/) | (/) | (/) | (/) | | [Git|] | (+) | (/) | (/) | (/) | (/) | | [CVS|] | (-) | (+) | (/) | (/) | (/)\\ | | [Mercurial|] | (-) | (+) | (/) | (/) | (?) &nbsp;Support planned in SCM Activity 1.3 (see [SONARPLUGINS-1067|]) | | [Bazaar|] | (-) | (+) | (/) | (/) | (?) | | [Perforce|] | (-) | (-) | (-) | (+) | (?) | | [StarTeam|] | (-) | (-) | (-) | (-) | (-) | | [Team Foundation Server|] (see [SONARPLUGINS-373|]) | (-) | (-) | (-) | (?) | (?) | | [ClearCase|] | (-) | (-) | (-) | (+) | (?) | | [Accurev|] (see [SONARPLUGINS-455|]) | (-) | (-) | (-) | (?) | (?) | (/) \- tested (+) \- added and tested (?) \- added, but not tested in real-life (x) \- tested, but not working (-) \- not implemented h2. Features This plugin collects and reports information from SCM. h4. SCM Metrics in filter results !metrics.png! h4. Dashboard widget h3. !widget.jpg! h4. {color:#000000}{*}Source code viewer{*}{color} !sources.jpg|border=1! h4. Code Coverage on New/Changed Code Monitoring code coverage is crucial to understand the risks associated to making changes to an application. But when dealing with a big application with low coverage, you will also want to separate new code from old (based upon a given cut-off date) in order to track the new code which does not have any/enough unit tests.&nbsp; This feature is available since Sonar 2.7 and SCM Activity plugin 1.2. h4. Live examples To see live examples, you can browse following projects on Nemo: * Git - [Sonar|] * Subversion - [Sonar Plugins|] * CVS - [Java Calendar Tools|] h2. Usage & Installation # Install from Update Center or download the JAR into the directory /extensions/plugins/ # Restart Sonar # Define the SCM URL of your project (see [SCM URL Format|]). Example for Maven pom.xml : {code:xml,title=pom.xml} <scm> <connection>scm:svn:</connection> <developerConnection>scm:svn:</developerConnection> <url></url> </scm> {code} Or you can use Project Setting - SCM URL. Or specify it via property {{sonar.scm.url}}. # Go to {{Global/Project Settings}} ## Enable plugin. This plugin disabled by default, because can dramatically increase analysis time of your project ## Specify User ({{sonar.scm.user.secured}}) and Password ({{sonar.scm.password.secured}}) if needed; if specified then {{developerConnection}} will be used, otherwise {{connection}} # Launch a new quality analysis and the metrics will be fed h2. Known problems and limitations h4. Subversion "Server certificate verification failed: issuer is not trusted" Add following to {{.subversion/servers}}: {code}
Wiki Markup

This plugin is deprecated since SonarQube 5.0 which has built-in support for SCM information and which relies on independent plugins to cover SCM providers.

Description / Features

This plugin collects SCM blame information and displays the date of the commit and the commiter ID to the left of each line of code:

Image Added

This plugin also enables the computation of:


This plugin is enabled by default for all projects. The SCM Activity plugin can be disabled on a project-by-project basis, or disabled globally at Settings > General Settings > SCM Activity and then enabled on a project-by-project basis.

For more detail on how to see SCM data in the code, please see the SCM Information tab section of the Component Viewer documentation for version 5.0.


All SCM providers currently require the native executable to be installed on the server where the SonarQube analysis will run. For example, for projects hosted on a Subversion repository and analysed on a Jenkins server, an svn executable must be available on the Jenkins server (and its slaves if any).



Subversion (1.6+ client)





















Team Foundation Server (all versions)

Requires SonarTfsAnnotate.exe to be
installed and available from the %PATH%. 










Jazz RTC(error)(question)(question)(star)(star)(star)
MKS Integrity(error)(question)(question)(question)(question)(question)
Visual SourceSafe


CM Synergy






(tick) - supported

(star) - tested by users

(question) - not tested

(error) - not implemented

Include Page
Include - Plugin Installation
Include - Plugin Installation


Configuring the SCM Activity Plugin: SVN, Git, Mercurial and Team Foundation Server (TFS)

Information is automatically retrieved from the .git, .svn, $tf, etc. folders. Therefore, nothing has to be configured and no configuration will be taken into account.

In order for this to work, the file needs to be located in a checked-out folder, but it does not have to be checked-in.
Alternatively, you can set the "sonar.projectBaseDir" property to a checked-in folder (requires sonar-runner 2.4 at least), and have the files located anywhere.

Configuring the SCM Activity Plugin: Others

At the project level, go to Configuration > Settings > SCM Activity

  1. Set the SCM URL your project (see SCM URL Format).

  2. Specify the User and Password properties if needed. If the SCM URL property contains the user information (as with CVS), then these fields should be left blank.
  3. Launch a new quality analysis and the metrics will be computed.

SCM URL Property Key is = sonar.scm.url


titleSecurity note for SonarQube 3.4.0 to 3.6.3 included

For the *.secured properties to be read during the project analysis, it is necessary to set the sonar.login and sonar.password properties to the credentials of a user that is:

  • System administrator
  • And project administrator on the project that is being analyzed
sonar-runner -Dsonar.login=admin -Dsonar.password=admin


Forcing the Retrieval of Blame Information



Note that a property should be added sooner or later to explicitly force this retrieval or not. See SONARPLUGINS-2359.



Subversion "Server certificate verification failed: issuer is not trusted"

Add the following to .subversion/servers:

Code Block
ssl-authority-files = /path/certificate.crt
ssl-trust-default-ca = yes

h4. CVS anonymous access not working 

CVS anonymous access not working "org.apache.maven.scm.ScmException:








Try setting an empty password for the repository in .cvspass. For example:

Code Block
/1 A

h2. Changelog

h4. Release 1.2

See [Sonar 2.7 Upgrade Notes|SONAR:Release 2.7 Upgrade Notes]

{jiraissues:anonymous=true|title=Release 1.2|height=250|width=800|url=|columns=type;key;summary;priority;status;resolution}

h4. Release 1.1

{jiraissues:anonymous=true|title=Release 1.1|height=250|width=800|url=|columns=type;key;summary;priority;status;resolution}

h4. Release 1.0

{jiraissues:anonymous=true|title=Release 1.0|height=250|width=800|url=|columns=type;key;summary;priority;status;resolution}

h4. Release 0.2

{jiraissues:anonymous=true|title=Release 0.2|height=250|width=800|url=|columns=type;key;summary;priority;status;resolution}

h4. Release 0.1

{jiraissues:anonymous=true|title=Release 0.1|height=250|width=800|url=|columns=type;key;summary;priority;status;resolution}

I use Git and the annotated sources sometimes display a wrong/old author name

The plugin uses the 'git blame' command to get the author of each line. Because a single user can commit with multiple author names/emails, it is advised to have a .mailmap file at the root of the repository. This file is used by 'git blame' to determine the canonical name/email of each user.


I use Git and the annotated sources sometimes display "Not Committed Yet"

If you have set the parameter autocrlf to "true" or "input", and the source file was previously committed with Windows line endings, then git blame will report each line as "Not Committed Yet" as an indication that the file will be normalized to Unix line endings in case you do a modification and a commit on the same file.

The simplest workaround is to always set autocrlf to "false" on the box doing the SonarQube analysis.

Specific configuration for Jazz RTC

The number of threads used to speed-up the retrieval of authors by line (aka blame information) has to be set to '1' (sonar.scm.threadCount property).

Additional configuration for Perforce

Since version 1.6, you have to set an additional property to define the Perforce client name while running your analysis:


Code Block