0 lines of code scanned, first scan

We have set up our self-hosted GitLab CI projects with SonarCloud scanning. We initially set our “New Code” to be based on the previous version. The pipeline shows everything was scanned. This is a very old project with commits years old, yet SonarCloud shows 0 lines of code scanned and no issues. Despite this, the pipeline logs definitely show that almost everything was scanned.

We then changed the “New Code” setting to be based on number of x days. This still yields the same result of 0 lines of code scanned and no issues. When looking at the “Code” tab, we can clearly see all the files have been scanned but everything is listed as 0.

There are definitely issues and vulnerabilities in this code, so what do we need to do to display results for an initial scan?

Hi @sclse,
0 lines of code often means there is a misconfiguration. It’s hard to help you with so little information. Which language? How is the analysis configured? Scanner log…

The language is PHP, I have attached the scan logs here from the pipeline:

sonarcloud-scanlog.txt (457.5 KB)

Our pipeline in GitLab is configured as follows and runs successfully:


stages:
  - Security
  
variables:
  HTTP_PROXY: "http://xxx.xxx.xxx.xxx:3128"
  HTTPS_PROXY: "http://xxx.xxx.xxx.xxx:3128"
  NO_PROXY: "docker, localhost, 127.0.0.1"
  SONAR_HOST_URL: "https://sonarcloud.io"
  SONAR_TOKEN: "XXXXXXXXX"
  SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
  SONAR_SCANNER_OPTS: '-Dhttp.proxyHost=xxx.xxx.xxx.xxx -Dhttp.proxyPort=3128 -Dhttps.proxyHost=xxx.xxx.xxx.xxx -Dhttps.proxyPort=3128 -Dsonar.verbose=true'
  GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task

sonarcloud-scan:
  stage: Security
  tags:
    - docker-runner
  image:
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [""]
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    - sonar-scanner

Our sonar-project.properties file in the project root is configured as follows:

sonar.projectKey=XXXXXXXXX
sonar.organization=XXXXX
sonar.sourceEncoding=UTF-8
sonar.language=php
sonar.host.url=https://sonarcloud.io
sonar.projectVersion=1.0

Any pointers you could give here would be greatly appreciated. Thanks!

Hey there.

It looks like the logs you shared are from the analysis of a short-lived branch where 0 files were detected as having changed.

12:27:09.260 INFO: Branch name: feature/sc-5048-sonarcloud-XXXX, type: short-lived
...
12:28:00.399 DEBUG: SCM reported changed lines for 0 files in the branch

If no code was changed in this branch (other than enabling SonarCloud analysis), the results are expected. I would suggest running the analysis on the main branch of your project, or on a branch with more changes.
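
The check made in the reply above, as an added example that is not part of the original thread: a shell function that reads a sonar-scanner log on stdin and reports whether a "0 lines of code" result is explained by a short-lived branch with no changed files. It matches only the two log-line formats quoted in the thread; the function name, the verdict strings and the second sample log are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): explain a "0 lines of code" result
# from a sonar-scanner log read on stdin. Only the two log-line formats
# quoted in the thread are matched; verdict wording is made up here.
diagnose_scan_log() {
    awk '
        { sub(/\r$/, "") }                       # tolerate CRLF job logs
        /Branch name: .*, type: / {              # INFO: Branch name: <name>, type: <type>
            name = $0; sub(/.*Branch name: /, "", name); sub(/, type: .*/, "", name)
            type = $0; sub(/.*, type: /, "", type)
        }
        /SCM reported changed lines for [0-9]+ files/ {   # DEBUG line, verbose logs only
            n = $0; sub(/.*changed lines for /, "", n); sub(/ files.*/, "", n)
            changed = n + 0; seen = 1
        }
        END {
            if (type == "")
                print "unknown: no branch line in log"
            else if (type != "short-lived")
                print "other: " name " is " type "; the empty-diff explanation does not apply"
            else if (!seen)
                print "unknown: no SCM changed-lines entry; rerun with -Dsonar.verbose=true"
            else if (changed == 0)
                print "empty-diff: " name " is short-lived with 0 changed files, so 0 lines is expected"
            else
                print "ok: " name " (" type ") reported changed lines for " changed " files"
        }'
}

# The two lines quoted in the thread (branch name as redacted there).
thread_log='12:27:09.260 INFO: Branch name: feature/sc-5048-sonarcloud-XXXX, type: short-lived
12:28:00.399 DEBUG: SCM reported changed lines for 0 files in the branch'

# Constructed sample: same formats, hypothetical branch that has changes.
changed_log='09:00:00.000 INFO: Branch name: feature/example, type: short-lived
09:00:05.000 DEBUG: SCM reported changed lines for 3 files in the branch'

printf '%s\n' "$thread_log"  | diagnose_scan_log
printf '%s\n' "$changed_log" | diagnose_scan_log
```

A CI job can pipe its saved scanner log through the function and surface the verdict, so a clean dashboard on a branch with an empty diff is not mistaken for a clean code base.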