After upgrading Azure Pipeline task from v1 to v3, PR scan is analyzing untouched files

Template for a good new topic, formatted with Markdown:

  • ALM used (Azure DevOps)
  • CI system used (Azure DevOps)
  • Scanner command used when applicable (MSBuild)
  • Languages of the repository - C#

I updated the Sonar tasks from v1 to v3 in the special pipeline that is only triggered from pull requests.

The project is legacy and sonar scanning was added some time ago. The above changes are the only ones in the PR and still I get a lot of sonar warnings from files I haven’t changed. Since we have a policy that all sonar warnings need to be closed I cannot complete this PR without a massive effort to fix code I haven’t touched.

I tried setting the settings below, but I think those are autodetected anyway.

```yaml
extraProperties: |
  sonar.pullrequest.key=$(System.PullRequest.PullRequestId)
  sonar.pullrequest.branch=$(System.PullRequest.SourceBranch)
  sonar.pullrequest.base=$(System.PullRequest.TargetBranch)
```

How can I instruct sonar to only analyze code or files I’m changing?

Hi,

I think your upgrade picked up this change in the underlying scanner, which adds analysis of files that weren’t previously analyzed. Thus this PR analysis is seeing those files for the first time.

It’s nonetheless odd that they’re analyzed, since PR analysis should be working off of what the SCM metadata indicates is changed in the PR.

Can you try setting sonar.scanner.scanAll to false to see if that fixes it?

Ann

Thanks for the suggestion, but I'm still experiencing the same problem. The PR only contains the YAML file and still I get all kinds of warnings from C# files.

In the SonarCloudPrepare@3 task I have this:

```
sonar.inclusions = **/*.cs
```

I tried to change it to:

```
sonar.exclusions=**/*.cshtml
# sonar.inclusions = **/*.cs
sonar.scanner.scanAll = false
```

But now I get errors like below. I saw these earlier also:

Hi,

I think that’s actually progress: it indicates that analysis omitted files that were analyzed previously.

This may be about the SCM metadata that’s available to analysis. Can you share your analysis log?

The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.

This guide will help you find them.

Thx,
Ann
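The properties discussed in this thread (the PR keys, `sonar.scanner.scanAll`, and the inclusion/exclusion globs with their asterisks intact), collected into one SonarCloudPrepare@3 step. This is an added example, not configuration from the thread or from SonarSource; the service connection, organization and project values are placeholders, and the `scannerMode` value `dotnet` is assumed from the v3 task (v1 used `MSBuild`).

```yaml
# Added example: a SonarCloudPrepare@3 step for a PR-only pipeline in an
# Azure DevOps / C# repository. Connection, organization and project
# values are placeholders; scannerMode 'dotnet' is assumed for v3.
- task: SonarCloudPrepare@3
  displayName: Prepare SonarCloud analysis (pull request)
  inputs:
    SonarCloud: 'sonarcloud-service-connection'   # placeholder
    organization: 'my-org'                        # placeholder
    scannerMode: 'dotnet'                         # assumed v3 value
    projectKey: 'my-org_my-project'               # placeholder
    projectName: 'my-project'                     # placeholder
    extraProperties: |
      # PR keys: the task normally detects these from the build variables;
      # setting them explicitly only overrides that detection.
      sonar.pullrequest.key=$(System.PullRequest.PullRequestId)
      sonar.pullrequest.branch=$(System.PullRequest.SourceBranch)
      sonar.pullrequest.base=$(System.PullRequest.TargetBranch)
      # Do not add files outside the compiled projects to the analysis
      # (the scanner behaviour that changed under the v3 task).
      sonar.scanner.scanAll=false
      # Globs need every '*': a markdown-rendered '**/.cshtml' is really
      # '**/*.cshtml', and '**/' + '.cs' on the next line is '**/*.cs'.
      sonar.inclusions=**/*.cs
      sonar.exclusions=**/*.cshtml
```

Whether the scanner then reports only on files changed in the PR still depends on the SCM metadata available to the analysis, which is what the analysis log requested above would show.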