Sonar analysis was running properly so far; for the past few weeks the analysis shows vulnerabilities for older code which was committed years back. Attached image for your reference.
There are no issues in the existing commits, so why is the Sonar analysis checking the older code? If it is vulnerable, why hasn't the analysis reported this long before?
SonarQube backdates issues to the last time a line was touched. If surrounding code is changed in a way that leads to the issue being raised (think: reporting an unused variable because the code that used the variable was removed), it will be backdated.
Backdating also happens:
On the first analysis of a project or branch.
When the rule is new in the profile (a brand new rule activated or a rule that was deactivated and is now activated).
When SonarQube has just been upgraded (because rule implementations could be smarter now).
When the rule is external.
And your version is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:
As suggested, we have updated the SonarQube service to the 9.9.1 LTS version. We are facing a new issue after updating.
It's checking the security hotspots and shows an issue in our .docker file. It shouldn't analyze that; how do we exclude it from analysis? Attached image FYR.
Yes, I had a look at that. But in our case the docker file location differs, with the path in separate folders. PFB folder structure for the docker file
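One way to exclude Dockerfiles that live at different depths in the tree, as an added example that is not part of the thread above (the project key and the file names it matches are assumptions; adjust the patterns to the actual names in your repository):

```properties
# sonar-project.properties (added example, not from the thread)
sonar.projectKey=my-project   # assumed project key
sonar.sources=.

# sonar.exclusions takes comma-separated glob patterns relative to the
# project root. "**/" matches any number of directories, so one pattern
# covers services/api/Dockerfile, infra/build/Dockerfile.dev and
# tools/ci/base.dockerfile without listing each folder.
# Excluded files are skipped by every rule, security hotspots included.
sonar.exclusions=**/Dockerfile,**/Dockerfile.*,**/*.dockerfile
```

The same patterns can be set in the SonarQube UI under the project's Administration > General Settings > Analysis Scope (Source File Exclusions) instead of the properties file; in either case the exclusion takes effect on the next analysis, and the file's existing hotspots disappear from the project once it is no longer analyzed.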