Analysis issue with Sonar (checking older code)

Details about sonar server we are using,

  • Developer Edition, Version 9.2.4 (build 50792)
  • SonarQube is deployed in an Azure VM (IIS server)

Issue we are facing:

Sonar analysis was running properly so far; for the past few weeks the analysis has shown vulnerabilities for older code which was committed years back. Attached image for your reference.

There are no issues in the existing commits, so why is the Sonar analysis checking the older code? If it is vulnerable, why hasn’t the analysis reported this long before?

Kindly acknowledge and help out on the same.

Hey there.

SonarQube backdates issues to the last time a line was touched. If surrounding code is changed that leads to the issue being raised (think: reporting an unused variable because the code that used the variable was removed), it will be backdated.

Backdating also happens:

  • On the first analysis of a project or branch.
  • When the rule is new in the profile (a brand new rule activated or a rule that was deactivated and is now activated).
  • When SonarQube has just been upgraded (because rule implementations could be smarter now).
  • When the rule is external.

And, your version is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:

9.2.4 → 9.9 → 10.1 (last step optional)

You may find these resources helpful:

If you have questions about upgrading, feel free to open a new thread for that here.

Hi Colin,

As suggested, we have updated the SonarQube service with 9.9.1 LTS version. We are facing a new issue after updating.

It’s checking the security hotspots and shows an issue in our .docker file. It shouldn’t analyze that; how do we exclude it from analysis? Attached image FYR.

Kindly assist on the same

This is a feature of SonarQube v9.9 LTS, to analyze Dockerfiles.

And, you can always narrow the scope to exclude these files.

Yes, I had a look at that. But in our case the Dockerfile location differs, with the path in separate folders. PFB folder structure for the Dockerfile:

src/Module_name/MS_module_name/module_name.API/Dockerfile

We need help on how to set the exclusion parameter for the above folder structure.

Thanks

If you don’t want to analyze any Dockerfiles, you can just ignore **/Dockerfile
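The pattern above works because SonarQube exclusion globs treat `**` as "any number of directories", so the file's depth does not matter. The following is an added example (not SonarQube's or the thread participants' code) that models the assumed pattern semantics (`**` = zero or more path segments, `*` = any characters within one segment, `?` = one character) and checks which project paths a `sonar.exclusions` value would drop, so you can verify a pattern against your own tree before committing it. The sample paths are constructed for the illustration; the nested one is the structure posted in the thread.

```python
import re

# Translate a SonarQube-style exclusion pattern into a regular expression.
# Assumed semantics (illustration only, not SonarQube's own matcher):
#   **/  matches zero or more leading directory segments
#   **   elsewhere matches any characters, separators included
#   *    matches zero or more characters within one path segment
#   ?    matches exactly one character within one path segment
# Paths are matched relative to the project base directory, using "/".
def glob_to_regex(pattern: str) -> re.Pattern:
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")   # any depth of directories, or none at all
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def is_excluded(path: str, patterns) -> bool:
    """True if the project-relative, '/'-separated path matches any pattern."""
    return any(glob_to_regex(p).match(path) for p in patterns)


def partition(paths, patterns):
    """Split paths into (analyzed, excluded), the way sonar.exclusions would."""
    excluded = [p for p in paths if is_excluded(p, patterns)]
    analyzed = [p for p in paths if p not in excluded]
    return analyzed, excluded


# Constructed sample tree; the nested Dockerfile path is the one from the thread.
SAMPLE_PATHS = [
    "src/Module_name/MS_module_name/module_name.API/Dockerfile",
    "Dockerfile",
    "src/Module_name/MS_module_name/module_name.API/Program.cs",
    "src/Dockerfile.bak",
]

# Equivalent to this line in sonar-project.properties (constructed example):
#   sonar.exclusions=**/Dockerfile
BROAD = ["**/Dockerfile"]

# A narrower pattern that only skips Dockerfiles under the *.API module layout,
# leaving any root-level Dockerfile in scope.
NARROW = ["src/*/*/*.API/Dockerfile"]

if __name__ == "__main__":
    for label, pats in (("broad", BROAD), ("narrow", NARROW)):
        analyzed, excluded = partition(SAMPLE_PATHS, pats)
        print(f"{label}: excluded={excluded}")
        print(f"{label}: analyzed={analyzed}")
```

Note that `sonar.exclusions` removes the files from analysis entirely; if you only want to silence specific rules on them, `sonar.issue.ignore.multicriteria` is the narrower control and the same glob syntax applies to its `resourceKey`.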

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.