Dear Community,
I have analyzed a Java project for the first time and it passed in spite of the fact that Bugs and Vulnerabilities are both rated E. How come it passed?
The analysis was done on a code snapshot directly (no Git, no Jenkins, No Maven/Gradle/…)
Thanks,
Michael
Hi @AgilEra,
At the start it might create confusion for you but let me explain the things in easy way. While running sonar-scanner, sonar-analyzer(compute engine) do the analysis based on configuration provided in properties file. Analyzer will only fail if it finds problem with infra like issue related with plugins, DB etc and other dependency stuff. Now coming to your question that there is lot of issues(E rating) so now after analysation has been done, there is a concept of quality gate in sonarqube through which you can set the criteria which will help to fail or pass the quality gate of your project like in your case you can define if E rating then fail. So while using CI tools like jenkins you can use the plugin that if quality gates failed then jenkins job will be failed even if the analysis is successful.
Oops i wrote a long story but I hope it helps.
Hi @vicky.
I am using the default quality gate which indicates a failure criteria if those two ratings are below A. That means that the analysis should have failed but it didn’t.
Michael
Hi @AgilEra,
For better understanding of quality gates you can refer this oficial documentation https://docs.sonarqube.org/display/SONAR/Quality+Gates and for analysis you can refer this documentation https://docs.sonarqube.org/display/SONAR/Analyzing+Source+Code.
It will give you clear picture of quality gates and sonar-scanner analysis.
I hope this helps!
Thanks @vicky. Rest assured that I have read and re-read that documentation before opening this thread :-).
There is nothing about why a first-time analysis passes unconditionally. Actually this is consistent - several other projects I have just analyzed exhibit the same behavior.
Hi @AgilEra,
As you have gone through all the documentation then it will be easy to explain. First of all, sonar analyzer traverse across the codes and finds all the issues and other stuffs and then dumps the report to DB (not to the terminal where you are running sonar-scanner )which you access through sonarqube server that’s why after running sonar-scanner you get execution success in terminal but your quality gate fails with lot of bugs and other stuffs.
You can also run sonar-scanner -X and can go through the verbose output on terminal and collect info on what are the things sonar analyzer does while analysis. Also report after analysis is dumped to your local where sonar-scanner is running, go to .scannerwork->scanner-report . You will get the complete report regarding the analysis.
I hope it helps!
Hi @vicky,
I understand all this and I am not asking about the mechanism, the architecture or the flow. My question is very specific: why does the server mark the project as Passed after the first analysis while I expect it to mark it as Failed (based on the current quality gate?
Michael
@AgilEra sorry, i might have misunderstood your question but if you can elaborate the things that would be great.
I found the root cause: the Default quality gate has the passing conditions defined on new code only, rather than on the overall code base.
Thanks for the heads-up ! And just so you know, this default Quality Gate is at the heart of the methodology that SonarQube advocates to gradually improve the quality of a codebase. It’s called Fix the Leak: https://docs.sonarqube.org/display/SONAR/Fixing+the+Water+Leak .