I have analyzed a Java project for the first time and it passed in spite of the fact that Bugs and Vulnerabilities are both rated E. How come it passed?
The analysis was done on a code snapshot directly (no Git, no Jenkins, no Maven/Gradle/…).
At the start it might create confusion for you, but let me explain things in an easy way. While running sonar-scanner, the sonar-analyzer (compute engine) does the analysis based on the configuration provided in the properties file. The analyzer will only fail if it finds a problem with the infra, like issues related to plugins, the DB, etc., and other dependency stuff. Now coming to your question that there are a lot of issues (E rating): after the analysis has been done, there is a concept of a quality gate in SonarQube through which you can set the criteria that will fail or pass the quality gate of your project; in your case you can define that an E rating fails it. So while using CI tools like Jenkins you can use the plugin so that if the quality gate fails then the Jenkins job will be failed even if the analysis is successful.
I am using the default quality gate, which indicates a failure criterion if those two ratings are below A. That means that the analysis should have failed, but it didn’t.
Thanks @vicky. Rest assured that I have read and re-read that documentation before opening this thread :-).
There is nothing about why a first-time analysis passes unconditionally. Actually this is consistent - several other projects I have just analyzed exhibit the same behavior.
As you have gone through all the documentation, it will be easy to explain. First of all, the sonar analyzer traverses the code and finds all the issues and other stuff, and then dumps the report to the DB (not to the terminal where you are running sonar-scanner), which you access through the SonarQube server. That’s why after running sonar-scanner you get execution success in the terminal, but your quality gate fails with a lot of bugs and other stuff.
You can also run sonar-scanner -X and go through the verbose output in the terminal to collect info on what the sonar analyzer does during analysis. Also, the report after analysis is dumped locally where sonar-scanner is running; go to .scannerwork -> scanner-report. You will get the complete report regarding the analysis.
Hi @vicky,
I understand all this and I am not asking about the mechanism, the architecture or the flow. My question is very specific: why does the server mark the project as Passed after the first analysis while I expect it to mark it as Failed (based on the current quality gate)?
Thanks for the heads-up! And just so you know, this default Quality Gate is at the heart of the methodology that SonarQube advocates to gradually improve the quality of a codebase. It’s called Fix the Leak: https://docs.sonarqube.org/display/SONAR/Fixing+the+Water+Leak
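As an added example, not code from the thread or from SonarQube itself: a check a CI job could run after the scanner so the job fails on the gate outcome rather than on scanner success. It assumes the JSON shape returned by the SonarQube web API endpoint api/qualitygates/project_status; the sample payload is constructed. The default Quality Gate's conditions apply to new code, which a first-ever analysis has no new-code period for, so those conditions are not evaluated and the gate reports OK.

```python
import json
import sys
import urllib.request
from base64 import b64encode
from urllib.parse import urlencode


def evaluate_gate(payload):
    """Return (passed, failing) from a project_status response.

    `failing` lists each condition whose status is ERROR. A condition with
    status NO_VALUE (a new-code condition before any new-code period exists,
    the situation of a first-ever analysis) is not counted as a failure.
    """
    status = payload["projectStatus"]
    failing = []
    for cond in status.get("conditions", []):
        if cond.get("status") != "ERROR":
            continue
        failing.append("%s: actual %s %s threshold %s" % (
            cond["metricKey"], cond.get("actualValue", "?"),
            cond.get("comparator", "?"), cond.get("errorThreshold", "?")))
    return status.get("status") == "OK", failing


def fetch_project_status(server_url, project_key, token):
    """Query api/qualitygates/project_status with a SonarQube user token."""
    url = "%s/api/qualitygates/project_status?%s" % (
        server_url.rstrip("/"), urlencode({"projectKey": project_key}))
    req = urllib.request.Request(url)
    # A user token is sent as the basic-auth username with an empty password.
    req.add_header("Authorization",
                   "Basic " + b64encode((token + ":").encode()).decode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample: a later analysis whose new-code reliability rating
# (1 = A) exceeds the threshold, so the gate is ERROR while coverage is fine.
SAMPLE_ERROR = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "ERROR", "metricKey": "new_reliability_rating",
     "comparator": "GT", "errorThreshold": "1", "actualValue": "5"},
    {"status": "OK", "metricKey": "new_coverage",
     "comparator": "LT", "errorThreshold": "80", "actualValue": "91.2"}]}}

if __name__ == "__main__":
    # Usage: python gate_check.py SERVER_URL PROJECT_KEY TOKEN
    passed, failing = evaluate_gate(fetch_project_status(*sys.argv[1:4]))
    for line in failing:
        print("quality gate condition failed:", line)
    sys.exit(0 if passed else 1)
```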