Assistance with Pull Request Analysis setup

Hello! I am requesting assistance with an odd issue. I have a private organization with a few projects. The projects are all configured the same and have pull request analysis enabled via BB pipelines.

One project claims there is no pull request analysis set up in the Pull Request tab on SonarCloud, however, the pull request in Bitbucket has the sonarcloud widget loading and the logs of the analysis claim it was a successful run.

The only difference between this project and others is that we run the analysis only on the backend portion of the source code. I.e. We have a frontend that is in the same repository that we are not including in the analysis.

I have destroyed and re-created the project twice in SonarCloud (making sure to update the token that sonar cloud expects to find in the repository variables).

Any assistance would be greatly appreciated.

I have looked at some of the API calls that are made by the scanner to fetch open pull requests for a project and curiously, this project returns an empty array – there are open pull requests that have been analyzed.

  • ALM used: Bitbucket
  • CI system used: Bitbucket Cloud
  • Scanner command used when applicable:

```yaml
- step: &full_sast
    size: 2x
    name: Full SAST scan
    script:
      - pipe: sonarsource/sonarcloud-scan:3.0.0
        variables:
          EXTRA_ARGS:
            - '-Dsonar.organization=<PRIVATE_ORGANIZATION>'
            - '-Dsonar.projectKey=<PRIVATE_PROJECT_KEY>'
            - '-Dsonar.exclusions=folder1,folder2'
            - '-Dsonar.sources=folderToScan'
            - '-Dsonar.tests=cypress'
            - '-Dsonar.host.url=https://sonarcloud.io'
            - '-Dsonar.verbose=true'
          SONAR_SCANNER_OPTS: '-Xmx3500m'
```
  • Languages of the repository: JS + (HTML/CSS), and PHP

Analysis is only done on the PHP code.

  • Error observed (wrap logs/code around with triple quotes ``` for proper formatting): No apparent errors, the analysis was successful.
  • Steps to reproduce: create a PR
  • Potential workaround: I can view the branch the PR is a part of to view the results.


I would be happy to provide further information in a private thread.

Thank you!

Andrew

Hey Andrew.

Is your pipeline configured to run &full_sast on pull requests (docs)? I would be interested to see your entire bitbucket-pipelines.yml.

Hello Colin! I do have the &full_sast set up to run on pull requests.

```yaml
default:
  - parallel:
      - step: *full_sast
      - step: *cypress_e2e_tests
      - step: *cypress_e2e_tests
      - step:
          name: Check format
          image: node:16.13.1
          caches:
            - npm
          script:
            - npm ci
            - npm run prettier:php
            - npm run prettier:js
            - npm run prettier:css
```

Hey there.

I don’t think this snippet shows that it’s running on pull requests. I expect to see something like this:

```yaml
pipelines:
  ...
  pull-requests:
```

I updated our bitbucket-pipelines.yml to use pull-request: instead of default and it works!

Interestingly, it still runs the scanner in the pipeline and shows the widget when it is set to default.

Thanks for your help Colin! Glad it was an easy fix. :slight_smile:


I don’t know a lot about using default in Bitbucket Pipelines.

I have a feeling that with default an analysis gets triggered, but the pipeline lacks the BITBUCKET_PR_ID and BITBUCKET_PR_DESTINATION_BRANCH environment variables we use to identify a PR analysis and configure the right parameters for PR analysis.

This makes sense, and in reality a pull-request: build of your branch is probably different from a regular build of the branch. The former should actually attempt to merge it and analyze the merged result, while the latter might be out of date by the time you open the PR.
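As an added example (not from this thread or from the SonarCloud pipe itself): a preflight function a pipeline step could run before the scanner pipe, which fails fast when the PR variables Colin mentions are absent and otherwise derives the scanner's pull-request parameters from them. The function name and the use of BITBUCKET_BRANCH for the source branch are assumptions.

```shell
#!/bin/sh
# Added example, not the pipe's own code. Bitbucket sets BITBUCKET_PR_ID and
# BITBUCKET_PR_DESTINATION_BRANCH only for steps triggered from the
# `pull-requests:` section of bitbucket-pipelines.yml. A step under `default:`
# still runs the scanner, but without these variables SonarCloud records a
# branch analysis instead of a PR analysis, which is the symptom in this thread.
#
# Arguments (pass the env values, so the function is testable without a CI):
#   $1  BITBUCKET_PR_ID
#   $2  BITBUCKET_PR_DESTINATION_BRANCH
#   $3  BITBUCKET_BRANCH (source branch of the PR; assumed mapping)
# Prints the sonar.pullrequest.* scanner properties and returns 0 for a PR
# build; prints a diagnostic to stderr and returns 1 otherwise.
sonar_pr_args() {
  pr_id="$1"
  pr_dest="$2"
  branch="$3"
  if [ -z "$pr_id" ] || [ -z "$pr_dest" ]; then
    echo "not a pull-request build: BITBUCKET_PR_ID / BITBUCKET_PR_DESTINATION_BRANCH unset" >&2
    echo "check that the &full_sast step is listed under 'pull-requests:', not only 'default:'" >&2
    return 1
  fi
  printf -- '-Dsonar.pullrequest.key=%s -Dsonar.pullrequest.branch=%s -Dsonar.pullrequest.base=%s\n' \
    "$pr_id" "$branch" "$pr_dest"
}

# Usage inside the step's `script:` before the sonarcloud-scan pipe:
# sonar_pr_args "$BITBUCKET_PR_ID" "$BITBUCKET_PR_DESTINATION_BRANCH" "$BITBUCKET_BRANCH" || exit 1
```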
