Automatic analyze all submodules of the current project

Hi there!

I have set up SonarQube working with GitLab. I see that the submodules (each being a separate GitLab project) are not being scanned. I understand that I can set up each of the submodules in the same way as the main GitLab project to get them all scanned. However, I would want to avoid this due to a large number of submodules.

Is there a way to get SonarQube to automatically scan all the submodules?

sonarqube- Developer Edition


Does this mean each module is a separate SCM repository? Has a separate build in GitLab? Something else?

If they’re separate checkouts, then it’s probably going to be easiest to analyze them separately and then stitch them back together with an Application.

(For those reading this thread later, Applications are available in Developer Edition($).)


Yes, each module is a separate SCM repository. Submodule information is stored in the file .gitmodules. In the main GitLab project’s yaml script, we use GIT_SUBMODULE_STRATEGY: recursive to ensure all submodules are checked out.

We are using .NET solution and Visual Studio. The solution file contains many VS projects, some of the VS projects are git submodules.

    - "C:\\sonar-scanner-msbuild-\\SonarScanner.MSBuild.exe begin /k:\"$SONAR_PROJECT_KEY\" /d:sonar.login=\"$SONAR_TOKEN\" /d:\"$SONAR_HOST_URL\""
    - '& "$env:MSBUILD_PATH" Solution_File.sln /t:Rebuild /restore /property:Configuration=Release /property:Platform="Any CPU"'
    - "C:\\sonar-scanner-msbuild-\\SonarScanner.MSBuild.exe end /d:sonar.login=\"$SONAR_TOKEN\""

My thought is, since the above MSBUILD command takes the solution file and builds the entire solution code, including the code files found in git submodules, in theory, it should be possible for SonarQube to also see these code files in git submodules. Is it possible to let SonarQube scan these code files without having to set up each of the submodules as a separate SonarQube project?


I guess you fire the build command from the root directory? If so, analysis ought to work, although I’m not sure how the SCM data collection will go. Have you tried it?


Yes the build command is fired from the root directory. From what I see under the specific project → Code tab, the folders corresponding to the submodules are not there. Are there some settings needed for this to work?


Can you share your analysis logs?


The log generated by the GitLab “.gitlab-ci.yml” script building process can be viewed at the very long link below.

I think the relevant part of the log is between “MSBuild.exe begin” and “MSBuild.exe end”. DJAYa0CKYQJEtk5P5wf%2F678bsUOGuothOKfh0BwUm0rKSCr0LhLiwHSykDrM J%2BMhruZUgxF1DE83ssw9RffLwkVz2kjTUY1BzdH5whUmNmS6yKUXXeLyHeeI %2B3pCj2%2BIZNgpKqhU4qgHDUEEpzb6tVBbFlAAzls8b%2FieXCu%2BlW9jkyUFeUyF 1f7a8yYYWQwZjdEFYlcwt6AuPFrmuxId9WaI1CakOAzGqDEBLBr2sH6Ft2sc CgBwyEUZbDhQuQo14%2F%2BFG06Ixt5r7d4IOIxJiJe%2Biw%3D%3D&Expires=1645637324


I get an expired token error from that URL. Can you copy/paste?


Sorry for that. here is the text file for that.
analysis_log.txt (2.2 MB)

@Quan_Yu the files in the submodules are being analysed during the build step, but are then being ignored when uploading to SonarQube (if you have a look in the log for the end step you’ll see INFO: 185 files ignored because of scm ignore settings).

You can change this behaviour with the sonar.scm.exclusions.disabled setting. See the docs for more information.

yep i added this /d:\"sonar.scm.exclusions.disabled=true\" into the yaml script and got the submodule analysis result in the web UI. Thanks a ton!

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.