I have set up SonarQube working with GitLab. I see that the submodules (each being a separate GitLab project) are not being scanned. I understand that I can set up each of the submodules in the same way as the main GitLab project to get them all scanned. However, I would want to avoid this due to a large number of submodules.
Is there a way to get SonarQube to automatically scan all the submodules?
Does this mean each module is a separate SCM repository? Has a separate build in GitLab? Something else?
If they’re separate checkouts, then it’s probably going to be easiest to analyze them separately and then stitch them back together with an Application.
(For those reading this thread later, Applications are available in Developer Edition($).)
Yes, each module is a separate SCM repository. Submodule information is stored in the file .gitmodules. In the main GitLab project’s yaml script, we use GIT_SUBMODULE_STRATEGY: recursive to ensure all submodules are checked out.
We are using .NET solution and Visual Studio. The solution file contains many VS projects, some of the VS projects are git submodules.
- "C:\\sonar-scanner-msbuild-5.4.0.40033-net46\\SonarScanner.MSBuild.exe begin /k:\"$SONAR_PROJECT_KEY\" /d:sonar.login=\"$SONAR_TOKEN\" /d:\"sonar.host.url=$SONAR_HOST_URL\""
- '& "$env:MSBUILD_PATH" Solution_File.sln /t:Rebuild /restore /property:Configuration=Release /property:Platform="Any CPU"'
- "C:\\sonar-scanner-msbuild-5.4.0.40033-net46\\SonarScanner.MSBuild.exe end /d:sonar.login=\"$SONAR_TOKEN\""
My thought is, since the above MSBUILD command takes the solution file and builds the entire solution code, including the code files found in git submodules, in theory, it should be possible for SonarQube to also see these code files in git submodules. Is it possible to let SonarQube scan these code files without having to set up each of the submodules as a separate SonarQube project?
I guess you fire the build command from the root directory? If so, analysis ought to work, although I’m not sure how the SCM data collection will go. Have you tried it?
Yes the build command is fired from the root directory. From what I see under the specific project → Code tab, the folders corresponding to the submodules are not there. Are there some settings needed for this to work?
@Quan_Yu the files in the submodules are being analysed during the build step, but are then being ignored when uploading to SonarQube (if you have a look in the log for the end step you’ll see INFO: 185 files ignored because of scm ignore settings).
You can change this behaviour with the sonar.scm.exclusions.disabled setting. See the docs for more information.
