We are starting to integrate SonarCloud PR annotations, but it’s not behaving as I would expect.
Initially I thought it was the sonar.pullrequest.source configuration that was wrong (this will default to master, but we PR to team branches a lot that have changes in that aren’t yet in master).
However, on checking the background task history, this is correctly being set.
ALM: Azure DevOps
CI: Azure Devops (MS Hosted agents)
Languages: C# (mainly)
What works:
- PR to master will correctly annotate only the files that have changed as part of the PR. i.e change 2 files, and you’ll get annotations on those files (assuming you write as smelly code as I do
.
What is not working as expected - PR’ing into non-master branch annotates every file that has changed in the target branch when compared to master:
- Create a branch eg. feature/ts/test-base-branch off of master
- Create a “feature” branch e.g. feature/ts/test-base-branch-feature
- Make a change to Endpoint.cs on feature/ts/test-base-branch, push changes
- Make a change to QueueTrigger.cs on the feature branch, push changes
- Create a PR for feature/ts/test-base-branch-feature into feature/ts/test-base-branch
- Build pipeline is automatically run, with following configuration:
- task: SonarCloudPrepare@1
displayName: "Prepare SonarCloud"
inputs:
SonarCloud: '$(tfsSonarCloudServiceConnectionName)'
organization: '$(sonarCloudOrganisation)'
scannerMode: 'MSBuild'
projectKey: '$(projectName)'
projectName: '$(projectName)'
projectVersion: '$(Build.BuildNumber)'
extraProperties: |
sonar.exclusions=$(sonarCloudExclusions)
sonar.cs.opencover.reportsPaths=$(Agent.TempDirectory)/**/coverage.opencover.xml
sonar.cs.vstest.reportsPaths=$(Agent.TempDirectory)/*.trx
sonar.pullrequest.base=$(System.PullRequest.TargetBranch)
sonar.pullrequest.key=$(System.PullRequest.PullRequestId)
sonar.pullrequest.branch=$(Build.SourceBranch)
condition: and(succeeded(), eq('${{ parameters.runDefaultSonarSteps }}', true) , or(eq(variables['Build.Reason'], 'PullRequest'), eq(variables['Build.SourceBranch'], 'refs/heads/master'), startsWith(variables['Build.SourceBranch'], 'refs/heads/teams/')))
… followed eventually by
- task: SonarCloudAnalyze@1
Despite the change being small on the feature branch - one file, one line on QueueTrigger.cs…
It prompts us for warnings on files that are not being commited or touched by this PR, that are changes already in the target branch (feature/ts/test-base-branch)
It looks like it is still comparing against master, as opposed to the target branch
The SonarCloud output suggests 10 new lines for this PR - which is wrong, it should just be the 3 lines in the QueueTrigger.cs, as the Endpoint.cs is a pre-existing change in the target PR branch
Even though the output suggests sonar.pullreqest.base is set correctly?
SonarCloud plugins:
- IaC Code Quality and Security 1.7.0.2012 (iac)
- PL/SQL Code Quality and Security 3.7.0.4372 (plsql)
- Scala Code Quality and Security 1.9.0.3429 (sonarscala)
- C# Code Quality and Security 8.38.0.46746 (csharp)
- Vulnerability Analysis 9.4.1.15913 (security)
- Java Code Quality and Security 7.11.0.29148 (java)
- HTML Code Quality and Security 3.6.0.3106 (web)
- Flex Code Quality and Security 2.7.0.2865 (flex)
- XML Code Quality and Security 2.5.0.3376 (xml)
- Text file Code Quality and Security 1.0.0.120 (text)
- VB.NET Code Quality and Security 8.38.0.46746 (vbnet)
- Swift Code Quality and Security 4.6.0.5406 (swift)
- CFamily Code Quality and Security 6.33.0.46593 (cpp)
- Python Code Quality and Security 3.13.0.9611 (python)
- Dataflow Bug Detection 1.2.0.1485 (dbd)
- Go Code Quality and Security 1.9.0.3429 (go)
- JaCoCo 1.1.1.1157 (jacoco)
- Kotlin Code Quality and Security 2.9.0.1147 (kotlin)
- Mercurial 1.1.2 (scmmercurial)
- Dataflow Bug Detection Rules for Java 1.2.0.1485 (dbdjavafrontend)
- T-SQL Code Quality and Security 1.6.0.4844 (tsql)
- Apex Code Quality and Security 1.9.0.3429 (sonarapex)
- JavaScript/TypeScript/CSS Code Quality and Security 9.2.0.17876 (javascript)
- Ruby Code Quality and Security 1.9.0.3429 (ruby)
- Vulnerability Rules for C# 9.4.1.15913 (securitycsharpfrontend)
- Vulnerability Rules for Java 9.4.1.15913 (securityjavafrontend)
- License for SonarLint 8.0.0.28971 (license)
- Vulnerability Rules for JS 9.4.1.15913 (securityjsfrontend)
- COBOL Code Quality 5.0.0.5433 (cobol)
- Vulnerability Rules for Python 9.4.1.15913 (securitypythonfrontend)
- PHP Code Quality and Security 3.23.1.8766 (php)
- ABAP Code Quality and Security 3.10.0.3628 (abap)
- Configuration detection fot Code Quality and Security 1.2.0.267 (config)
- Vulnerability Rules for PHP 9.4.1.15913 (securityphpfrontend)
Global server settings:
- email.from=noreply@sonarcloud.io
- email.fromName=SonarCloud
- email.prefix=[SonarCloud]
- node_10_end_of_support_date=1620604800000
- node_10_grace_period_termination_date=1621814400000
- search_users_require_auth_start_date=1651622399000
- search_users_require_auth_termination_date=1651708799000
- sonar.auth.bitbucket.enabled=true
- sonar.auth.microsoft.enabled=true
- sonar.core.id=1BD809FA-AWHW8ct9-T_TB3XqouNu
- sonar.core.serverBaseURL=https://sonarcloud.io
- sonar.core.startTime=2022-05-11T11:26:48+0200
- sonar.dbcleaner.weeksBeforeDeletingAllSnapshots=260
- sonar.dbcleaner.weeksBeforeKeepingOnlyOneSnapshotByMonth=4
- sonar.dbcleaner.weeksBeforeKeepingOnlyOneSnapshotByWeek=1
- sonar.global.exclusions=**/build-wrapper-dump.json
- sonar.lf.enableGravatar=true
- sonar.lf.logoWidthPx=105
- sonar.maintenance_mode.link=https://sonarcloud.statuspage.io/incidents/66vlr4dc3jwy
- sonar.maintenance_mode.message=Results of analyses performed prior to 6:15am CET may not be available yet and will be progressively provided throughout coming hours. Results of analysis performed after 8:00am CET are available.
- sonar.maintenance_mode.start_date=2022-03-26T23:00:00.000+01:00
- sonar.organizations.anyoneCanCreate=true
- sonar.organizations.createPersonalOrg=true
- sonar.plsql.file.suffixes=sql,tab,pkb
- sonar.tsql.file.suffixes=.tsql
Project server settings:
- sonar.branch.longLivedBranches.regex=(branch|teams)-.*
- sonar.pullrequest.provider=Azure DevOps Services
- sonar.pullrequest.vsts.token.secured=******
Project scanner properties:
- sonar.cs.opencover.reportsPaths=D:\a\_temp/**/coverage.opencover.xml
- sonar.cs.vstest.reportsPaths=D:\a\_temp/*.trx
- sonar.exclusions=**/obj/**,**/*.dll
- sonar.host.url=https://sonarcloud.io/
- sonar.login=******
- sonar.modules=C3A2336E-473B-4A6A-ABD2-B20675A31A24,C524428D-8F20-4C0F-8EDF-3586719D7B2D,D34AE93A-4ECE-401B-8006-420D23AE4001,DCB75761-4D06-4F04-BCAF-D0553C091F47
- sonar.organization=my-org
- sonar.projectBaseDir=D:\a\1\s
- sonar.projectKey=MY-PROJECT
- sonar.projectName=MY-PROJECT
- sonar.projectVersion=33581-merge
- sonar.pullrequest.base=feature/ts/test-base-branch
- sonar.pullrequest.branch=feature/ts/test-base-branch-feature
- sonar.pullrequest.key=13423
- sonar.pullrequest.provider=vsts
- sonar.pullrequest.vsts.instanceUrl=https://dev.azure.com/my-org/
- sonar.pullrequest.vsts.project=MY-DEVOPS-PROJECT
- sonar.pullrequest.vsts.repository=MY-PROJECT
- sonar.scanAllFiles=true
- sonar.scanner.app=ScannerMSBuild
- sonar.scanner.appVersion=5.5.3
- sonar.scanner.metadataFilePath=D:\a\_temp\sonar\33581-merge\084da375-c3ee-a261-87ed-5963b13f8e8f\report-task.txt
- sonar.sourceEncoding=windows-1252
- sonar.visualstudio.enable=false
- sonar.working.directory=D:\a\1\.sonarqube\out\.sonar
Scanner properties of module: MY-PROJECT:MY-PROJECT:C3A2336E-473B-4A6A-ABD2-B20675A31A24
- sonar.moduleKey=MY-PROJECT:MY-PROJECT:C3A2336E-473B-4A6A-ABD2-B20675A31A24
- sonar.projectBaseDir=D:\a\1\s\MY-PROJECT\Deployment
- sonar.projectKey=MY-PROJECT:MY-PROJECT:C3A2336E-473B-4A6A-ABD2-B20675A31A24
- sonar.projectName=Deployment
- sonar.sources="D:\a\1\s\MY-PROJECT\Deployment\Deployment\azuredeploy.json","D:\a\1\s\MY-PROJECT\Deployment\Deployment\Config\azuredeploy.octo.parameters.json","D:\a\1\s\MY-PROJECT\Deployment\Deployment\Deploy-Arm.ps1","D:\a\1\s\MY-PROJECT\Deployment\Deployment.targets","D:\a\1\s\MY-PROJECT\Deployment\Deployment\Shared\customCertificate.json","D:\a\1\s\MY-PROJECT\Deployment\Deployment\Shared\functions.json","D:\a\1\s\MY-PROJECT\Deployment\Deployment\Shared\customDomainBinding.json","D:\a\1\s\MY-PROJECT\Deployment\Deployment\Shared\updateKeyVault.json","D:\a\1\s\MY-PROJECT\Deployment\Deployment\Shared\storage.json"
- sonar.working.directory=D:\a\1\.sonarqube\out\.sonar\mod0
Scanner properties of module: MY-PROJECT:MY-PROJECT:DCB75761-4D06-4F04-BCAF-D0553C091F47
- sonar.cs.analyzer.projectOutPaths="D:\a\1\.sonarqube\out\3"
- sonar.cs.roslyn.reportFilePaths="D:\a\1\.sonarqube\out\3\Issues.json"
- sonar.moduleKey=MY-PROJECT:MY-PROJECT:DCB75761-4D06-4F04-BCAF-D0553C091F47
- sonar.projectBaseDir=D:\a\1\s\MY-PROJECT\Protocol.UnitTests
- sonar.projectKey=MY-PROJECT:MY-PROJECT:DCB75761-4D06-4F04-BCAF-D0553C091F47
- sonar.projectName=Protocol.UnitTests
- sonar.sourceEncoding=utf-8
- sonar.sources=
- sonar.tests="D:\a\1\s\MY-PROJECT\Protocol.UnitTests\DecoderTests\CommandCompleteDecoderTests.cs","D:\a\1\s\MY-PROJECT\Protocol.UnitTests\DecoderTests\DriveDataDecoderTests.cs","D:\a\1\s\MY-PROJECT\Protocol.UnitTests\DecoderTests\EventDecoderTests.cs","D:\a\1\s\MY-PROJECT\Protocol.UnitTests\DecoderTests\InitializeDecoderTests.cs","D:\a\1\s\MY-PROJECT\Protocol.UnitTests\DecoderTests\LivetrackDecoderTests.cs","D:\a\1\s\MY-PROJECT\Protocol.UnitTests\DecoderTests\MdtDecoderTests.cs","D:\a\1\s\MY-PROJECT\Protocol.UnitTests\DecoderTests\SnapshotDecoderTests.cs","D:\a\1\s\MY-PROJECT\Protocol.UnitTests\Extensions\DeviceConfigurationExtensions\DeviceConfigurationExtensionsTests.cs","D:\a\1\s\MY-PROJECT\Protocol.UnitTests\Extensions\EventTypeExtensionTests.cs","D:\a\1\s\MY-PROJECT\Protocol.UnitTests\Extensions\IntExtensionsTests.cs","D:\a\1\s\MY-PROJECT\Protocol.UnitTests\Mapper\AutoMapperUnitTests.cs","D:\a...
- sonar.working.directory=D:\a\1\.sonarqube\out\.sonar\mod3
Scanner properties of module: MY-PROJECT:MY-PROJECT:D34AE93A-4ECE-401B-8006-420D23AE4001
- sonar.cs.analyzer.projectOutPaths="D:\a\1\.sonarqube\out\2"
- sonar.cs.roslyn.reportFilePaths="D:\a\1\.sonarqube\out\2\Issues.json"
- sonar.moduleKey=MY-PROJECT:MY-PROJECT:D34AE93A-4ECE-401B-8006-420D23AE4001
- sonar.projectBaseDir=D:\a\1\s\MY-PROJECT\Functions.Endpoints
- sonar.projectKey=MY-PROJECT:MY-PROJECT:D34AE93A-4ECE-401B-8006-420D23AE4001
- sonar.projectName=Functions.Endpoints
- sonar.sourceEncoding=utf-8
- sonar.sources="D:\a\1\s\MY-PROJECT\Functions.Endpoints\ApplicationInsights\TelemetryInitializer.cs","D:\a\1\s\MY-PROJECT\Functions.Endpoints\Clients\IMessagingClient.cs","D:\a\1\s\MY-PROJECT\Functions.Endpoints\Constants\DeviceEventConstants.cs","D:\a\1\s\MY-PROJECT\Functions.Endpoints\Decoders\CommandCompleteDecoder.cs","D:\a\1\s\MY-PROJECT\Functions.Endpoints\Decoders\DriveDataDecoder.cs","D:\a\1\s\MY-PROJECT\Functions.Endpoints\Decoders\Enums\FileTypeEnum.cs","D:\a\1\s\MY-PROJECT\Functions.Endpoints\Decoders\Enums\RequestType.cs","D:\a\1\s\MY-PROJECT\Functions.Endpoints\Decoders\EventDecoder.cs","D:\a\1\s\MY-PROJECT\Functions.Endpoints\Decoders\GoToVideoDecoder.cs","D:\a\1\s\MY-PROJECT\Functions.Endpoints\Decoders\InitializeDecoder.cs","D:\a\1\s\MY-PROJECT\Functions.Endpoints\Decoders\MdtDecoder.cs","D:\a\1\s\MY-PROJECT\Functions.Endpoints\Decoders\Models\DecodedItem.cs","D:\a\1\s\VT...
- sonar.working.directory=D:\a\1\.sonarqube\out\.sonar\mod2
Scanner properties of module: MY-PROJECT:MY-PROJECT:C524428D-8F20-4C0F-8EDF-3586719D7B2D
- sonar.cs.analyzer.projectOutPaths="D:\a\1\.sonarqube\out\1"
- sonar.cs.roslyn.reportFilePaths="D:\a\1\.sonarqube\out\1\Issues.json"
- sonar.moduleKey=MY-PROJECT:MY-PROJECT:C524428D-8F20-4C0F-8EDF-3586719D7B2D
- sonar.projectBaseDir=D:\a\1\s\MY-PROJECT\Protcol
- sonar.projectKey=MY-PROJECT:MY-PROJECT:C524428D-8F20-4C0F-8EDF-3586719D7B2D
- sonar.projectName=Protcol
- sonar.sourceEncoding=utf-8
- sonar.sources="D:\a\1\s\MY-PROJECT\Protcol\Parser.cs","D:\a\1\s\MY-PROJECT\Protcol\Enums\CodecType.cs","D:\a\1\s\MY-PROJECT\Protcol\Enums\CommandType.cs","D:\a\1\s\MY-PROJECT\Protcol\Enums\DeviceModel.cs","D:\a\1\s\MY-PROJECT\Protcol\Enums\DevicePowerType.cs","D:\a\1\s\MY-PROJECT\Protcol\Enums\MediaErrorTypes.cs","D:\a\1\s\MY-PROJECT\Protcol\Enums\MediaType.cs","D:\a\1\s\MY-PROJECT\Protcol\Enums\ServerCommand.cs","D:\a\1\s\MY-PROJECT\Protcol\Extensions\BinaryReaderExtensions.cs","D:\a\1\s\MY-PROJECT\Protcol\Flags\EventType.cs","D:\a\1\s\MY-PROJECT\Protcol\Flags\Signal.cs","D:\a\1\s\MY-PROJECT\Protcol\Model\DbAvInfo.cs","D:\a\1\s\MY-PROJECT\Protcol\Model\DbEventInfo.cs","D:\a\1\s\MY-PROJECT\Protcol\Model\DbFrameInfo.cs","D:\a\1\s\MY-PROJECT\Protcol\Model\DbGps.cs","D:\a\1\s\MY-PROJECT\Protcol\D...
- sonar.working.directory=D:\a\1\.sonarqube\out\.sonar\mod1
I have tried on both a bound project, and an unbound project, but get the same results.
I have just noticed that even for files that are successfully being picked up with smells (the files I would expect to be identified), that the path is incorrect (hence why it’s showing as “This file no longer exists in the latest pull request changes.”
I think this may be the root cause, as I would imagine this would mess up the comparison part. Hopefully there’s some extra configuration I need to pass in to correct the source location. I’ll start picking down this route and update this ticket if it fixes it for me.
Many thanks in advance for any help or suggestions.