I am using SonarCloud with Azure DevOps, I have a project where the number of issues detected has increased (almost doubled) on 9th April even if there have been no code changes in the past 2 weeks.
From a quick review it looks as if all the issues are genuine but for code that is not new, the project has been analysed for several months now so I don’t understand why these issues have not been identified before.
Another issue is that the issues are being identified as being on “new code” even if they are not and as such they are causing the quality gate to fail, I understand that since I am not using SCM integration Sonar might be unbale to automatically backdate them, is there a way to backdate them “manually”?
Is you project using JS or TS by any chance ? Because on the 8th of April at the end of the day we deployed a new version of the JS/TS security analyzer, that is now able to find much more issues. That would explain why you suddenly see all those new issues appear. Our analyzer was just not able to find them before.
Regarding your quality gate that fails because those new issues are flagged as new code.
Indeed if you are not using the SCM integration then we are not be able to backdate those issues correctly, you can find more information about issues backdating here.
There is no way to manually backdate them, but you could eventually “confirm” them to accept this debt, doing so will update the Quality Gate status and you should be back to green.
All code is C#, but I have now noticed that most (but not all) of the newly detected issues are in fact in NUnit test files, so it looks like that the scan is now detecting and reporting issues from the unit tests when previously it wasn’t.
Our exclusion filters have not changed and what’s odd is that the number lines of code has not changed, I would have expected that if the issue was with test files being included in the scan that the loc would also increase.
With regards to the “Confirm” option, I have done that but the items still come up and fail the Quality Gate.
BTW, I have started seeing this behaviour in another couple of projects in my organisation.
Yes we are beginning to raise issues for test projects since version 5.2 of the SonarScanner for .NET.
I would recommand you to read our updated wiki about this subject, there’s also a way to deactivate this behavior if needed. And this is expected to not have the increase of LOCs in your project, since we’ve just rolled out this feature, it need to be adopted first.
Thanks for pointing me to that article, that’s helpful.
It’s not clear to me however why this change was introduced, I am also not clear if not counting LOCs is a temporary arrangement or LOCs on test projects will be included at a later time and whether it will affect the cost of the subscription.