Blame Data Is Not Available Via SonarQube Git Plugin

• Versions used:

  • SonarQube Server: 6.7.5 (build 38563)
  • Scanner (SonarQube Gradle Plugin): org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:2.8
  • SonarQube Git Plugin: 1.9 (build 1725)
  • Bamboo: 6.8.1 (build 60805)
  • Sonar4Bamboo Bamboo Plugin: 1.7.11 (last free version)

• Error observed:

  • No blame information is available in SonarQube.
  • The logs indicate that blame information is not retrieved due to a linked repository being used.

    build	21-Nov-2019 20:02:09	> Task :sonarqube
    build	21-Nov-2019 20:02:09	SCM provider for this project is: git
    build	21-Nov-2019 20:02:09	141 files to be analyzed
    build	21-Nov-2019 20:02:09	This repository references another local repository which is not supported. You can avoid borrow objects from another local repository by not using --reference or --shared when cloning it.
    build	21-Nov-2019 20:02:09	Missing blame information for the following files:
    …

• Expected result:

  • The blame information should be read from the linked repository, rather than the SonarQube Git Plugin failing early due to the linked repository. Fully-cloning repositories is slow, and we do not want to maintain an additional long-running repository directory for these scans – we want to start with a clean directory for each scan. Linked repositories (like those used by default with Bamboo) have facilitated this for us until the recent SonarQube Git Plugin update.

• Steps to reproduce:

  • Create a git project with Gradle using the given SonarQube Gradle Plugin
  • Commit code to a branch
  • Create a Bamboo build plan using Sonar4Bamboo 1.7.11
  • Run the build plan for the given branch
  • Blame information is not received

• Potential workaround

  • (Option 1) Revert the SonarQube Git Plugin to a prior version without this issue
  • (Option 2) Manually force Bamboo to execute a full clone before each build (very slow for large repositories)

It looks like this bug was introduced with SONARSCGIT-34 (specific source changes: bda38aeec2). It appears that these changes were made because of the comments here (Gradle SonarJava scan fails) combined with the JGit bug report here (https://bugs.eclipse.org/bugs/show_bug.cgi?id=541050).

It sounds like it comes down to the JGit bug not being fixed, so I wonder if this has to wait until that’s fixed.

Hi,
I’m surprised that the prior version of the Git Plugin works with linked repositories. The change was done because presumably JGit doesn’t support looking up objects in the referenced repository.
Could it be that all objects being read in a particular analysis that works with the previous version just happened to be in the repository (and not in the referenced one)?

I have a similar problem using

• TeamCity 10.0.3 (build 42434)
• SonarQube Server Version 7.5 (build 20543)
• SonarQube Gradle Plugin (org.sonarsource.scanner.gradle:sonarqube-gradle-plugin), I don’t know which version.
• SonarQube Git Plugin 1.9 (build 1725)

After updating the GIT plugin from 1.8.0 (Build 1574) to 1.9 (build 1725), the blame information isn’t available anymore. We didn’t change anything at the build-process when the gradle sonarqube plugin is executed.

We’re seeing a similar issue after updating the SonarQube 8.1. Previously there was no issue with missing blame data. After the update, we’re getting a very noticeable number of source files missing blame data and and quite a few issues without authors as a result. Is there any chance this will get addressed?

I’ve validated that the blame data is not missing on the exact same code base after replacing the 1.9 git plugin version with sonar-scm-git-plugin-1.8.0.1574.jar and restarting the server.

And I just ran the 4.9.0 jgit and at least that version of jgit is seeing the missing blame data. This doesn’t seem to be getting attention here as a “suggest new feature”. I’ve filed the bug here: Blame data present in SonarQube 7.9.1 is now missing after upgrade to 8.1

This appears to be fixed in SonarGit 1.11 (SONARSCGIT-50). We’re seeing blame information again now.