Summary
After manually resolving issues on master (“Won’t fix” or “False positive”), the issues are still reported in branch analysis.
Versions
- SonarQube Enterprise Edition Version 7.5 (build 20543)
- sonar-maven-plugin version 3.7.0.1746
- gitlab-ci, image maven:3-jdk-8
I’m not really sure how to check the sonar-maven-plugin version, but we use the latest (mvn sonar:sonar), and 3.7.0.1746 is the latest at the time of writing, at least.
initial code:
public class ReproduceSqBug {
    private static final String somethingWithTheWordPasswordInIt = "asdlkj";
}
code after change:
public class ReproduceSqBug {
    private static final String somethingWithTheWordPasswordInIt = "asdlkj";
    private void unrelatedChangeToSeeIfBranchAnalysisReportsTheNowResolvedIssuesInThisFile() {}
}
Steps to reproduce
- Push the initial code to master
- Four issues are reported (one vuln and three code smells)
- Resolve issues manually as “Won’t fix” or “False positive”
- Branch off master
- Push “code after change” to the branch
- Issues are reported on branch analysis
I resolved the vulnerability and one of the code smells as “False positive”, in case there was a difference between issue types. Furthermore, I resolved one code smell as “Won’t fix” and confirmed the last one. The confirmed one didn’t show up in branch analysis, but all the resolved ones did:
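A way to check this systematically, rather than by eye in the UI, is to pull the issue lists for master and for the branch from the Web API and pair them up. The script below is an added example, not code from the original post or from SonarSource. The server URL, token, project key, rule keys and the sample issue records are constructed assumptions; the only real API parameters it relies on are componentKeys, branch, ps and p of api/issues/search. Because a branch analysis assigns its own issue keys, the comparison matches issues on rule, component and line instead, and reports every issue that was resolved as Won’t fix or False positive on master but is unresolved on the branch. The constructed sample reproduces the outcome described above: the three manually resolved issues come back, the confirmed one does not.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed assumptions for this example; adjust to your own server.
SONAR_URL = "https://sonarqube.example.com"
PROJECT_KEY = "com.example:reproduce-sq-bug"
TOKEN = "<user-token-placeholder>"

# Resolutions a reviewer sets by hand (the ones the report says were lost).
MANUAL_RESOLUTIONS = {"WONTFIX", "FALSE-POSITIVE"}


def fetch_issues(branch, base_url=SONAR_URL, project_key=PROJECT_KEY, token=TOKEN):
    """Page through api/issues/search for one branch of the project and
    return the raw issue dicts. Network access is needed; the sample run
    below uses constructed data instead."""
    issues, page = [], 1
    while True:
        query = urllib.parse.urlencode(
            {"componentKeys": project_key, "branch": branch, "ps": 500, "p": page}
        )
        req = urllib.request.Request(f"{base_url}/api/issues/search?{query}")
        # A user token is sent as the basic-auth user name with an empty password.
        cred = base64.b64encode(f"{token}:".encode()).decode()
        req.add_header("Authorization", f"Basic {cred}")
        with urllib.request.urlopen(req) as resp:
            data = json.load(resp)
        issues.extend(data["issues"])
        if page * data["paging"]["pageSize"] >= data["paging"]["total"]:
            return issues
        page += 1


def location_key(issue):
    """Identity of an issue independent of its SonarQube key: same rule,
    same file, same line. Assumes component keys are reported identically
    for master and branch, as the constructed sample below does."""
    return (issue["rule"], issue["component"], issue.get("line"))


def resolutions_lost_on_branch(master_issues, branch_issues):
    """Return the branch issues whose master counterpart was manually
    resolved (Won't fix / False positive) but that are open on the branch."""
    manually_resolved = {
        location_key(i): i
        for i in master_issues
        if i.get("status") == "RESOLVED" and i.get("resolution") in MANUAL_RESOLUTIONS
    }
    lost = []
    for b in branch_issues:
        m = manually_resolved.get(location_key(b))
        if m is not None and b.get("resolution") is None:
            lost.append({
                "rule": m["rule"],
                "line": m.get("line"),
                "master_resolution": m["resolution"],
                "branch_key": b["key"],
            })
    return lost


# Constructed sample data mirroring the report: four issues on master in
# ReproduceSqBug.java, three resolved by hand and one confirmed. Rule keys
# are placeholders, not real SonarQube rule identifiers.
_FILE = f"{PROJECT_KEY}:src/main/java/ReproduceSqBug.java"
SAMPLE_MASTER = [
    {"key": "m1", "rule": "example:hardcoded-secret", "component": _FILE, "line": 2,
     "type": "VULNERABILITY", "status": "RESOLVED", "resolution": "FALSE-POSITIVE"},
    {"key": "m2", "rule": "example:smell-a", "component": _FILE, "line": 2,
     "type": "CODE_SMELL", "status": "RESOLVED", "resolution": "FALSE-POSITIVE"},
    {"key": "m3", "rule": "example:smell-b", "component": _FILE, "line": 2,
     "type": "CODE_SMELL", "status": "RESOLVED", "resolution": "WONTFIX"},
    {"key": "m4", "rule": "example:smell-c", "component": _FILE, "line": 1,
     "type": "CODE_SMELL", "status": "CONFIRMED"},
]
# On the branch the three resolved issues reappear as open with new keys;
# the confirmed one is not reported again.
SAMPLE_BRANCH = [
    {"key": "b1", "rule": "example:hardcoded-secret", "component": _FILE, "line": 2,
     "type": "VULNERABILITY", "status": "OPEN"},
    {"key": "b2", "rule": "example:smell-a", "component": _FILE, "line": 2,
     "type": "CODE_SMELL", "status": "OPEN"},
    {"key": "b3", "rule": "example:smell-b", "component": _FILE, "line": 2,
     "type": "CODE_SMELL", "status": "OPEN"},
]


if __name__ == "__main__":
    # Against a live server: fetch_issues("master") and fetch_issues("my-branch").
    for entry in resolutions_lost_on_branch(SAMPLE_MASTER, SAMPLE_BRANCH):
        print(json.dumps(entry))
```

Running it against a real server before and after upgrading, or after changing how a branch is analysed, gives a quick regression check that triage decisions on master still apply to branches; a Won’t fix on a credentials rule that silently reverts to open on every feature branch is exactly the kind of drift that makes reviewers stop trusting the dashboard.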