Must-share information (formatted with Markdown):
220.127.116.11595 (Sonarqube self-hosted? idfk)
Problem : I have 5 repositories, each trying to scan a branch named
"master" which doesn’t exist in our github projects. I want to change this to be another branch -
release - but the documentation is confusing as hell and doesn’t clearly state how this is done from my perspective. Even when I pushed a branch named “master” it didn’t work.
Can someone please provide me even a hint at how I can set the branch it reads from?
Tried : Looking at every setting in project settings, I’m an admin user so am not missing any areas of the dashboard.
Below is a shot of one of the projects.
This branch has literally no code on it (doesn’t even exist), but it had been reporting as “Passed”?
I made and pushed to a branch named “master” and “main” even, but nothing happens, nothing gets scanned.
I try to change the branch - all I can do is “rename” it which looks like its name only, not the actual branch name, just what the dashboard calls it.
Permissions Are all set according to the docs outlined permission list:
^ This is the application permissions on the Organization Level
I also can confirm the application has access to the repo as its on both the list and the repo itself has it as a github app:
Cant add more photos, but its there.
Sonarqube dashboard also confirms proper connection:
Imagine a screenshot of your dashboard showing confirmed connection since I can’t add more than 3 photos
Welcome to the community!
I would have expected the branch name in SonarQube to default to
main. Perhaps these projects have been under analysis for a while (i.e. on older SonarQube versions)? At any rate, main/master is the default branch; the one that’s analyzed when a branch name isn’t passed into analysis.
Since the branch is empty, I suppose it’s never been analyzed and the passing Quality Gate is just a default.
Your best bet here is to upgrade to 10.2.1, where we added the ability to set another, existing branch as the
But then how come even when I push to either “master” or “main” nothing happens. All the connections are set, I walked through the entire setup doc twice. Nothing happens it just says theres nothing there. All validations it can do to check github say they work and I can even login via github so its clearly connected. Every permission is match to the documentation on the repo as well.
^ Shows Github is connected properly
^ Application Permissions (this is the Installed Application in the Organization level, just for clarity)
Its also connected to the repo desired in its list on the settings page in the app, and I see it on the repository settings as well as an application that has access.
^ This is it connected in the repository
Your use of the word “push” - versus, say, “analyze” - makes me wonder whether the “nothing” is (not) happening at your CI or in SonarQube analysis.
When you push/commit to “master”, does your CI run to build and analyze that branch? And if so, can you please share the full analysis logs of that analysis?
The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.
This guide will help you find them.
What I understand sonarqube does is it is connected to the branches and then when a new push goes to the branch it listens to, its scanning the raw codebase. Are you saying we have to push a compiled build to it?
Our Ci is not configured to listen to “Master” – it listens to a plethora of other branches, which is what I wanted to change it to - “Pre-Release” is our main branch which not only does its build but also submits to apple store testflight. The CI on bitrise works fine and always sees it fine, we just don’t get anything out of sonarqube when even the branch its forcing me to use gets a push.
This answers the question of:
Not as tightly as you think it is
No. There must be an intermediary - the CI - to fire the analysis.
I’m absolutely not saying you should check in the compiled byte code! And you only need compilation depending on the language: Java, C, C++, Objective-C, or C#.
What should happen:
- commit/push to SCM
- CI checks out code
- [CI builds, depending on language]
- CI fires analysis
- [CI waits for Quality Gate to be computed and reflects QG status]
Where the bracketed items are optional.
I don’t understand then why the sonarqube instance needs to connect to our github repo itself at all then, if the CI is what compiles the app build and then sends the compiled build to the sonarqube instance for analysis. Why am I plugging it into branches and such if CI (we use bitrise.io) just sends it a compiled application build?
I’m sorry for being persistent but I basically discovered that we haven’t actually had a scan happen for MONTHS and its just been reporting “passing” on nothing, so we’ve effectively burned $1200 for nothing and its so confusing how to get this working that its pretty disheartening.
SonarQube connects to GitHub to
- onboard projects - this is the initial setup
- decorate pull requests
I linked earlier to the analysis overview. I think it might be helpful if you read through it.
I’ve read it, twice in fact because I figured I missed something, and I still don’t understand.
Does sonarqube see when i push code to the main branch and that push is what triggers the analysis, or is the CI system required to push the code to the sonarqube instance. Nothing in any of these docs has a flow chart or anything to explain the actual process.
Developer Edition adds the ability to analyze your project’s branches and pull requests as well as the ability to automatically report your pull request analysis to your DevOps platform interface.
There is no flow diagram to articulate what the actual flow process expected is so I have no idea how to make this work or even begin to approach fixing the problem.
No. SonarQube isn’t monitoring your SCM. Your CI needs to ‘see’ or be notified of the push. The idea is that you already have a CI pipeline in place to respond to that push - right? It runs your tests and does the build. Just add analysis to that pipeline.
Okay, so I need to have to add a step to my CI process (bitrise.io) to then take the build it compiles and push the compiled build to sonarqube? Or does it just need a step to say “hey sonarqube, go scan my raw repository” ?
Is this the flow? If it is then I am so confused why I need to connect my repo to sonarqube if my CI has to do all the heavy lifting, but if this is the right flow then I can set this up. – Am I supposed to scan a compiled build in this case?
- Push to main branch → Bitrise CI sees this and runs its workflow
- Bitrise CI compiles the build then saves the build to a path
- Bitrise CI then sends the compiled build to SonarQube
- SonarQube scans the build and then reports its results in its dashboard
This is a fair question. In commercial editions you need the setup for SonarQube to be able to decorate your pull requests (count & location of issues, status of PR Quality Gate). In Community Edition, the setup between SonarQube and your DevOps Platform (e.g. GitHub) is “just” to provide you an onboarding wizard for pre-configuring new projects before the first analysis.
Not exactly. What should happen
- User pushes code
- DevOps platform sends webhook to CI
- CI fires job for repository, which does the following:
- check out code
- [build code if it’s a compiled language]
- execute SonarScanner (or language-specific scanner)
- examine each file, collecting metrics and looking for issues
- bundle issues & metrics data
- send bundle to SonarQube server for server-side processing
- [wait for SonarQube Quality Gate status & potentially fail the pipeline]
- save / deploy compiled build as appropriate
Where items in brackets (
[ ]) are optional.
Note that to make this work, you need the appropriate Sonar Scanner(s) installed on your build agents. If you’re working in C, C++ or Objective-C, there’s an additional piece called the build-wrapper.
Does this help?
Okay, so that helped a ton, I was able to get it all wired in. Only question I have left and I promise to shush after this is that I see it says 0 Vulnerabilities, but plenty of bugs and other good finds, so I know its scanning properly now (64k lines in the app, all accounted for)
Does Sonarqube Sonarscanner read the imported cocoa pods at all? I guess I’m just in disbelief a repo with 5 years to its name has 0 vulnerabilities anywhere. I didn’t see a specific field in Analysis parameters for pointing it to the imported modules list, so I’m sorta assuming it scans based on
sonar.sources and then uses the
sonar.tests to do the unit test coverage audits – is there a specific ‘imported modules’ I need to inform sonarscanner of?
No, no. Keep 'em coming as long as you’ve got 'em. Altho, I may ask you to create new threads.
Ehm… Probably not, from what I can see. Can you create a new thread for this?
That will allow me to route that single, narrow question for the attention of the right folks.