Code not covered by tests

Hi, I was running a Sonar scan against the same repo multiple times, and sometimes I got a “not covered by tests” message beside my code and sometimes I didn’t. I searched online and most people talk about how to add a test coverage report. What I want to know is why this message pops up. Is it because the same code has been scanned elsewhere?


Could you share a screenshot of the message the next time you see it? Just from reading the message, I’m not making any connections…


I had two projects in GitLab: one contains the full OWASP Juice Shop project, the other contains individual vulnerable files.

In the full project, SonarQube found a vulnerability in routes/login.js on line 44, but the same vulnerability wasn’t found in the second project.

The red line on the left showed not covered by tests. Not sure how to fix this. What other information is needed?

When I imported the entire Juice Shop project to another repo, I only got one vulnerability. I believe there should be around 13 of them.

This is the text file of the scanning output. Not sure if this helps.

sonarscan-output.txt (784.2 KB)


Thanks for the logs & screenshots.

I believe you’re confusing two different things. Here’s a screenshot of your screenshots:

See that red marginal marker? It shows up in both of your screenshots and indicates that the lines in question aren’t covered by tests. Mouse over the red line in either project and you’ll get the same “Not covered by tests” message. That message has nothing to do with what issues are / are not detected by analysis.

Now, to the question of why the vulnerability doesn’t show up in the test project, it’s quite possible that it’s because - as you’ve indicated - it’s not a full copy of the original project. The issue in question is a taint analysis issue. I.e. it’s an issue raised when the dataflow through the program indicates that a value provided by a user is being used in a dangerous way. But if you took a subset of the project that doesn’t actually include gathering data from the user, then that would explain why a dangerous use of user data isn’t detected.

Does that sound right? Or am I misunderstanding what’s in the second project?


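The reasoning in the reply above, as an added example that is not part of the original thread and is not SonarQube's implementation: a simplified taint-propagation model showing that a sink is only reported when the file that introduces the user input is part of the scan. The file names, value names and data-flow facts are constructed for illustration and are not Juice Shop's real code.

```javascript
// Constructed toy project: each scanned file contributes data-flow facts.
// All names here are hypothetical.
const project = {
  'routes/handler.js': {
    sources: ['req.body.email'],                       // value supplied by the user
    flows: [['req.body.email', 'buildQuery(email)']],  // handler passes it on
  },
  'lib/query.js': {
    flows: [['buildQuery(email)', 'sqlText']],         // argument ends up in query text
    sinks: [{ value: 'sqlText', kind: 'sql-query' }],  // dangerous use
  },
};

// Report every sink reachable from a user-controlled source, using only
// the facts found in the files that were actually scanned.
function findTaintIssues(files) {
  const edges = new Map();
  const tainted = new Set();
  const sinks = [];
  for (const [file, facts] of Object.entries(files)) {
    for (const s of facts.sources || []) tainted.add(s);
    for (const [from, to] of facts.flows || []) {
      if (!edges.has(from)) edges.set(from, []);
      edges.get(from).push(to);
    }
    for (const sink of facts.sinks || []) sinks.push({ file, ...sink });
  }
  // Worklist propagation: anything a tainted value flows into is tainted.
  const work = [...tainted];
  while (work.length > 0) {
    const value = work.pop();
    for (const next of edges.get(value) || []) {
      if (!tainted.has(next)) {
        tainted.add(next);
        work.push(next);
      }
    }
  }
  return sinks.filter((s) => tainted.has(s.value));
}

// Whole project: source and sink are connected, so the issue is raised.
const fullScan = findTaintIssues(project);
// Subset containing only the sink file: no source, so nothing is raised.
const subsetScan = findTaintIssues({ 'lib/query.js': project['lib/query.js'] });
console.log('full project:', fullScan);
console.log('sink file only:', subsetScan);
```
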

You are absolutely correct. I created a new empty GitLab project and then added the Juice Shop files. SonarQube properly identified the vulnerabilities. Thank you for your patience and help!!
