Compare Sonar analysis with main branch latest analysis and show the diff

Must-share information (formatted with Markdown):

Sonarqube - 9.9
Plugin - org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.1.2184:sonar

We have set up the main branch as develop on Sonar and our development involves creating a feature branch out of the develop branch and then merging it into develop after development and testing.

For our develop branch there are a lot of Code smells, bugs, vulnerabilities that are currently in Old Code section (probably marked as not fixable), and now whenever a new feature branch is merged to develop, Sonar runs on the entire develop branch and only shows the new Code smells, bugs, etc that got introduced in the current PR, causing the quality gate to fail. Then we fix the issue and merge it again to develop thus solving the smell, bug, etc whatever came.

Is it possible to do this on the feature branch itself, basically run the Sonar scan on the entire feature branch but only show the code smells, bugs, etc. that are not there on the latest Scan of develop branch, essentially show me the diff in smells, bugs, etc.

For example:
Let us say the latest code of my develop (main branch) has 0 bugs, smells in the New Code section but the Old Code section has 100 smells. Then when I run the Sonar scan on my feature env branch and introduce 1 new smell, then it shows me 1 new smell as the diff and not the absolute 101 smells.

Edit.
I did the above using

`-Dsonar.branch.name=$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME -Dsonar.newCode.referenceBranch=develop`

When I ran the above for first time, it showed me 1 new smell, which is what I wanted.
Then I added another commit to my feature branch in which I introduced 1 new smell, now I ran the Sonar scanner again, this time it showed me 1 new smell (new one which I introduced in second commit), whereas ideally it should have shown me 2 new smells compared to develop. How can I solve this particular problem?

Hi,

Per the docs,

Reference branch: Available at the project and branch levels. Recommended for projects using feature branches. Choose a specific branch to define your new code. Any differences between your branch and the reference branch in the clone the scanner has access to at analysis time are considered new code.

Detection of new code is based on SCM data, and particularly when a reference branch is in use.

So was there an intermediate merge back into develop between the two commits to the branch? Are you sure the build agent had access to the correct iteration of develop at the time of analysis?

Ann

> So was there an intermediate merge back into develop between the two commits to the branch? Are you sure the build agent had access to the correct iteration of develop at the time of analysis?

Yes, there weren’t any intermediate commits.
But do you mean to say that by using `-Dsonar.newCode.referenceBranch=develop` it's essentially doing a diff of code between feature branch and develop branch, and then showing the issues on that diff code only?
Doesn't that become equivalent to the pull request way of doing things?
`-Dsonar.pullrequest.branch=$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME -Dsonar.pullrequest.base=$CI_MERGE_REQUEST_TARGET_BRANCH_NAME`

> basically run the Sonar scan on the entire feature branch but only show the code smells, bugs, etc. that are not there on the latest Scan of develop branch, essentially show me the diff in smells, bugs, etc.

I want something like this where the analysis runs on the entire feature branch, then compares the issues with the last scan results of the develop branch, and only shows the diff of issues.

Hi,

Branch analysis is always going to show all issues. But with a reference branch New Code definition, what shows up under ‘new’ will be the changes since the reference branch.

It doesn’t work against the latest version of develop but versus the branch point.

Now that is more like PR analysis.

HTH,
Ann

> what shows up under ‘new’ will be the changes since the reference branch.

Can you elaborate on what is meant by changes here?

> but versus the branch point.

You mean the previous scan of the feature branch?

I guess I was hoping to achieve something similar to what is currently an issue with Sonar - https://portal.productboard.com/sonarsource/3-sonarqube/c/295-new-pull-request-issues-on-unchanged-code

We have been struggling a lot with this lately, where the new code itself is not showing any issue upon scanning (we do the PR analysis), but when it's merged to the develop branch and a full scan runs on the develop branch, then we see some issues.

Hi,

No. I mean the changes since the branch diverged in the SCM from the base branch, independent of the last branch analysis.

That shows up as a portal card because it hasn’t been implemented yet. :slight_smile:

Ann


So to summarize my understanding, when we use `-Dsonar.newCode.referenceBranch=develop`
Sonar runs the full branch analysis on the feature branch, but in the new section it only shows the issues that are on code that is in the feature branch and not in the develop branch?
Please confirm this.

A follow up on reference branch usage - does Sonar always use the latest version of reference branch that is available in SCM at that time?

Hi,

No.

SonarQube analyzes the whole code base. The entire thing. Every line and file.

What shows up under New Code is what has changed since the branch point.

HTH,
Ann
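As an added illustration (not SonarQube's own code, and not from anyone in this thread) of what "changes since the branch point" means, the script below builds a constructed throwaway git repository and contrasts two ways of defining new code: since the merge-base with develop, versus against the current tip of develop. It assumes `git` is installed and approximates SonarQube's SCM-based detection with `git merge-base` and `git diff`.

```shell
#!/bin/sh
# Added illustration (not SonarQube code): a reference-branch New Code
# definition counts changes since the branch point, not against the latest
# develop. SonarQube reads SCM data; this approximates that with git.
set -e

# Append one line to <file> and commit it in repository <repo>.
commit_line() {  # commit_line <repo> <file> <line> <message>
  printf '%s\n' "$3" >> "$1/$2"
  git -C "$1" add "$2"
  git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q -m "$4"
}

# Files changed on <branch> since it diverged from <reference> (branch point).
files_since_branch_point() {  # <repo> <reference> <branch>
  base=$(git -C "$1" merge-base "$2" "$3")
  git -C "$1" diff --name-only "$base" "$3"
}

# Files that differ between the *tip* of <reference> and <branch>; this also
# picks up unrelated work that landed on the reference after branching.
files_vs_reference_tip() {  # <repo> <reference> <branch>
  git -C "$1" diff --name-only "$2" "$3"
}

# Constructed repo: baseline on develop, two commits on feature (one "smell"
# each), then an unrelated commit on develop after feature branched off.
build_demo_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" symbolic-ref HEAD refs/heads/develop
  commit_line "$repo" App.java 'class App {}' 'baseline on develop'
  git -C "$repo" checkout -q -b feature
  commit_line "$repo" App.java '// smell introduced in commit 1' 'feature 1'
  commit_line "$repo" App.java '// smell introduced in commit 2' 'feature 2'
  git -C "$repo" checkout -q develop
  commit_line "$repo" Other.java '// develop moved on' 'develop advances'
  git -C "$repo" checkout -q feature
  printf '%s' "$repo"
}

repo=$(build_demo_repo)
echo "new since branch point (both feature commits, App.java only):"
files_since_branch_point "$repo" develop feature
echo "diff against develop tip (also drags in Other.java):"
files_vs_reference_tip "$repo" develop feature
```

Both feature commits fall inside the branch-point diff, which is the set a reference-branch New Code definition would consider; comparing against the tip of develop instead would also report the unrelated develop change.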