Compared to SonarQube 8.9.8, SonarQube 10.2 analysis is reporting fewer code smells

Current SonarQube version is 8.9.8, scanner 4.2.
SonarQube deployed using Helm.
I have upgraded SonarQube to 10.2. The upgrade completed successfully, but I noticed something strange. Before the upgrade, on version 8.9.8, the Sonar analysis report for one branch compared with the main branch showed a total of 70K vulnerabilities on the overall code. After upgrading to 10.2, on the same branch with similar configuration, I am now getting 63K vulnerabilities on the overall code. As per my understanding, if the new version has more rules, we should see more vulnerabilities, but instead, the count has reduced. Do you have any explanation for this scenario?

Hi @Sanjana
There are several reasons to have different analyses following an upgrade of the server or scanner.
I suggest you compare the number of lines of code analyzed in the Measure/Size tab.
Then I invite you to compare the quality profiles to understand the evolution of the rules. You can export your old quality profile to the new servers using the backup option.
I assume that you are using the default quality profiles that evolve with the server versions. And sometimes rules that generate false positives are disabled.
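The two checks suggested above (compare lines of code, then compare the quality profiles rule by rule) can be scripted instead of eyeballed. The following is an added example, not code from this thread or from SonarSource: it parses two quality-profile backups (the XML produced by the profile "Back up" action, whose layout is assumed here to be `<profile><rules><rule>` with `repositoryKey`, `key` and `priority` children) and reports which rules were removed, added, or changed severity, and it reads the `ncloc` value out of an `api/measures/component` response (response shape also assumed). The profile XML and measures JSON below are constructed samples, and the `S000x` rule keys in them are placeholders, not real Sonar rules.

```python
"""Diff two SonarQube quality-profile backups and read ncloc from a measures
response. Added example; XML/JSON shapes are assumptions, sample data is
constructed."""
import json
import xml.etree.ElementTree as ET

# Constructed sample: backup exported from the old (8.9.8) server.
OLD_PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<profile>
  <name>Sonar way</name>
  <language>java</language>
  <rules>
    <rule><repositoryKey>java</repositoryKey><key>S0001</key><type>CODE_SMELL</type><priority>MAJOR</priority><parameters/></rule>
    <rule><repositoryKey>java</repositoryKey><key>S0002</key><type>VULNERABILITY</type><priority>CRITICAL</priority><parameters/></rule>
    <rule><repositoryKey>java</repositoryKey><key>S0003</key><type>BUG</type><priority>MINOR</priority><parameters/></rule>
  </rules>
</profile>
"""

# Constructed sample: backup exported from the upgraded (10.2) server.
# S0002 is gone, S0004 is new, S0003 changed severity.
NEW_PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<profile>
  <name>Sonar way</name>
  <language>java</language>
  <rules>
    <rule><repositoryKey>java</repositoryKey><key>S0001</key><type>CODE_SMELL</type><priority>MAJOR</priority><parameters/></rule>
    <rule><repositoryKey>java</repositoryKey><key>S0003</key><type>BUG</type><priority>MAJOR</priority><parameters/></rule>
    <rule><repositoryKey>java</repositoryKey><key>S0004</key><type>CODE_SMELL</type><priority>MINOR</priority><parameters/></rule>
  </rules>
</profile>
"""

# Constructed sample of an api/measures/component?metricKeys=ncloc response.
MEASURES_JSON = """{"component": {"key": "my-project", "measures": [
  {"metric": "ncloc", "value": "12345"}]}}"""


def parse_profile(xml_text):
    """Return {"repo:key": priority} for every active rule in a backup."""
    root = ET.fromstring(xml_text)
    rules = {}
    for rule in root.findall("./rules/rule"):
        repo = rule.findtext("repositoryKey")
        key = rule.findtext("key")
        rules[f"{repo}:{key}"] = rule.findtext("priority")
    return rules


def diff_profiles(old_xml, new_xml):
    """Report rules removed from, added to, or re-prioritised in the new profile."""
    old = parse_profile(old_xml)
    new = parse_profile(new_xml)
    removed = sorted(set(old) - set(new))
    added = sorted(set(new) - set(old))
    changed = {k: (old[k], new[k])
               for k in sorted(set(old) & set(new)) if old[k] != new[k]}
    return {"removed": removed, "added": added, "severity_changed": changed}


def ncloc_from_measures(measures_json):
    """Extract the ncloc metric (lines of code) from a measures response."""
    doc = json.loads(measures_json)
    for m in doc["component"]["measures"]:
        if m["metric"] == "ncloc":
            return int(m["value"])
    raise KeyError("ncloc not present in measures response")


if __name__ == "__main__":
    # Fewer active rules or a lower ncloc on the new server explains a lower
    # issue count without any code having been fixed.
    print("ncloc:", ncloc_from_measures(MEASURES_JSON))
    for kind, items in diff_profiles(OLD_PROFILE_XML, NEW_PROFILE_XML).items():
        print(f"{kind}: {items}")
```

On a real instance you would replace the constructed strings with the backup files downloaded from each server and the JSON returned by the measures endpoint for the same project and branch; a non-empty `removed` list, or a drop in `ncloc`, is the first place to look for a lower issue count.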

Hi,

To add to the excellent list already provided by @Bachri_Abdel, I want to point out that - as they alluded - rules evolve. That includes getting smarter to eliminate false positives.

HTH,
Ann

Hi Bachri,

Thanks for your reply. We are using the same quality profile on both servers, as the new upgraded server has been cloned from the 9.8.9 server. I have checked, and both look the same.

Thanks
Sanjana

Hi Ann,

Thanks for your reply. This could be the reason.

Thanks
Sanjana