Dev updated Laravel dependencies and versions, but code still show no progression

SonarCloud
1

I have two branches setup in sonarcloud, dev and master.
there were lots of vulnerabilities found, and dev now updated Laravel and allot of dependencies claim that lots of bugs and dependencies vulnerabilities should’ve being fixed, on sonar, there’s no change. any help would be appriciated.

2

Hey there.

I’m sorry – I don’t understand your question. Maybe you can share some screenshots or code snippets that demonstrate the issue you’re facing?

3

Let me rephrase:

I have two branches, one dev, one master. They were scanned, and since, only new code commits are being scanned. I understand that.
Now, there were lots of Larval component changes, allot of packages changes and updates. The developers claim that these changes should eliminate allot of the found bugs and vulnerabilities, but I don’t see any changes in the dashboard.

What am I missing?

In addition,

Analysis
Analysis1000×718 36.7 KB

I can see there are failed and passes, and I don’t feel like I understand the logic behind those failes and passes, I see lines of code removed, and added, but I don’t seem to realise why some are passed and some failed.

4

This is good feedback that the Quality Gate conditions aren’t particularly clear in this overview page. Most likely the failures are coming from the new issues being introduced. For now I would suggest clicking into the branch itself to understand the state of the Quality Gate.

SonarQube doesn’t perform any SCA (Software Component Analysis), so it’s unlikely that just changing packages / package versions would fix the bugs/vulnerabilities SonarCloud detects.

What are the bugs/vulnerabilities they think should be fixed?

5

You are right, im doing SCA with a different tool.
But since i started this thread, and I have an ear,
So… two things I currently struggle with,

  1. Master branch history shows the initial scan with all the vulnerabilities found, lets say my devs fix the code, push it to dev branch, then test, then merge it to master branch, how can i see that the original vulnerability isnt there anymore?
  2. Pull requests, this is confusing, i set it up in the settings, but i still see nothing on that page… ive read the documentation, and still cant figure out what is that :slight_smile: lol