Different number of issues on a branch

  • SonarQube Community Build: 24.12.0.100206
  • SonarScanner for .NET: 10.1.0
  • how is SonarQube deployed: Docker

Our CI uses Windows Docker containers to build our C# projects. The workflow is as follows:

  1. Build the project.
  2. If successful, start the SonarScanner job.
  3. In the scanner job, the artifacts from the build step (all bin and obj folders) are downloaded, and the analysis begins.

Now we’re facing an issue with the reported number of issues:

  • During development, the number of issues fluctuates more than expected.
  • Some issues appear or disappear on lines that haven’t changed at all.

What we already tried:

  • Switching to an incremental dotnet build → no effect.

What we observed:
Begin phase:

00:00:00.000  Incremental PR analysis: Automatically detected base branch 'develop' from CI Provider 'GitLab'.
00:00:00.000  Downloading cache. Project key: <project_key>, branch: develop.
00:00:00.000  Incremental PR analysis: 2009 files out of 2170 are unchanged.

End phase:

INFO: SCM Publisher 2048 source files to be analyzed
INFO: 
INFO: SCM Publisher 1747/2048 source files have been analyzed (done) | time=***ms

The number of analyzed files here doesn’t match the number of changed files on this branch.

Recent changes:

  • We removed the artifacts from the previous build step.
  • Upgraded SonarQube Community Edition to 25.9 and SonarScanner for .NET to 10.4.1.

Question:
Is there anything else that could cause these unexpected fluctuations in the number of issues?

Hi,

Welcome to the community!

Only the latest version of SonarQube Community Build is considered active, so you’ll need to update and see if the situation is still replicable before we can help you.

Your update path is:

24.12 → 25.9

You may find these resources helpful:

If you have questions about upgrading, feel free to open a new thread for that here.

If your error persists after update, please come back to us with your pipeline file. It needs to be begin, < build >, [ tests ], end. The fact that you’re downloading artifacts from somewhere else is highly suspicious.

Ann

Hi Ann,

after the update and some testing, the problem still persists.

I have attached the CI job that creates the SonarQube analysis in gitlab-ci-job.txt (2.5 KB). The artifacts from the test job only contain the test result and coverage data files.

The Dockerfile for the image used in this job (Dockerfile.txt (1.1 KB)) was also rebuilt so that the latest version of the SonarScanner (10.4.1) is used.

With this job running for both the develop and a feature branch, we get the following results:

develop:

Blocker: 88
High: 76
Medium: 2.1k
Low: 321
Info: 373

feature branch:

Blocker: 2
High: 3
Medium: 2k
Low: 3
Info: 373

And as mentioned in my first post, these few lines are the only ones that differ between both analyses.

Hi,

Thanks for the pipeline.

I’m not seeing your checkout in there. Going back to your original problem statement:

This is likely to be about the SCM data available to analysis. Please make sure the prerequisites are in place.

Ann