I am using SonarQube EE 9.9.1
I have different Quality Gates configured in SonarQube for Overall and New Code. The Quality Gate for Overall Code is more lenient, while for New Code it’s stricter.
When someone starts development on a new branch, all the code passes the Overall Code Quality Gate on the first check, and the Quality Gate doesn’t fail. However, when we create a Merge Request from this branch into the main one, all the code will fall under New Code, and in this case, new vulnerabilities will cause the Quality Gate to fail. This behavior does not seem to be expected by developers. I understand that this is a conceptual problem. Perhaps there is a way to fix the situation?
For example, for a number of branches that do not belong to dev, main, test, add everything to New code at once. But maybe there are better solutions.
What can be done about this?
What’s your New Code Definition for those branches? It should probably be Reference branch.
It sounds like
- the branch is created
- changes are made
- the first analysis is run
- this first analysis is used as the baseline analysis & only new code after this is counted.
Thus all the initial changes in the branch are overlooked as new code until merge. Using a reference branch instead should help here.
Thanks for your reply!
Now I set in Global Settings ‘Previous version’
As far as I know, in SQ there is no possibility to set Reference branch in Global Settings. In your scheme, should I set ‘Previous version’ for each project individually? In manual mode or via the Web API?
I use GitLab CI/CD, and manual mode is unsuitable.
Huh? Why not?
As I see in Defining new code, there is this definition for the option: ‘Reference branch: Available at the project and branch levels.’
Sorry, you do see Reference Branch as an option in the project-level admin in the UI or you do not?
Yes, I see this option in the project-level admin in the UI, but in the Global Settings of the SQ instance I see only Previous version and Number of days.
Yes. That’s as expected. What happens if you set foo as the reference branch at global level and analyze a project without a
Yes, I understand such a situation =)
I wanted to see if it was possible to define a master branch globally and then use that as a Reference Branch. As I understand it, the main solution to my problem is:
-organizationally change QG
-configure Reference Branches for main/dev/test/etc individually for projects
Did I understand everything correctly?
Well, I’m not sure you need to change your Quality Gate. That’s up to you. But yes, you would configure your reference branches individually at the project or branch level.
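Since the asker wants to do the per-project configuration from GitLab CI rather than by hand, here is an added example (not from this thread, and not a SonarSource script) of doing what the replies above recommend through the Web API: set the project-level New Code definition to Reference branch `main`, give the long-lived branches their own override so they do not reference themselves, and show what the branch being built will use. It uses `api/new_code_periods/set` and `api/new_code_periods/show` (parameters `project`, `branch`, `type`, `value`, present since SonarQube 8.0). The environment variable names `SONAR_HOST_URL`, `SONAR_TOKEN`, `SONAR_PROJECT_KEY` and `SONAR_DRY_RUN` are assumptions for this example; the token needs Administer permission on the project.

```shell
#!/usr/bin/env sh
# Added example, not part of the original thread. Assumed environment (set as
# GitLab CI variables):
#   SONAR_HOST_URL     e.g. https://sonar.example.com
#   SONAR_TOKEN        user token with "Administer" permission on the project
#   SONAR_PROJECT_KEY  the SonarQube project key
#   SONAR_DRY_RUN=1    print the curl calls instead of executing them (for testing)
set -eu

# Branches that keep "Previous version"; every other branch (including ones that
# do not exist in SonarQube yet) falls back to the project-level default below.
LONG_LIVED="main dev test"
REFERENCE="main"

# Thin wrapper so the same functions can be exercised offline.
sonar_curl() {
  if [ "${SONAR_DRY_RUN:-0}" = 1 ]; then
    printf 'curl %s\n' "$*"
    return 0
  fi
  curl -fsS -u "$SONAR_TOKEN:" "$@"
}

# POST api/new_code_periods/set. Without a branch argument this sets the
# project-level default. A branch-level call is rejected until that branch has
# been analyzed at least once, so it cannot be used for a brand-new branch.
sonar_set_ncp() {
  type="$1"; value="${2:-}"; branch="${3:-}"
  set -- -X POST "$SONAR_HOST_URL/api/new_code_periods/set" \
         --data-urlencode "project=$SONAR_PROJECT_KEY" \
         --data-urlencode "type=$type"
  [ -n "$value" ]  && set -- "$@" --data-urlencode "value=$value"
  [ -n "$branch" ] && set -- "$@" --data-urlencode "branch=$branch"
  sonar_curl "$@"
}

# GET api/new_code_periods/show to verify what is in effect for a branch.
sonar_show_ncp() {
  branch="${1:-}"
  set -- -G "$SONAR_HOST_URL/api/new_code_periods/show" \
         --data-urlencode "project=$SONAR_PROJECT_KEY"
  [ -n "$branch" ] && set -- "$@" --data-urlencode "branch=$branch"
  sonar_curl "$@"
}

# 1. Project default: feature branches are compared against $REFERENCE, which
#    must itself already be analyzed in SonarQube.
# 2. Long-lived branches get an explicit override so main does not reference itself.
# 3. Show the definition the current GitLab branch will be analyzed with.
sonar_apply_ncp() {
  sonar_set_ncp REFERENCE_BRANCH "$REFERENCE"
  for b in $LONG_LIVED; do
    sonar_set_ncp PREVIOUS_VERSION "" "$b" \
      || echo "branch $b not analyzed yet, it will use the project default" >&2
  done
  sonar_show_ncp "${CI_COMMIT_REF_NAME:-}"
}

# In the GitLab job, run this before sonar-scanner:  sh set_ncp.sh apply
if [ "${1:-}" = "apply" ]; then
  sonar_apply_ncp
fi
```

Run it in the job step before the scanner so the definition is already in place for the branch's first analysis; setting it afterwards only affects the next analysis. Because the reference branch is compared at analysis time, the MR analysis and the branch analysis then agree on what counts as new code.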