Enable Quality Gate check for feature branch and new code

Hi,
I have upgraded SonarQube to 9.2 and found one issue: after scanning the existing branch (develop), it is failing the quality check, which is expected. But if I create a new branch from develop, then it passes.
So I wanted to know how to enable the Sonar scan for new code on feature branches as well.

Hi,

Welcome to the community!

Is the Quality Gate condition one on new code? Is it possible you haven’t made any changes to the new branch & thus not added any new code to it yet? Without new code, it’s impossible to fail the Quality Gate.

 
Ann

Hi Ann,
Yes, there is a change in the new branch and it is passing even though there are some security issues.
If I add new code with some vulnerabilities in the feature branch and scan it with SonarQube, then it marks the quality gate with an error, but the status is marked as passed.
If I merge that code to, say, the develop branch, then the status is marked as passed.
It should mark the status as failed for the feature branch, as it has some issues.

Thanks
Manish

Hi Manish,

How about a screenshot of the Quality Gate you’re using?

 
Ann

Sure Ann,
Here are two screenshots.

  1. Quality gate setting - I am using the default setting for all projects

  2. Quality gate scan for feature branch - it contains changes after this branch creation from develop branch.

Thanks,
Manish

Hi Manish,

Thanks for the screenshots; they tell the tale.

Your Quality Gate consists only of conditions on New Code. Your 2 vulnerabilities are in Overall code. While anything that shows up in New Code will also show up in Overall code, it seems that these 2 vulnerabilities are not in New Code and that’s why your Quality Gate is passing.

Does that make sense?

 
Ann

It is completely correct for the branch for which I sent you the screenshots.
To show you some examples, I created a new branch from an existing one and showed you the issue in the overall code.

But if I create a new branch and add some code that has some code issues, then the same 2 vulnerabilities will be shown in New Code only, and I want the Quality Gate check status to be failed for such issues in New Code.
@harshada

Hi,

Are the two new issues in your example Code Smells? Because your Quality Gate includes a condition on the Maintainability Rating on New Code, but that won’t necessarily exclude new Code Smell issues. You may be interested in the docs on Metric Definitions.

 
Ann

Hi Ann,
I am able to achieve this by setting “Reference Branch” under “Project Settings” of a project.

I want to apply this setting at the global level, but as per the documentation we don’t have a “Reference Branch” option at the global level.

So my question is: is there any way we can apply the same setting to all the projects in Sonar? It is not possible to apply it to each project, as I have more than 100+ projects.

If it is not possible to apply the setting at the global level in the current version, can you add this feature in future versions?

Thanks
Manish

Hi Manish,

You might try the Web API to automate this. However, I need to ask: what is the setting for the develop branch? Whether manually or via automation, once you set the project-level value to reference develop, you’ll also need to update the develop branch in each project to fix its setting.

 
HTH,
Ann
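
The automation Ann describes above, as an added example that is not part of the original thread and is not SonarSource's code: it pages through `api/projects/search`, sets each project's default new code definition to reference `develop` via `api/new_code_periods/set`, then gives `develop` its own definition. Assumptions: the server URL and token are placeholders, the `send` parameter is a hypothetical hook for testing, and `PREVIOUS_VERSION` for `develop` is one possible choice.

```python
import base64
import json
import urllib.parse
import urllib.request

SET_PATH = "api/new_code_periods/set"

def auth_header(token):
    # A SonarQube user token is sent as the Basic-auth username with an empty password.
    return "Basic " + base64.b64encode(f"{token}:".encode()).decode()

def make_request(base_url, token, path, params, method):
    url = f"{base_url.rstrip('/')}/{path}"
    encoded = urllib.parse.urlencode(params)
    if method == "GET":
        req = urllib.request.Request(f"{url}?{encoded}", method="GET")
    else:
        req = urllib.request.Request(url, data=encoded.encode(), method="POST")
    req.add_header("Authorization", auth_header(token))
    return req

def list_project_keys(base_url, token, send=urllib.request.urlopen, page_size=500):
    """Page through api/projects/search and collect every project key."""
    keys, page = [], 1
    while True:
        params = {"p": page, "ps": page_size}
        with send(make_request(base_url, token, "api/projects/search", params, "GET")) as resp:
            body = json.load(resp)
        keys += [c["key"] for c in body["components"]]
        if page * page_size >= body["paging"]["total"]:
            return keys
        page += 1

def plan_requests(project_keys, reference="develop", reference_own_type="PREVIOUS_VERSION"):
    """Two POSTs per project: the project default, then the reference branch itself."""
    plan = []
    for key in project_keys:
        # Project-level default: every branch measures new code against `reference`.
        plan.append({"project": key, "type": "REFERENCE_BRANCH", "value": reference})
        # Per Ann's note, the reference branch then needs its own setting fixed
        # (PREVIOUS_VERSION is an assumption here; pick what suits develop).
        plan.append({"project": key, "branch": reference, "type": reference_own_type})
    return plan

def apply_to_all(base_url, token, send=urllib.request.urlopen):
    keys = list_project_keys(base_url, token, send)
    for params in plan_requests(keys):
        with send(make_request(base_url, token, SET_PATH, params, "POST")) as resp:
            resp.read()  # urlopen raises HTTPError on 401/403, so a failure stops the run
    return keys
```

Calling `plan_requests(keys)` on its own prints nothing and sends nothing, so the list of changes can be reviewed before `apply_to_all` is run against a real server.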

Thanks Ann for the web API option.

I got the chance to look into the web API and I tried to set the reference branch to develop for one of the projects, but I am getting a 401 Unauthorized error on the POST request (screenshot below). I have given all correct values, with credentials, using basic authentication. I also have Administrator privileges on the server.

I can fetch details using the GET method but for POST.
Please let me know how to resolve this and make it work with the POST method.
Also, please provide me with the steps to create a token that I can use for these API calls instead of my login credentials.

Thanks,
Manish