Extra Issues highlighted on lines with no code change

Using an Azure DevOps repository with changes to .cs files. When a Pull Request (PR) was created and the gated pipeline was run, a number of issues (197) were highlighted with comments in the PR that relate to SonarCloud analysis.

However, a lot of those issues were on unrelated parts of the code that haven’t changed. A couple of issues were correctly highlighted on the changed lines of code; these will be corrected. The extra unrelated issues are too many to address in a single PR when they have nothing to do with the required changes in the PR.

Even though these issues are valid, no code change occurred near these extra issues. Why have these issues been highlighted with this PR?

Some of these issues are file global issues, like file having too many lines, these are understood and will be dealt with, but others are just specific code issues that don’t need to be addressed at this time.

This is the changed code in a csharp file, this issue will be resolved:

Examples of the extra issues highlighted are below. Why are these turning up? There are more than 190:

Hi,

The issues you’ve shown are actually classic examples of new issues legitimately raised in old code. Presumably the only uses of InvalidLegalFee were deleted in the PR.

That said, I’m a bit surprised that you’re seeing these in a PR, which typically only reports issues on changed code. Are you sure this is a PR analysis and not a short-lived branch?

 
Ann

I was not responsible for this change as I am implementing the enforcement of SonarCloud across the project within the company and not the development.

Yes, these are from a PR; there were over 190 comments put on the PR from SonarCloud that related to non-changed lines of code. I only gave examples of 2 types of PR comments, but there were many more. The developer responsible has for now resolved these comments in the PR with a “Won’t fix” resolution so work can be completed without delay, which will do for now, but I need to understand why these comments have turned up and how to quieten them down, as this will interfere with the progress of work on projects.

Hi,

That’s important to know.

Typically when you see issues on old code reported in a pull request, it’s because there was a problem reading the SCM data, which is how analysis determines what’s new. Either that, or the branch being targeted by the PR wasn’t available in the local repository.

If you check the bottom of your analysis log, do you see a message about SCM detection being disabled? Or do you see “shallow clone detected”? If so, that (shallow cloning) should be disabled, typically by setting fetch-depth: 0.

 
Ann

Hi Ann,

I’ve looked at the analysis report (I believe this is the output produced by the yaml task SonarCloudAnalyse@1) and cannot find the text “SCM” or “shallow”. Am I looking in the right place?

Bob.

I have looked at the pipeline and it has set the shallow clone to false. I also tested changing shallow clone to true and I received a warning, so the build was on a non-shallow git clone.
These are the references to “SCM” in the log:

Hi,

Are all the prerequisites in place?

 
Ann

Hi Ann, yes all the prerequisites are in place. Bob.

Hi,

Can you please provide the full analysis log?

The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.

This guide will help you find them.

 
Thx,
Ann

Hi Ann,

From the link you provided above I can’t identify the log location other than what is produced by the Azure DevOps pipeline that utilises the SonarCloudAnalyze@1 task.

This is the log produced, is this what you want?
SonarCloudLogs.txt (46.6 KB)

As the PR has been completed I am unable to reproduce the issue unless I do some work to replicate the problem on test Azure DevOps project.

Bob.

Hi Bob,

That’s the file I was looking for. It’s definitely for a PR analysis:

INFO: Pull request xxxxx for merge into master from xxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyy

Does this analysis log correspond to the screenshots in your first post?

Can I have a screenshot that includes the page header, redacted as necessary, e.g.

Specifically, you simply shouldn’t see issues reported on lines that don’t have a blue highlight in PR analysis, so I’d like to double-confirm that that’s what we’re dealing with.

 
Thx,
Ann

Yes this is the log for the original post.
This is the image of the first non-changed line issue.

I’ve gone through the issues and found only issue 138 to issue 142 were in the areas of lines changed.

Hi,

Thanks for jumping through my hoops. I have no clue why you’re seeing these issues in code that analysis doesn’t mark as new in the PR. I’m going to flag this for more expert eyes.

 
Ann

Hi Ann, thank you for your help. Bob


Hello @BobW ,

Welcome to the community!

Could you share how you define the Azure pipeline YAML file? This looks like some configuration issue, though I need more information from you to investigate.

Hi Jacek,

We use a template yaml file called from many projects to perform the PR build validation.
gated-originations.yml.txt (3.1 KB) (renamed with .txt to allow upload)

  - task: SonarCloudPrepare@1
    inputs:
      SonarCloud: "SonarCloud_DPRGroupLtd"
      organization: "dprgroupltd"
      scannerMode: "MSBuild"
      projectKey: "$(SonarProjectKey)"
      projectName: $(System.TeamProject) - ${{ parameters.SolutionName }} 
      extraProperties: |
        # Additional properties that will be passed to the scanner
        sonar.scm.provider=git
        sonar.cs.vstest.reportsPaths=$(Agent.TempDirectory)\TestResults\*.trx
        sonar.projectBaseDir=$(Build.Repository.LocalPath)

Thanks for sharing.

Indeed, it doesn’t look suspicious. Does the number of issues you are seeing in SonarCloud UI correspond to the Azure widget of the PR?

It appears that there are only the valid issues on the new lines of code in the Extensions tab and not the other 195 issues commented on in the PR.


However, in SonarCloud it does identify that these extra issues highlighted were from changes a few years ago, except, I think, the 2 genuine issues.

Hey @BobW ,

Sorry for the late reply.

I’ve investigated your issue a bit and it raised two questions:

  1. Is it correct that the target branch of this PR is master?
  2. I’ve noticed in your scanner logs that your project is not bound to Azure DevOps, is there any reason to do so? Could you try to fix this and analyze the PR again?
INFO: Check ALM binding of project 'xxxxxxxxxxx_xxxxxxx_xxxxxxxxxxxxxxxxxxxx_xxxxxxxxxxxx'
INFO: Detected project binding: NOT_BOUND
INFO: Check ALM binding of project 'xxxxxxxxxxx_xxxxxxx_xxxxxxxxxxxxxxxxxxxx_xxxxxxxxxxxx' (done) | time=130ms

Best,
Jacek
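
The checks the thread walks through against the scanner log (PR line, project binding, shallow clone, SCM detection) can be run in one pass. The following is an added example, not code from any poster or from SonarSource; the sample log is constructed in the shape of the lines quoted above, and the loose match for an "SCM ... disabled" line is an assumption because the exact wording of that message is not on the page.

```python
import re

# Constructed sample, shaped like the log lines quoted in this thread.
SAMPLE_LOG = """\
INFO: Check ALM binding of project 'example_project_key'
INFO: Detected project binding: NOT_BOUND
INFO: Check ALM binding of project 'example_project_key' (done) | time=130ms
INFO: Pull request 1234 for merge into master from feature/example
"""

PR_LINE = re.compile(r"Pull request (\S+) for merge into (\S+) from (\S+)")
BINDING_LINE = re.compile(r"Detected project binding: (\S+)")


def triage_scanner_log(text):
    """Collect the PR-scoping signals discussed in the thread from a scanner log."""
    result = {"pull_request": None, "binding": None,
              "shallow_clone": False, "scm_disabled": False, "warnings": []}
    for line in text.splitlines():
        pr = PR_LINE.search(line)
        if pr:
            result["pull_request"] = dict(zip(("id", "target", "source"), pr.groups()))
        binding = BINDING_LINE.search(line)
        if binding:
            result["binding"] = binding.group(1)
        lowered = line.lower()
        if "shallow clone detected" in lowered:
            result["shallow_clone"] = True
        # Assumption: the exact SCM-disabled wording is not quoted on the page,
        # so any line mentioning both "scm" and "disabled" is flagged for review.
        if "scm" in lowered and "disabled" in lowered:
            result["scm_disabled"] = True

    if result["pull_request"] is None:
        result["warnings"].append("no pull request line: may be a branch analysis")
    if result["binding"] == "NOT_BOUND":
        result["warnings"].append("project is not bound to Azure DevOps")
    if result["shallow_clone"]:
        result["warnings"].append("shallow clone detected: fetch full history")
    if result["scm_disabled"]:
        result["warnings"].append("SCM detection appears disabled")
    return result


if __name__ == "__main__":
    for warning in triage_scanner_log(SAMPLE_LOG)["warnings"]:
        print("WARNING:", warning)
```
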