False Positive/won't fix propagation policy across branches

mason · December 1, 2023, 1:08am

for Flase positive / won’t fix, what’s the policy about the propagation across different branches? Does this sync only happen with main branch?
Test1 :
1.mark a false positive/won’t fix in branch1.
2. checkout branch 2 from branch1 , so they have same code.
3. do analyze for branch2. FP /won’t fix is not synced to branch2

Test2:
1.mark a issue as false positive/won’t fix in branch1.
2. do analyze on main branch which have the same vulnerable code.
3. FP /won’t fix is synced to main branch

So is this by design? it would be greate if you can share more information on this policy

Thanks in advance!

ganncamp · December 4, 2023, 3:50pm

Hi

Yes, and only on branch creation. No synching happens after that.

HTH,
Ann

mason · December 4, 2023, 4:13pm

Hi Ann,

is there any document for the detail about this?
在 2023年12月5日 00:01，G Ann Campbell via Sonar Community notifications@sonarcommunity.discoursemail.com写道：

| G Ann Campbell ganncamp SonarSourcer
December 4 |

| - |

Hi

mason:

Does this sync only happen with main branch?

Yes, and only on branch creation. No synching happens after that.

HTH,
Ann

ganncamp · December 4, 2023, 4:15pm

Hi,

I linked to the documentation above.

Ann

Amihay_Schwarz · July 2, 2024, 7:04am

take a look here:

gist.github.com

https://gist.github.com/KingAMS/28bcb30d340fbae682a4f53620609d19

SonarQube-Propagate-Wont-Fix-Issues.md

# Problem Statement
This is a Git flow with 2 release branches, a feature branch and pull requests 
```
master
  |
  |------R-1
  |        |
  |        |--- Feature/1
  |        |    |
  |        |    |

This file has been truncated. show original

propagatingSonarWontFix.groovy

import groovy.json.JsonSlurper

/*
This script is used to propagate the sonar "wont fix" issues from the source branch to the target branch. (done by source PR to the target PR)
First, it fetches all the project keys from the sonarqube server.
Then, it fetches all the issues for the target branch.
If there are no issues in the target branch, it skips the rest of the process.
If there are issues in the target branch, it fetches all the pull requests for the source branch, because the sonar WONTFIX issues are resolved in the PR branch.
Then, it fetches all the issues for each pull request.
It creates a map of source issues.

This file has been truncated. show original

Its solving the propagation with code

Topic		Replies	Views
Dealing with False positives,wont fixes SonarQube Server / Community Build sonarqube , branches , issues	3	2141	December 10, 2020
Dynamically update the Resolution to all branches Product Manager for a Day sonarqube	15	1692	November 30, 2023
Justification Issues [“False Positive” or “Won’t fix”] aren’t synchronized between branches SonarQube Server / Community Build	2	845	November 17, 2021
Copy sonar issue wont fixes / false positives when master is merged in branch Product Manager for a Day sonarqube	6	547	July 2, 2024
False-Positive and Won't Fix retain that status after merge SonarQube Server / Community Build sonarqube	3	284	January 20, 2024

False Positive/won't fix propagation policy across branches

Related topics