I am trying to analyze a C++ project with the following set up:
- Enterprise Edition Version 8.9.3 (build 48735)
- sonar-scanner-cli-4.8.0.2856-linux
This is a generic question on how to best set up SonarQube. I have a typical project, where developers take forks of a main repo and make pull requests from their forks onto the main. I understand that SonarQube will compare the “new code” in their pull requests against the master branch on the main repo, and can pass or fail the PR based on newly introduced vulnerabilities or code coverage percentage. However, does a separate job need to be set up to constantly scan the main repo, in order for the PR analysis to be accurate?
To demonstrate what I mean: say I run a Sonar scan directly on the main repo branch and it shows I have 90% coverage. Now say I have branch analysis configured and merge a PR which should boost my overall coverage to 95%. However, SonarQube doesn’t seem to know that the PR is merged, and continues to show 90% overall coverage until another scan on the main repo branch is run. Does this mean that for an accurate SonarQube setup for a repo that accepts pull requests, the main repo branch needs to be scanned first, and THEN another scan run for the branch analysis itself? Essentially running twice for every PR?
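The two kinds of scan the question contrasts are driven by different sonar-scanner properties: a branch analysis (`sonar.branch.name`) is the one that refreshes the main branch's overall coverage and issue figures, while a pull request analysis (`sonar.pullrequest.key`, `sonar.pullrequest.branch`, `sonar.pullrequest.base`) is reported against the target branch's last analysis and does not update that branch's own numbers. The script below is an added example, not code from the post or from SonarSource; it builds the argument list for each CI event so the two jobs can share one helper. The project key, server URL, the build-wrapper output directory and the argument order are assumptions.

```shell
#!/bin/sh
# Added example: pick sonar-scanner arguments for the two CI jobs a fork/PR
# workflow needs. Project key, server URL and the build-wrapper directory are
# assumed placeholders, not values from the post.

SONAR_HOST_URL="${SONAR_HOST_URL:-https://sonar.example.internal}"   # assumed
SONAR_PROJECT_KEY="${SONAR_PROJECT_KEY:-my-cpp-project}"             # assumed
BUILD_WRAPPER_OUT="${BUILD_WRAPPER_OUT:-bw-output}"                  # assumed

# Print the scanner arguments for one CI event.
#   $1 event kind: "push" (commit landed on a long-lived branch such as main)
#                  or "pull_request"
#   $2 branch name (push) or PR head branch (pull_request)
#   $3 PR number (pull_request only)
#   $4 PR target branch (pull_request only; defaults to main)
sonar_scanner_args() {
  kind="$1"; branch="$2"; pr="$3"; base="${4:-main}"
  common="-Dsonar.projectKey=$SONAR_PROJECT_KEY"
  common="$common -Dsonar.host.url=$SONAR_HOST_URL"
  # C/C++ analysis on 8.9 reads the build-wrapper output directory.
  common="$common -Dsonar.cfamily.build-wrapper-output=$BUILD_WRAPPER_OUT"
  case "$kind" in
    push)
      # Branch analysis: this run is what updates the branch's overall
      # coverage and issue counts after a PR has been merged.
      [ -n "$branch" ] || { echo "push needs a branch name" >&2; return 1; }
      printf '%s -Dsonar.branch.name=%s\n' "$common" "$branch" ;;
    pull_request)
      # PR analysis: compared against the base branch's last analysis;
      # it does not change the base branch's own figures.
      [ -n "$pr" ] || { echo "pull_request needs a PR number" >&2; return 1; }
      printf '%s -Dsonar.pullrequest.key=%s -Dsonar.pullrequest.branch=%s -Dsonar.pullrequest.base=%s\n' \
        "$common" "$pr" "$branch" "$base" ;;
    *)
      echo "unknown event kind: $kind" >&2; return 1 ;;
  esac
}

# Usage: print the command each job would run (the scanner is not invoked here).
echo "main-branch job:  sonar-scanner $(sonar_scanner_args push main)"
echo "pull-request job: sonar-scanner $(sonar_scanner_args pull_request feature/x 42 main)"
```

In a CI system this would be two triggers: one on pushes to the long-lived branch (calling the `push` form) and one on pull request events (calling the `pull_request` form). Each trigger runs the scanner once, so a single PR costs one PR analysis before merge and one branch analysis of main after merge.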