Found 6 new bugs in code that was not changed

SonarQube Server / Community Build
, , ,
1

Hello!

We are using Sonarqube developer edition version 9.8.0.63668 to scan CXX project using Jenkins and SonarScanner

In our case sonarqube does 2 scans on each PR (PR scan and full branch scan) to prevent merging unexpected issues into master.

We have created PR where changed only 2 python scripts. During full branch scan, Sonarqube found 6 new bugs in C++ code. No C++ code was changed in this branch.

image-20230118-002304
image-20230118-0023041744×834 69.6 KB

Nightly jobs, where full master branch scan performed, finished successfully with no new issues in code.

success_master
success_master1309×847 37.3 KB

How it could happen? And how we can prevent running into this issue in the future?

If you need any additional information, I will gladly provide it.

3

Hi @KovalovVladislav,

Are these new issues found in the master branch and categorized as old issues?

For branch analysis, new issues aren’t necessarily about changed code. Every branch has a new code definition setting that you can set.
My first guess is that your master branch has a different new code setting than your feature branch. You can check that in the Project Settings.

Thanks,

4

Hi, @Abbas !
Thank you for quick reply.

As I see in New Code settings, there are default general setting for all branches. There is no settings difference between master branch and other branches of project.

settings1
settings11311×749 23.2 KB

settings2
settings21287×887 38.1 KB

UPD: I’ve searched across all issues in master by files and I have not found any issues related

5

@KovalovVladislav, If the issue is not found on master on overall code, then it is not about new code.

It probably means that the code on your branch is different than the code on master!

Are the two branch identical on the last analysis? if yes, did you compare the analysis log of both? are you analyzing the same scope for both?

Thanks,

6

Hi, @Abbas

Branch was created from master. Changes are only in python code. So C++ code is the same for both branches.
Analysis scope is the same for all branches in our project.

7

@KovalovVladislav, does this python file impact the build configuration in any way? For example, if you have a custom-build system written in python.

If not, the only way to move forward is to generate two CFamily reproducers for the source file with different results. One from the master and the other from the branch.

To generate the reproducer file:

  • Search in the analysis log for the full path of the source file for which you want to create a reproducer (for instance, a file that contains a false-positive). You will have to use exactly this name (same case, / or \…)
  • Add the reproducer option to the scanner configuration:
    sonar.cfamily.reproducer=“Full path to the .cpp”
  • Re-run the scanner to generate a file named sonar-cfamily.reproducer in the project folder.
  • Please share this file. If you think this file contains private information, let us know, and we’ll send you a private message that will allow you to send it privately.

Thanks,

8

Hi, @Abbas !
I’ve generated files for master branch and another branch related to this issue.

Could you please send me private message to share this files?
Thank you!

9

@KovalovVladislav,

I used the generated file to rerun the analysis on my side. And for both branches we detect:

S3519:Memory copy function accesses out-of-bound array element

on line 126.

So from the analysis point of view, we are detecting the same issues for both branches.

My last guess is that on the master branch, you resolved these issues as Won't fix or False positive on the master branch. Check the resolution view:

image

Also,

  • make sure you don’t have any other filter enabled on the master branch while searching for the issues.
  • When was the last time you ran the analysis on the master branch? Do you have a run on the last commit?

Thanks,

10

@Abbas through a lot of pain I successfully found this issue in master) It was marked as False-Positive. Why this issue resolution was not migrated to another branch when it was created? And how we can avoid this in the future?

We already have faced with cases when issue was found in development branch, marked as resolved and resolution was not migrated to master. But reversed case happened first time.

11

@KovalovVladislav, Great! I was running out of guesses :smiley:

I think it was marked ar false positive after the creation of that branch.

Also, for branches that are based on master, you should consider changing the new code definition to reference branch(master). This way you focus on the introduced issues. And the status of the branch issues will be propagated once the feature branch is merged.

More details about branch analysis: Branch analysis

Thanks,

1 Like
13

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.