Hi, we are using Github with Advanced Security (if that matters). I have a number of repos that are reporting “SonarCloud is reporting errors. Check the SonarCloud status page for help.”:
You mentioned that not all your projects have this problem - is there any difference in configuration? Could you make sure that Code security and analysis is enabled in the failing repos?
Did all problematic projects start having this problem at the same time? E.g. does the date of the last analysis reported by GitHub suggest a similar time?
Can you see any alerts reported after December 5th in the Code scanning Security tab? Also, if you introduce a vulnerability, is it reported?
You mentioned that not all your projects have this problem - is there any difference in configuration? Could you make sure that Code security and analysis is enabled in the failing repos?
Code security and analysis is enabled. No obvious difference in config. I’ve only found one project that does not have this error in the repo.
Did all problematic projects start having this problem at the same time? E.g. does the date of the last analysis reported by GitHub suggest a similar time?
Does not appear so. One repo I am looking at now, shows this:
In one of the screenshots we can see Errors detected in 1 configuration - it looks like something is misconfigured there. There is an option to View configuration there - could you check what problem GitHub reports?
Thanks for the answer.
Could it be that you don’t have any vulnerabilities (‘security issues’ is the new name for vulnerabilities now) at this moment in the ‘not working’ repositories? What happens if you introduce one?
I wanted to chime in that I’m seeing the same problem as Bud B is. All the posts Bud B has made could have been about my repo. I’m using the same settings (Code security and analysis enabled on GitHub and automatic analysis set up in SonarCloud). Pull requests show successful analysis in GitHub and SonarCloud. Main branch reports scanning successful.
In the Security tab in GitHub it reports “Code scanning configuration error
SonarCloud is reporting errors. Check the SonarCloud status page for help.” The “unnamed SonarCloud config” shows our last scan was Dec 1, 2023.
We have some older low/medium maintainability issues on the project. But no security or reliability issues. Not sure I want to introduce a security issue into the code to test what happens.
As a side note, I have a new project I added with security issues and nothing is getting pushed to the GH security tab. Integration does not seem to be recreated.
Hello,
I’ve got the exact same problem as Monica and Bud B. Our last scan is on Dec 8, 2023, so not the exact same date but approximately the same… So I guess something has changed in early December?
What I suspect for now is that GitHub started reporting SC integration as potentially not working in case there have been no security issues for some time. In case there are some security issues, they are reported correctly, and the integration is highlighted as working on the GitHub side.
@mattboll could you confirm that you also do not have any security issues reported now?
I created an internal ticket, and we’ll take a deeper look into it.
Hi Anita,
In sonarcloud.io I’ve got **15** Security Hotspots to review.
Also, in sonarcloud.io I can see that the main branch is “not computed”, so it may be something on sonar. Same problem for the develop branch: Quality Gate Status: not computed.
We have a Github project that is running SonarCloud. We’ve used the integration for almost two years and it’s been working well. Except now we’re seeing a security warning in Github from SonarCloud: “Code Scanning results may be out of date.” And it references a commit in a random topic branch and pull request from over five months ago.
That PR and commit were successfully scanned, merged, and the branch deleted. That PR, being old and merged, no longer appears in our SonarCloud pull history. Subsequent PRs have been scanned by SonarCloud and we’ve had no problems with functionality. But we still have the persistent security warning that won’t go away.
Has anyone else had this experience? Any suggestions?