GitLab CI pull request analysis tags code smell issues in files not changed in the pull request


We’ve got SonarQube Developer Edition version

We use the pull request analysis with the YAML file for GitLab CI, and most of the time there are code smells in the analysis that are not relevant to the pull request.

For example, in this pull request there was only 1 line of code changed

and the analysis concluded that there are 37 issues

I’ve checked them and they are from different files that were not touched within this pull request

I think the problem is with determining what is part of the pull request and what is not.
It’s not about the issues, but in the analysis itself, there are lines of code identified as part of the pull request even though they were not changed in it.

This is the code identified as part of this particular pull request

even though there was only 1 line of code changed…

You’re right, those problems usually come from a problem determining what was changed in the pull request compared to its target branch.
The detection of the changes happens in the scanner, using the clone that is available when the scanner is executed in GitLab CI.
Please check your logs with debug enabled. They should show if there were any issues determining the changes. You can also post the logs here and we’ll have a look.
Common causes are shallow clones or broken references to branches in the clone.


Right after loading the metrics repository and before running sensors, there is this warning that flares up.

WARNING: WARNING: An illegal reflective access operation has occurred
WARNING: WARNING: Illegal reflective access by net.sf.cglib.core.ReflectUtils$1 (file:/C:/Users/srv_glrunner/.sonar/cache/a89f1943fc75b65becd9fb4ecab8d913/sonar-tsql-plugin.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,
WARNING: WARNING: Please consider reporting this to the maintainers of net.sf.cglib.core.ReflectUtils$1
WARNING: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: WARNING: All illegal access operations will be denied in a future release

That’s the only issue I see, nothing else in the logs…

Could you please post the logs?
If debug is enabled, it should show the sha1 of the merge base between the branch and its target.
Please verify that the clone/checkout process ensures that the history of all git branches is up to date and available to the scanner.


Sorry for the late reply…

Posting full logs (they are 10 MB, so I had to zip them) (756.0 KB)

Debug is enabled; however, I’ve gone through the entire logs and also tried searching for keywords like “merge base” or “sha1”, but I did not find anything…

I had verified that shallow cloning is disabled, and in GitLab I tried switching between git clone and git fetch, but the result is still the same.

So I’ve got no clue.

I found this:

16:29:16.501 DEBUG: SCM Step is disabled by configuration
16:29:16.533 INFO: Pull request 4702 for merge into master from hotfix123
16:29:16.550 DEBUG: SCM information about changed files in the branch is not available

Looks like you’re defining sonar.scm.disabled=true somewhere.


Thanks a lot for the info.

In the admin section of SonarQube, we’ve had this setting set to true

So I set it to false, which is the default value.

What that means is that at some point in time, I must have disabled it on purpose…
Now the question is why, and did I break something else?

However it fixed this whole issue. I’ve tested it on several pull requests that had this problem.
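The log check that resolved this thread, written out as an added example (not code from SonarQube or from any poster here): it scans scanner debug output for the two messages quoted above and reports why pull request change detection could not work. The function name, the result layout and the wording of the findings are assumptions; the sample log is constructed from the lines posted in the thread.

```python
import re

# Line shape seen in the thread's debug log: "HH:MM:SS.mmm LEVEL: message"
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) ([A-Z]+): (.*)$")
PR_RE = re.compile(r"^Pull request (\S+) for merge into (\S+) from (\S+)$")

# The two messages quoted in the thread.
SCM_DISABLED = "SCM Step is disabled by configuration"
NO_CHANGED_FILES = "SCM information about changed files in the branch is not available"

# Constructed sample: the three lines posted above plus one JVM warning line.
SAMPLE_LOG = """\
WARNING: WARNING: An illegal reflective access operation has occurred
16:29:16.501 DEBUG: SCM Step is disabled by configuration
16:29:16.533 INFO: Pull request 4702 for merge into master from hotfix123
16:29:16.550 DEBUG: SCM information about changed files in the branch is not available
"""


def diagnose_scanner_log(text):
    """Report whether the scanner could tell which lines the pull request changed."""
    result = {"pull_request": None, "scm_disabled": None,
              "no_changed_files": None, "findings": []}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # JVM warnings, stack traces and wrapped lines carry no timestamp
        stamp, _level, msg = m.groups()
        pr = PR_RE.match(msg)
        if pr:
            result["pull_request"] = dict(zip(("key", "target", "source"), pr.groups()))
        elif msg == SCM_DISABLED:
            result["scm_disabled"] = stamp
        elif msg == NO_CHANGED_FILES:
            result["no_changed_files"] = stamp
    if result["scm_disabled"]:
        result["findings"].append(
            "sonar.scm.disabled is true (server setting or scanner property); "
            "without SCM data, unchanged lines can be reported as part of the pull request")
    elif result["no_changed_files"]:
        result["findings"].append(
            "SCM is enabled but changed files are unavailable; check for a shallow "
            "clone or a broken reference to the target branch in the CI checkout")
    return result


if __name__ == "__main__":
    for finding in diagnose_scanner_log(SAMPLE_LOG)["findings"]:
        print(finding)
```
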
