When I scan my code and check it in the SonarQube dashboard, I find some un-scanned code with the message ‘Not covered by tests’. This is preventing me from finding security vulnerabilities properly.
How can I make sure that all my code is scanned properly? My server code is written in TypeScript and my SonarQube is the Developer Edition.
Hi,
This is apples and oranges. If the code is showing up in SonarQube, it was analyzed.
What “Not covered by tests” is telling you is that the code coverage report you passed in to analysis doesn’t include any data reflecting that unit tests were run on those parts of the code.
HTH,
Ann
Hi, we are asking one more time to be sure.
So, does this mean that the code with the ‘Not covered by tests’ message was also scanned with the security rules applied properly without being skipped?
Hi,
Assuming you have those rules enabled, yes. There are several different… “layers” to a SonarQube analysis. The most fundamental one is rules. Rules will be run on all the code that is included in sonar.sources and not explicitly excluded from analysis (docs). The only question about rules is which rules will run. That’s controlled by your Quality Profile, and the security rules are part of the default profile.
Does that help?
Ann
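As an added illustration of the distinction Ann draws above (this is example configuration, not something from the original thread or from SonarSource), here is a `sonar-project.properties` for a TypeScript server project. It separates the two settings that are easy to conflate: `sonar.sources` / `sonar.exclusions` decide which files the rules (including security rules) run on, while `sonar.javascript.lcov.reportPaths` only feeds coverage data that produces or removes the ‘Not covered by tests’ marker. The directory layout, project key and report path are assumptions for the example.

```properties
# --- Example sonar-project.properties (assumed layout: src/ for server code,
# --- test/ for unit tests, coverage/lcov.info written by the test runner)
sonar.projectKey=example-ts-server      # placeholder project key
sonar.projectName=Example TS Server

# What the rules (including security rules from the Quality Profile) analyse.
# Everything under src/ is scanned unless it matches sonar.exclusions.
sonar.sources=src

# Files deliberately excluded from analysis. Anything matched here is NOT
# scanned by any rule, so keep this list tight: generated code and vendored
# bundles are typical, business logic is not.
sonar.exclusions=src/generated/**,src/**/*.min.js

# Test files: scanned with test-oriented rules, not the main-code rule set.
sonar.tests=test
sonar.test.inclusions=test/**/*.spec.ts

# Coverage input. This does NOT change which files are scanned; it only
# controls which lines are marked covered vs. 'Not covered by tests'.
# Missing or stale lcov data shows as 'Not covered', not as 'not scanned'.
sonar.javascript.lcov.reportPaths=coverage/lcov.info

# Optional: files to leave out of the coverage metric only (still analysed
# by rules). Use this for code that genuinely has no unit tests, such as
# bootstrap scripts, so the coverage gate reflects what you intend.
sonar.coverage.exclusions=src/server/bootstrap.ts
```

To check whether a given file was actually analysed, look for it under the project's Code view in SonarQube rather than at its coverage colouring: a file absent from Code was excluded (or outside `sonar.sources`), whereas a file present but marked ‘Not covered by tests’ was analysed by every enabled rule and is merely missing coverage data.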