How to analyse only newly added lines of code?

We recently integrated SonarQube into our existing build and release environment. Every time a commit triggers Sonar, it scans the whole project again instead of the latest commit.

How can we make Sonar scan only the latest commits from the second time onwards, as it is taking a lot of time for scanning?

If not, let us know any alternative for the same.

Hi @Jigar_Mehta1

SonarQube cannot analyze only changes at the moment. We have many "advanced" rules that can raise new issues on code that has not been touched. For example, if you change a method's behavior to return null in some cases while previously it was always non-null, all places calling this method should be checked again for possible NPEs.
In the past we made multiple attempts at implementing "incremental"/"partial" analysis, but the risk of missing important issues was too high. Caching of some intermediate analysis state was also tried, but, as is often the case with caching, it is not a silver bullet. Performance is sometimes worse than doing a clean analysis from scratch.

What I would recommend is to report your issue factually and let us investigate what the options are, before jumping to the conclusion that SonarQube should do diff analysis:

  • what do you call "taking a lot of time for scanning"? Please give numbers.
  • what is the size of your project? Number of files, number of ncloc?
  • do you have only SonarSource rules, or do you also have custom rules, or third-party plugins like PMD/Checkstyle/FindBugs?
  • what is the share of the SonarQube analysis compared to the rest of your build/release pipeline (unit tests, integration tests)?
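The null-return example in the reply above can be made concrete with a toy interprocedural check. This is an added illustration, not code from the thread or from SonarSource: the call graph, file names and function names are constructed, and the "analysis" is a deliberately minimal nullability rule. It shows that editing one function changes the verdict on a file that was never touched, and computes which files would have to be re-analysed for the result to stay correct.

```javascript
// Added example (not SonarQube code): why a one-function change can raise
// issues in untouched files, so analysing only the changed file is unsafe.

// Constructed call graph. Each function records which callees' results it
// dereferences without a null check, and whether it may itself return null.
const projectBefore = {
  "repo/user.js:findUser": { mayReturnNull: false, derefs: [] },
  "email/mailer.js:getEmail": { mayReturnNull: false, derefs: ["repo/user.js:findUser"] },
  "api/handler.js:sendWelcome": { mayReturnNull: false, derefs: ["email/mailer.js:getEmail"] },
};

// The only edit in the commit: findUser now returns null for an unknown id.
// email/mailer.js and api/handler.js are not touched.
const projectAfter = {
  ...projectBefore,
  "repo/user.js:findUser": { mayReturnNull: true, derefs: [] },
};

// Toy rule: one "possible null dereference" issue per unchecked use of a
// callee's result when that callee may return null.
function nullDerefIssues(project) {
  const issues = [];
  for (const [fn, info] of Object.entries(project)) {
    for (const callee of info.derefs) {
      if (project[callee] && project[callee].mayReturnNull) {
        issues.push({ in: fn, callee });
      }
    }
  }
  return issues;
}

// Every function whose verdict can change when `changed` changes:
// the changed function plus all of its transitive callers (BFS over the
// reversed call graph).
function impactedFunctions(project, changed) {
  const callersOf = (target) =>
    Object.entries(project)
      .filter(([, info]) => info.derefs.includes(target))
      .map(([fn]) => fn);
  const seen = new Set([changed]);
  const queue = [changed];
  while (queue.length > 0) {
    const current = queue.shift();
    for (const caller of callersOf(current)) {
      if (!seen.has(caller)) {
        seen.add(caller);
        queue.push(caller);
      }
    }
  }
  return [...seen].sort();
}

// Map "file:function" identifiers to the distinct files they live in.
function filesOf(functionIds) {
  return [...new Set(functionIds.map((id) => id.split(":")[0]))].sort();
}

// Demo: the changed file is repo/user.js, but the new issue lands in
// email/mailer.js, and three files must be re-analysed.
console.log("issues before:", nullDerefIssues(projectBefore));
console.log("issues after: ", nullDerefIssues(projectAfter));
console.log("files to re-analyse:",
  filesOf(impactedFunctions(projectAfter, "repo/user.js:findUser")));
```

A diff-only analysis would look at repo/user.js, find nothing wrong there, and miss the new dereference in email/mailer.js; the impacted set is exactly what a correct incremental scheme would have to track, and in a real code base it is often most of the project.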

Hi Julien,

Thanks for your reply. Sometimes it takes 5-6 minutes for the entire project to scan; it's Node.js code.

Secondly, I have been researching and got to know that SonarLint in the IDE can help with the incremental changes issue. Is that something you are aware of?

It is hard to tell whether this is an issue or expected, because it heavily depends on the size of your project. Is it TypeScript or JavaScript code? How many lines of code?

SonarLint will indeed help to shorten the feedback loop, since you will see issues reported in your IDE as you code. Analysis speed is less of a concern there, since files are analyzed only when you work on them. Our recommended workflow is to use SonarLint to catch as many issues as possible while coding, and then use SonarQube or SonarCloud to do a full analysis in the CI pipeline (analyzing pull requests before merge is even better).

Hi Julien,

Can you please help me with details on the new code period?

Hi Julien,

There is something known as the new code period; can you help me with a video or an example that is easy to understand?

https://docs.sonarqube.org/latest/project-administration/new-code-period/

https://docs.sonarqube.org/latest/user-guide/clean-as-you-code/

https://docs.sonarqube.org/8.1/project-administration/new-code-period/

Hello,

The first link that you provided should help you understand the concept and how to configure the period on your SonarQube instance. I don't think we have a video to explain the concept. What are you struggling with?
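The linked new-code-period and Clean-as-You-Code pages describe a filter, not a narrower scan: the whole file is still analysed and every issue is found, and the period decides which of those issues sit on new code (lines last changed inside the period, according to SCM blame data) and so count toward the quality gate. The following toy model, an added example and not SonarQube's own implementation, makes that distinction explicit for a "number of days" period; the blame data, issues, dates and rule keys are constructed for the illustration.

```javascript
// Added example (not SonarQube code): a toy "number of days" new code period.
// The analysis sees the entire file; the period only classifies its issues.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed blame data for an old file: line number -> last commit date.
// Only line 5 was touched recently; everything else dates from 2019.
const blame = {
  1: "2019-03-01", 2: "2019-03-01", 3: "2019-03-01", 4: "2019-03-01",
  5: "2020-06-15",
  6: "2019-03-01", 7: "2019-03-01",
};

// Constructed issues from a full-file analysis (rule keys are illustrative).
const issues = [
  { line: 2, rule: "javascript:S1481", type: "CODE_SMELL" }, // old line
  { line: 5, rule: "javascript:S1854", type: "CODE_SMELL" }, // the edited line
  { line: 7, rule: "javascript:S2259", type: "BUG" },        // old line
];

// A line is "new" when its last change is within `days` of the analysis date.
function isNewLine(blameData, line, analysisDate, days) {
  const cutoff = new Date(analysisDate).getTime() - days * DAY_MS;
  const changedAt = blameData[line];
  return changedAt !== undefined && new Date(changedAt).getTime() >= cutoff;
}

// Split all reported issues into those on new code and those pre-existing.
// Nothing is dropped: "overall code" is both lists together.
function splitByNewCodePeriod(allIssues, blameData, analysisDate, days) {
  const newCode = [];
  const preexisting = [];
  for (const issue of allIssues) {
    (isNewLine(blameData, issue.line, analysisDate, days) ? newCode : preexisting).push(issue);
  }
  return { newCode, preexisting };
}

// Clean-as-You-Code style gate: fail only on bugs introduced in new code.
// Old bugs are still reported, but they do not block the pipeline.
function newCodeQualityGate(split) {
  const newBugs = split.newCode.filter((issue) => issue.type === "BUG");
  return { passed: newBugs.length === 0, newBugs };
}

// Demo with a 30-day period: 3 issues found, 1 on new code, gate passes.
const split = splitByNewCodePeriod(issues, blame, "2020-06-20", 30);
console.log("total issues:", issues.length);
console.log("on new code: ", split.newCode.map((i) => i.line));
console.log("pre-existing:", split.preexisting.map((i) => i.line));
console.log("gate:", newCodeQualityGate(split));
```

Seeing issues reported for the entire file after a one-line edit is therefore the expected outcome of a full analysis; the new code period is what keeps the old ones from counting against the quality gate.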

I think I'm facing the same issue.
In my project I want to scan only new code and don't want to scan the past code, and recently I edited one line of my past code and scanned.
After the scan I got an unexpected number of code smells and bugs for the entire file.
I want to understand the behavior: does Sonar scan only the new piece of code (what I expected), or does it scan the entire file?


Hi Niteesh,
Did you find any resolution for it?
How to analyze only new code?


Can you help us?