Incorrect analysis for new code with reference branch

  • which versions are you using: SonarQube Community Build v24.12.0.100206 with Community Branch Plugin 1.23.0
  • how is SonarQube deployed: Helm

A bit of background on our setup. We are introducing Sonar with quality gates to block changes but only for new code. We decided to use a reference branch (let’s call it reference-branch) and configured projects to use this branch to calculate new code. We have run an analysis against the reference-branch and our developers work with GitHub flow, i.e. they create a feature branch, open a PR and merge to master branch.

First analysis is run on PR, so devs get some information about quality of their code, then after PR is merged our CI pipeline calls analysis for master branch, so we can monitor if quality of the code in master branch increases after merge.

For some projects it was found that tab New Code in overview of master branch says:
New code: compared to reference-branch
but when I check details of this analysis, I can see that only changes from PR are included in the analysis, while I understand Sonar should report all changes against the reference-branch.

I am looking for some hints on what to check to understand this difference between projects and to finally fix it.

OK, so for anyone interested - it seems I found the root cause of our situation, so I’m leaving a note.

Some of our projects get built and analyzed in a different way than those which were working correctly.

One of the cases was a service, for which CI pipeline pulled only the master branch and other branches were not available. With this repository status sonar-scanner logged that it cannot find the reference branch (I missed this initially) and pushed the analysis to the server with whatever state this was. As a result New Code tab showed that it’s calculated against reference branch, but showed difference against last master branch analysis.

In the second case, code is built and analyzed inside a Docker container, but only source code was copied and the .git directory was omitted. This also caused sonar-scanner to behave strangely, although this time there was no sign of issues logged (i.e. sonar-scanner being unable to find the reference branch).

Now the fun part - SonarQube documentation claims that if there is no SCM data, then it will calculate the difference using the state of branches in SonarQube:

For the Reference branch option, the analyzed branch is compared to the current state
of the reference branch based on SCM data obtained during analysis.
If the SCM is not available, the two branches are compared based on their current state
in SonarQube.

Source: Defining new code

It seems that this comparison may or may not work, so I guess it is safer to make sure SCM data is available to sonar-scanner, otherwise results may be surprising.
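A pre-flight check for the two failure modes described in the post above (missing .git directory, reference branch not fetched), as an added example that is not part of the original post or of SonarQube's tooling. The function name, its return codes and the extra common-ancestor check are assumptions; `reference-branch` is the placeholder name used in the post.

```shell
#!/bin/sh
# Added example: run in CI before sonar-scanner so that missing SCM data
# fails the job instead of silently changing what "new code" means.
#
# Return codes (hypothetical, chosen for this example):
#   0  git metadata present and reference branch resolvable
#   1  directory is not a git work tree (e.g. .git not copied into the image)
#   2  reference branch not found locally or under origin/ (e.g. only master fetched)
#   3  HEAD and the reference branch share no reachable common ancestor
check_scm_for_reference_branch() {
    src_dir=$1
    ref_branch=$2

    # Case from the post: sources copied into a container without .git
    if ! git -C "$src_dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        echo "ERROR: no git metadata in $src_dir" >&2
        return 1
    fi

    # Case from the post: CI fetched only the analyzed branch
    ref=""
    for candidate in "refs/heads/$ref_branch" "refs/remotes/origin/$ref_branch"; do
        if git -C "$src_dir" show-ref --verify --quiet "$candidate"; then
            ref=$candidate
            break
        fi
    done
    if [ -z "$ref" ]; then
        echo "ERROR: reference branch '$ref_branch' is not available" >&2
        return 2
    fi

    # Assumption: a diff against the reference branch needs a common
    # ancestor; truncated or unrelated history would make it meaningless.
    if ! git -C "$src_dir" merge-base HEAD "$ref" >/dev/null 2>&1; then
        echo "ERROR: no common ancestor between HEAD and $ref" >&2
        return 3
    fi
    return 0
}

# Typical use in a pipeline step:
#   check_scm_for_reference_branch . reference-branch && sonar-scanner
```
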
