Previously, we were using SonarQube 7.9 to analyze our project. We had fixed all the bugs and several code smells.
Recently, we upgraded SonarQube from version 7.9 LTS to 9.9 LTS. After upgrading, we analyzed the project again and began resolving bugs and code smells reported in the New Code.
However, we later observed that the number of bugs and code smells had increased in the Overall Code.
Could you please help us understand:
Why the number of bugs and code smells increased in the overall code after upgrading SonarQube?
How New Code and Overall Code are evaluated and what’s the best way to manage them effectively?
Hi Raj.
I can’t give you a full explanation, but the increase in findings would indicate better analysis performed by the new version. You are, after all, upgrading over several years in one go.
We did a similar update a few years back and we didn’t notice a major increase in findings, but on the other hand saw a dramatic drop in false positives.
I am working with C and C++ code, so your results may vary but seeing a change in findings after an upgrade would not surprise me.
As for new code and overall code: the latter is the total number of findings, whereas the former is the number of findings since the last version defined.
If I am resolving bugs in the new code, then how are the total number of bugs in the overall code increasing?
How does the overall code actually work then?
Did the count increase due to the upgrade or due to the fixes you are doing?
If it is due to the upgrade, I would expect that you saw a huge jump at the time of the upgrade.
If it is the latter, then I expect you are not using SonarQube in your editor (formerly SonarLint) and you see a gradual increase due to something you introduce to the code. Are you using SonarQube as a blocking part of your pipeline? In that case you should rarely see an increase, and if it happens it should only be a minor one.
Every part of the codebase which is compiled and not explicitly excluded by your configuration. It gives you an overview of the entire codebase. The alternative is the new code, which is all code added after a version defined by you in SonarQube.
“New code” is a way to draw a line and define, e.g., that you want no additional bugs or code smells after the given commit. It makes it a lot easier to monitor whether new findings are added to the code, since it will disregard old, fixed issues from the count.
On the other hand, if you only look at the overall code, there is a chance that a merge fixes 20 old findings but adds 15 new ones of a worse severity. In that case you would see a drop of five, but perhaps with worse overall code quality.
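To make the two scopes concrete, here is an added example that is not part of the original thread and not SonarSource code. It models how the Overall Code and New Code counts move apart in the two situations discussed above: an upgraded analyzer raising issues on legacy lines (they land in Overall but not New Code, because SonarQube backdates issues from newly activated rules to the line's SCM date), and a merge that closes many old findings while adding fewer but more severe new ones. The issue records are constructed and only mimic the shape of the `issues[]` entries returned by SonarQube's api/issues/search; the baseline date, the "issue is new when its creationDate is on or after the baseline" rule and the helper names are my simplifications of SonarQube's real new code definition, which can also be "previous version", "number of days" or "reference branch".

```python
"""Added example: why fixing New Code does not necessarily shrink Overall Code.

Assumptions (mine, not the thread's): the new code period is a single baseline
date, an issue is "new" when its creationDate is on or after that date, and the
issue dicts below are constructed in the shape of api/issues/search `issues[]`.
"""
from collections import Counter
from datetime import datetime

SEVERITY_RANK = {"INFO": 0, "MINOR": 1, "MAJOR": 2, "CRITICAL": 3, "BLOCKER": 4}
OPEN_STATUSES = {"OPEN", "CONFIRMED", "REOPENED"}


def parse_ts(ts):
    # SonarQube timestamps look like 2024-03-05T11:00:00+0000 (constructed here)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z")


def issue(key, typ, sev, created, status="OPEN"):
    """Build one constructed issue record in the api/issues/search shape."""
    return {"key": key, "type": typ, "severity": sev,
            "creationDate": created, "status": status}


def summarize(issues, baseline):
    """Count open issues per type for Overall Code and for New Code.

    Also report the worst severity in each scope, since a raw count hides
    a shift from MINOR smells to CRITICAL/BLOCKER bugs.
    """
    base = parse_ts(baseline)
    live = [i for i in issues if i["status"] in OPEN_STATUSES]
    new = [i for i in live if parse_ts(i["creationDate"]) >= base]

    def by_type(subset):
        return dict(Counter(i["type"] for i in subset))

    def worst(subset):
        return max((SEVERITY_RANK[i["severity"]] for i in subset), default=-1)

    return {"overall": by_type(live), "new_code": by_type(new),
            "overall_worst": worst(live), "new_worst": worst(new)}


# Hypothetical baseline: the date of the last release tag defined in SonarQube.
BASELINE = "2024-03-01T00:00:00+0000"

# Snapshot 1: right after the upgrade. B1/S1 were already known; the newer
# analyzer adds B2, B3 and S2 on legacy lines, backdated to those lines'
# commit dates, so they count in Overall but not in New Code. B4 is real new code.
AFTER_UPGRADE = [
    issue("B1", "BUG", "MAJOR", "2022-06-10T09:00:00+0000"),
    issue("S1", "CODE_SMELL", "MINOR", "2022-06-10T09:00:00+0000"),
    issue("B2", "BUG", "CRITICAL", "2021-11-02T14:30:00+0000"),
    issue("B3", "BUG", "MAJOR", "2023-01-20T08:15:00+0000"),
    issue("S2", "CODE_SMELL", "MAJOR", "2023-01-20T08:15:00+0000"),
    issue("B4", "BUG", "MINOR", "2024-03-05T11:00:00+0000"),
]

# Snapshot 2: the team fixed B4 in New Code, but a later change introduced a
# BLOCKER bug (B5). Overall stays at 4 bugs; New Code still shows 1, now worse.
AFTER_FIXES = [i for i in AFTER_UPGRADE if i["key"] != "B4"] + [
    issue("B4", "BUG", "MINOR", "2024-03-05T11:00:00+0000", status="CLOSED"),
    issue("B5", "BUG", "BLOCKER", "2024-03-12T16:45:00+0000"),
]


def scenario_merge(baseline):
    """The trap from the thread: a merge closes 20 legacy smells but adds 15
    CRITICAL bugs. Overall drops by 5; New Code shows the 15 new bugs."""
    before = [issue(f"OLD{n}", "CODE_SMELL", "MINOR", "2022-01-01T00:00:00+0000")
              for n in range(20)]
    after = [dict(i, status="CLOSED") for i in before] + [
        issue(f"NEW{n}", "BUG", "CRITICAL", "2024-03-10T00:00:00+0000")
        for n in range(15)]
    return summarize(before, baseline), summarize(after, baseline)


if __name__ == "__main__":
    print("after upgrade:", summarize(AFTER_UPGRADE, BASELINE))
    print("after fixes:  ", summarize(AFTER_FIXES, BASELINE))
    before, after = scenario_merge(BASELINE)
    print("merge before: ", before)
    print("merge after:  ", after)
```

The practical reading: gate the pipeline on the New Code metrics (new_bugs, new_code_smells, or the equivalent quality gate conditions), because that is the scope your fixes and your regressions actually move, and treat the Overall Code count as a long-term trend that an analyzer upgrade is allowed to shift in one step.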