Issues automatically being closed (fixed)

  • Versions used: SonarQube Enterprise Edition Version 8.4.2 (build 36762)
  • Error observed: Lately we are seeing that, for many projects, issues are being marked as closed (fixed) automatically even though they are not fixed, and we can’t reopen them even as an admin

Hello @security_prince,

There are 3 reasons for an issue to be closed as fixed:

  • Either the issue was fixed in the code, and SonarQube scan notices it in a scan after the code was fixed
  • Or the code where the issue was has been removed from the project
  • Or there was so much change in the code that SonarQube may have lost track of the original issue, and when scanning the code and finding a similar issue, it cannot figure out that this is the same as an old one, because “too much” has changed in the code (file name change and/or line number changed and/or line content changed etc…). This should happen very rarely and only if your code has dramatically changed from one scan to another

I would guess that you are in the 3rd case.
In that case, the original issue is “Closed/Fixed” and a new equivalent one is opened. Could you check if, among the new issues, there is one that corresponds to the Closed one?
If so, this is it!

If not, please send me a screenshot of the Closed / Fixed issue (in the code view, so that I can see filename and line number)

Olivier

Hi @OlivierK, thank you for the quick response. Let me investigate this further based on your suggestions and get back to you on this.

Hi @OlivierK, I worked with the team to investigate this further and this is what we have observed:

We have OWASP Dependency-Check integrated with SonarQube, which basically means that Dependency-Check results are posted over to SonarQube. The issue here is that the issues reported by Dependency-Check are not yet fixed by the developers, but somehow SonarQube has still marked them as closed (fixed) and we are not able to reopen them.

Another reason could be an upgrade to Dependency-Check. I’m not sure if the instances that are being closed might be false positives. In another case we have had reports of “bundling” in ODC not always working. This is where we try to bundle a bunch of related dependencies into a single entry, because when you upgrade one of them you upgrade them all. Some common examples include Spring and Lucene. If this is the case you may see spring-context and spring-core being flagged, but on the next run spring-core is reported and spring-context is included in the related dependencies of spring-core. We are trying to figure out why this is happening and resolve the issue. We added some additional sorting in 6.0.2 that I believe may resolve the issue.

Hi @jeremylong, thank you for the information. I will investigate this further and get back to you.

Hi,

I think it’s worth being really clear here: SonarQube doesn’t arbitrarily close issues. As long as the analyzer continues to report them, they stay open (the caveat being OlivierK’s 3rd scenario). So the real question is why OWASP Dependency-Check stopped reporting the issues. The suggestion of an analyzer upgrade is really relevant here.

 
Ann

Hi everybody,

I have the same issue. My SonarQube version is 9.9.0, Developer Edition.

In particular, Cognitive Complexity issues are being set to Closed (Fixed) automatically. I checked my custom quality profile and this rule is included. And all the issues are still in the code.

These issues disappeared after the 24.02.2023 scan.

What should I check?

Thanks.

Hi @hakanaltindis,

Please create a new thread with all the details of your scenario.

 
Ann


Hi Hakan,

I had the same issue as yours. All bugs and code smells were closed automatically although I did not fix them.

Fortunately, the issue was resolved today. The reason was that the Node.js version on the agent was not supported, so the JavaScript rules were not executed for my project. Actually, there was already a warning toast about this on the SonarQube site. I just upgraded Node.js to the latest version and then triggered a SonarQube analysis, and finally I could see the bugs and code smells again.

I am not sure whether your development environment is exactly the same as mine, so I am just listing how I resolved the issue for your reference.

Stqwer

Hi @Stqwer

My development environment is .NET Framework 4.8 and I think my issue is like yours, because I got this issue after upgrading to Visual Studio 2022 17.5.0.

BTW, I opened a new thread for this and explained more. I can check this