- Versions used: SonarQube Enterprise Edition Version 8.4.2 (build 36762)
- Error observed: Lately we are seeing that for many projects the issues are being marked as closed(fixed) automatically even though the issues are not fixed and also we can’t reopen them even after being an admin
There are 3 reasons for an issue to be closed as fixed:
- Either the issue was fixed in the code, and SonarQube scan notices it in a scan after the code was fixed
- Or the code where the issue was has been removed from the project
- Or there was so much change on the code, that SonarQube may have lost track of the original issue, and when scanning the code and finding a similar issue, cannot figure out that this is the same as an old one, because “too much” has changed in the code (file name change and/or line number changed and/or line content changed etc…). This should happen very rarely and only if you code has dramatically changed from one scan to another
I would guess that you are in the 3rd case.
In that case, the original issue is “Closed/Fixed” and a new equivalent one is opened. Could you check if, in the new issues, there is one that corresponds to the Closed one ?
If so, this is it !
If not, please send me a screenshot of the Closed / Fixed issue (in the code view, so that I can see filename and line number)
Hi @OlivierK, thank you for the quick response. Let me invesitgate this further based on your suggestions and get back to you on this
Hi @OlivierK, i worked with the team to investigate this further and this is what we have observed:
We have OWASP Dependency-Check integrated with Sonarqube which basically means that dependency check results will be posted over to Sonarqube, the issue here is that the issues reported by dependency check are not yet fixed by the developers but still somehow sonarqube has marked them as closed(fixed) and we are not able to reopen them
Other reasons could be - an upgrade to dependency-check. I’m not sure if the instances that are being closed might be false positives. In another case we have had reports of “bundling” in ODC not always working. This is where we try to bundle a bunch of related dependencies into a single entry - because when you upgrade them you upgrade them all. Some common examples include Spring and Lucene. If this is the case you may see spring-context and spring-core being flagged - but on the next run spring-core is reported and spring-context is included in the related dependencies of spring-core. We are trying to figure out why this is happening and resolve the issue. We added some additional sorting in 6.0.2 that I believe may resolve the issue.
Hi @jeremylong, thank you for the information. I will investigate this further and get back to you
I think it’s worth being really clear here: SonarQube doesn’t arbitrarily close issues. As long as the analyzer continues to report them, they stay open (the caveat being OlivierK’s 3rd scenario). So the real question is why OWASP Dependency-Check stopped reporting the issues. The suggestion of an analyzer upgrade is really relevant here.