Constantly reproducible when running it from bitbucket sonar pipe
We used to run the sonar scan from a Bitbucket pipeline using - pipe: sonarsource/sonarcloud-scan:1.2.0 and it was not detecting any code smells. Now we are moving to CircleCI, so we integrated gradle sonarqube plugin 3.3 in our Android projects, and when we run the sonar scan on the same commit using the ./gradlew sonarqube command it detects some CodeSmells/Vulnerabilities/SecurityHotspots.
If we run it again from the Bitbucket pipeline it goes away, but if we run it again from the CircleCI gradle command it comes back. This is happening to multiple projects and is constantly reproducible. We want to understand why it was not detecting them using the Bitbucket Pipelines sonar pipe and started showing them with gradle sonarqube.
I suppose I should have asked for both logs at once. I was hoping (assuming) something obvious would jump out at me from this first log. Can I also have the log that does produce issues?
Here is the log from the gradle sonarqube command running in CircleCI:
./gradlew sonarqube --info
.
.
.
.
<gradle log>
.
.
.
.
> Task :app:compileDebugUnitTestJavaWithJavac NO-SOURCE
file or directory '/home/circleci/project/app/src/testDebug/java', not found
Skipping task ':app:compileDebugUnitTestJavaWithJavac' as it has no source files and no previous output files.
:app:compileDebugUnitTestJavaWithJavac (Thread[Execution worker for ':' Thread 3,5,main]) completed. Took 0.001 secs.
:app:sonarqube (Thread[Execution worker for ':' Thread 3,5,main]) started.
> Task :app:sonarqube
No variant name specified to be used by SonarQube. Default to 'debug'
Caching disabled for task ':app:sonarqube' because:
Build cache is disabled
Task ':app:sonarqube' is not up-to-date because:
Task has not declared any outputs despite executing actions.
No variant name specified to be used by SonarQube. Default to 'debug'
User cache: /home/circleci/.sonar/cache
Default locale: "en_US", source code encoding: "UTF-8" (analysis is platform dependent)
Load global settings
Load global settings (done) | time=568ms
Server id: 1BD809FA-AWHW8ct9-T_TB3XqouNu
User cache: /home/circleci/.sonar/cache
Load/download plugins
Load plugins index
Load plugins index (done) | time=131ms
Load/download plugins (done) | time=29606ms
Loaded core extensions: developer-scanner
Found an active CI vendor: 'CircleCI'
Load project settings for component key: 'xyz_android'
Load project settings for component key: 'xyz_android' (done) | time=111ms
Process project properties
Execute project builders
Execute project builders (done) | time=1ms
Project key: xyz_android
Base dir: /home/circleci/project/app
Working dir: /home/circleci/project/app/build/sonar
Load project branches
Load project branches (done) | time=120ms
Check ALM binding of project 'xyz_android'
Detected project binding: BOUND
Check ALM binding of project 'xyz_android' (done) | time=101ms
Load project pull requests
Load project pull requests (done) | time=130ms
Load branch configuration
Auto-configuring branch master
Load branch configuration (done) | time=2ms
Load quality profiles
Load quality profiles (done) | time=142ms
Load active rules
Load active rules (done) | time=4029ms
Organization key: abc
Branch name: master, type: long-lived
Load project repositories
Load project repositories (done) | time=199ms
Indexing files...
Project configuration:
Excluded sources: **/build-wrapper-dump.json
Excluded sources for coverage: **/BuildConfig.*, **/Manifest*.*, **/*Test*.*, android/**/*.*
316 files indexed
> Task :app:sonarqube
0 files ignored because of inclusion/exclusion patterns
0 files ignored because of scm ignore settings
Quality profile for json: SonarQube Way
Quality profile for kotlin: Mobile
Quality profile for xml: Sonar way
------------- Run sensors on module xyz_android
Load metrics repository
Load metrics repository (done) | time=105ms
Sensor IaC CloudFormation Sensor [iac]
0 source files to be analyzed
0/0 source files have been analyzed
125 source files to be analyzed
125/125 source files have been analyzed
281 source files to be analyzed
281/281 source files have been analyzed
> Task :app:sonarqube
Sensor IaC CloudFormation Sensor [iac] (done) | time=11ms
Sensor C# Project Type Information [csharp]
Sensor C# Project Type Information [csharp] (done) | time=1ms
Sensor C# Analysis Log [csharp]
Sensor C# Analysis Log [csharp] (done) | time=16ms
Sensor C# Properties [csharp]
Sensor C# Properties [csharp] (done) | time=0ms
Sensor HTML [web]
Sensor HTML [web] (done) | time=4ms
Sensor XML Sensor [xml]
Sensor XML Sensor [xml] (done) | time=1128ms
Sensor Text Sensor [text]
Sensor Text Sensor [text] (done) | time=164ms
Sensor VB.NET Project Type Information [vbnet]
Sensor VB.NET Project Type Information [vbnet] (done) | time=1ms
Sensor VB.NET Analysis Log [vbnet]
Sensor VB.NET Analysis Log [vbnet] (done) | time=15ms
Sensor VB.NET Properties [vbnet]
Sensor VB.NET Properties [vbnet] (done) | time=0ms
Sensor JaCoCo XML Report Importer [jacoco]
Importing 1 report(s). Turn your logs in debug mode in order to see the exhaustive list.
Sensor JaCoCo XML Report Importer [jacoco] (done) | time=30ms
Sensor Kotlin Sensor [kotlin]
Access to the multi-values/property set property 'sonar.java.binaries' should be made using 'getStringArray' method. The SonarQube plugin using this property should be updated.
Access to the multi-values/property set property 'sonar.java.libraries' should be made using 'getStringArray' method. The SonarQube plugin using this property should be updated.
128 source files to be analyzed
128/128 source files have been analyzed
> Task :app:sonarqube
Sensor Kotlin Sensor [kotlin] (done) | time=18963ms
Sensor KotlinSurefireSensor [kotlin]
parsing [/home/circleci/project/app/build/test-results/**/*.*]
Reports path not found or is not a directory: /home/circleci/project/app/build/test-results/**/*.*
Sensor KotlinSurefireSensor [kotlin] (done) | time=2ms
Sensor CSS Rules [javascript]
No CSS, PHP, HTML or VueJS files are found in the project. CSS analysis is skipped.
Sensor CSS Rules [javascript] (done) | time=1ms
Sensor ThymeLeaf template sensor [securityjavafrontend]
Sensor ThymeLeaf template sensor [securityjavafrontend] (done) | time=2ms
Sensor Serverless configuration file sensor [security]
0 Serverless function entries were found in the project
0 Serverless function handlers were kept as entrypoints
Sensor Serverless configuration file sensor [security] (done) | time=3ms
Sensor AWS SAM template file sensor [security]
Sensor AWS SAM template file sensor [security] (done) | time=1ms
Sensor javabugs [dbd]
Reading IR files from: /home/circleci/project/app/build/sonar/ir/java
No IR files have been included for analysis.
Sensor javabugs [dbd] (done) | time=0ms
Sensor pythonbugs [dbd]
Reading IR files from: /home/circleci/project/app/build/sonar/ir/python
No IR files have been included for analysis.
Sensor pythonbugs [dbd] (done) | time=0ms
Sensor JavaSecuritySensor [security]
Reading type hierarchy from: /home/circleci/project/app/build/sonar/ucfg2/java
Read 0 type definitions
Reading UCFGs from: /home/circleci/project/app/build/sonar/ucfg2/java
No UCFGs have been included for analysis.
Sensor JavaSecuritySensor [security] (done) | time=3ms
Sensor CSharpSecuritySensor [security]
Reading type hierarchy from: /home/circleci/project/app/build/ucfg_cs2
Read 0 type definitions
Reading UCFGs from: /home/circleci/project/app/build/ucfg_cs2
No UCFGs have been included for analysis.
Sensor CSharpSecuritySensor [security] (done) | time=0ms
Sensor PhpSecuritySensor [security]
Reading type hierarchy from: /home/circleci/project/app/build/sonar/ucfg2/php
Read 0 type definitions
Reading UCFGs from: /home/circleci/project/app/build/sonar/ucfg2/php
No UCFGs have been included for analysis.
Sensor PhpSecuritySensor [security] (done) | time=0ms
Sensor PythonSecuritySensor [security]
Reading type hierarchy from: /home/circleci/project/app/build/sonar/ucfg2/python
Read 0 type definitions
Reading UCFGs from: /home/circleci/project/app/build/sonar/ucfg2/python
No UCFGs have been included for analysis.
Sensor PythonSecuritySensor [security] (done) | time=0ms
Sensor JsSecuritySensor [security]
Reading type hierarchy from: /home/circleci/project/app/build/sonar/ucfg2/js
Read 0 type definitions
Reading UCFGs from: /home/circleci/project/app/build/sonar/ucfg2/js
No UCFGs have been included for analysis.
Sensor JsSecuritySensor [security] (done) | time=0ms
------------- Run sensors on project
Sensor Analysis Warnings import [csharp]
Sensor Analysis Warnings import [csharp] (done) | time=0ms
Sensor Zero Coverage Sensor
Sensor Zero Coverage Sensor (done) | time=4ms
SCM Publisher SCM provider for this project is: git
SCM Publisher 281 source files to be analyzed
Blaming files using native implementation
SCM Publisher 281/281 source files have been analyzed (done) | time=586ms
CPD Executor CPD calculation finished (done) | time=40ms
> Task :app:sonarqube
CPD Executor 41 files had no CPD blocks
CPD Executor Calculating CPD for 87 files
Analysis report generated in 116ms, dir size=2 MB
Analysis report compressed in 334ms, zip size=983 KB
Analysis report generated in /home/circleci/project/app/build/sonar/scanner-report
Analysis report uploaded in 848ms
------------- Check Quality Gate status
Waiting for the analysis report to be processed (max 300s)
> Task :app:sonarqube FAILED
:app:sonarqube (Thread[Execution worker for ':' Thread 3,5,main]) completed. Took 1 mins 14.581 secs.
AAPT2 aapt2-4.2.2-7147631-linux Daemon #0: shutdown
AAPT2 aapt2-4.2.2-7147631-linux Daemon #1: shutdown
FAILURE: Build failed with an exception.
* What went wrong:
Execution failed for task ':app:sonarqube'.
> QUALITY GATE STATUS: FAILED - View details on https://sonarcloud.io/dashboard?id=xyz_android&branch=master
* Try:
Run with --stacktrace option to get the stack trace. Run with --debug option to get more log output. Run with --scan to get full insights.
* Get more help at https://help.gradle.org
Deprecated Gradle features were used in this build, making it incompatible with Gradle 8.0.
Use '--warning-mode all' to show the individual deprecation warnings.
See https://docs.gradle.org/7.0.2/userguide/command_line_interface.html#sec:command_line_warnings
BUILD FAILED in 1m 45s
39 actionable tasks: 39 executed
Not watching anything anymore
Watching 0 directories to track changes
Some of the file system contents retained in the virtual file system are on file systems that Gradle doesn't support watching. The relevant state was discarded to ensure changes to these locations are properly detected. You can override this by explicitly enabling file system watching.
Watching 0 directories to track changes
Exited with code exit status 1
CircleCI received exit code 1
Yes, I think there wasn’t in BB since it is using only the sonar pipe. Though I have seen it is detecting one code smell which shows last year. But it is not detecting any new ones, while the gradle sonar scan in CircleCI detects 3 Code Smells, 1 vulnerability and a few security hotspots.
Kotlin analysis requires the compiled class files. If you weren’t compiling on BB and you weren’t getting issues on BB, then that’s more than likely the reason.
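
A pre-scan guard for the situation described in the answer above, as an added example that is not part of the original thread: it fails a CI step when Kotlin sources exist but none of the directories handed to the scanner as `sonar.java.binaries` contain a `.class` file, so a scan cannot quietly report fewer findings than a compiled run would. The function names `count_files` and `check_kotlin_binaries` and the directory layout are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: pre-scan guard for a CI step. Not taken from the thread.
# Usage: check_kotlin_binaries SRC_DIR BIN_DIRS
#   SRC_DIR  - directory holding the Kotlin sources
#   BIN_DIRS - comma-separated directories, in the same form as the value
#              passed to the scanner as sonar.java.binaries
# Returns 0 when compiled classes are present (or there is no Kotlin to
# analyze), 1 when Kotlin sources exist but no .class file does.

count_files() {
    # $1 = directory, $2 = file name pattern; prints 0 for a missing directory
    if [ -d "$1" ]; then
        find "$1" -type f -name "$2" | wc -l | tr -d ' '
    else
        echo 0
    fi
}

check_kotlin_binaries() {
    src_dir=$1
    bin_dirs=$2
    kt_count=$(count_files "$src_dir" '*.kt')
    class_count=0

    # Split the comma-separated list the same way the property is written.
    old_ifs=$IFS
    IFS=,
    for dir in $bin_dirs; do
        n=$(count_files "$dir" '*.class')
        class_count=$((class_count + n))
    done
    IFS=$old_ifs

    echo "kotlin sources: $kt_count, compiled classes: $class_count"
    if [ "$kt_count" -gt 0 ] && [ "$class_count" -eq 0 ]; then
        echo "no compiled classes found: compile before running the scan" >&2
        return 1
    fi
    return 0
}
```

Call it after the compile step and before the scan, passing the same directories the scanner receives in `sonar.java.binaries`.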