Limit SonarQube scan only for code changes for the release

Dear Team,
I am working on a Proof of Concept for SonarQube code quality automation with Community Edition. I have suggested going for a scan after code freeze for every release, but the customer requested limiting the scan to only the changes for the release, due to the huge code base. I have gone through the documentation and observed that there are options to narrow the focus. Is this approach (scanning only the changes for the release) practical when considering the quality of my code? Is there any way we can dynamically pass the code changes (specific paths) from Bitbucket to SonarQube? Currently I have only Community Edition for the POC and am requesting your help at the earliest. Also, please suggest if there is any other option available in Community Edition to overcome this issue.

Hi,

It sounds like what your customer needs is a focus on the New Code period, which is actually what we recommend as a best practice. With this approach, you’ll analyze everything on a regular basis - not just after code freeze - and your Quality Gate will be focused on ‘on New Code’ metrics. I’ve written a blog post about this. Let me know if you need more detail.

HTH,
Ann

1 Like

Thank You Ann for the response.
The request from the customer also focuses on reducing the time taken for the analysis. For a huge code base, they need to scan only the changes for the release; is that a practical approach in Community Edition? Also, I want to understand: if we are doing a scan only for a specific path (using the .properties file), does it cover all the issues associated with it?

Hi,

To be honest, it’s not a practical approach in any edition. Even in commercial editions, PR analysis still analyzes everything (it’s just how analysis works) and only reports the PR issues.

Out of curiosity, how big are we talking here? And if the code base is so big that analyzing the whole thing even just before a release (much less after every commit to the main branch, which is really best practice) is a problem, maybe it's time to modularize it into a main project and some libraries…?

Ann

1 Like

Thank You for the quick response Ann.
The size is around 2.2GB and it is taking around 45 min to complete a scan. If we plan based on commits to the main branch, it will also scan the entire repo and take the same duration to complete the scan, right?

Hi,

Yes. In general, I’m not an advocate of changing the project to make the tools happy. At the same time, I suspect that dealing with a 2.2GB code base is Not Fun for the developers and everyone’s lives would be easier/faster/smoother if you looked into pulling some libraries out of this. After all, in 2.2GB there are surely some areas that don’t see regular development and/or are owned by different teams…

Ann

1 Like

Yes Ann, you are right. I did some analysis on this part and planned to define my sonar property file accordingly. So my concern is: if we define a specific path in sonar.sources, does it scan all the associated dependencies and give an accurate result? Also, is there any way to define sonar.properties dynamically?

Hi,

I’m not entirely clear what you’re asking here. So hopefully this is relevant: Java analysis does reference the libraries you point to in your analysis (sonar.java.libraries) to give you better results. I’m not sure to what extent that impacts analysis time though. Similarly, C, C++ and Objective-C analyses read the header files referenced in your code. I’m pretty sure C# references your libs as well, but I don’t have details on that. (I’m just realizing you never specified the language).

I guess you're aware that you could script the creation of the file, right? Alternately, you can pass your configuration values on the command line, like so:

sonar-scanner -Dsonar.host.url=http://my.sonarqube:9000

HTH,
Ann
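The scripted approach Ann mentions (generating the properties file, or passing the same values as -D flags), as an added example that is not code from this thread or from SonarSource. It derives sonar.sources from the directories touched since the release base ref, writes a sonar-project.properties, and prints the equivalent sonar-scanner command. The project key "my-app", the host URL, the target/ paths and the file list are hypothetical; in a pipeline the list would come from git diff against the release base (or the Bitbucket PR's source and target branches). The caveat from the thread still applies: only what sonar.sources lists is analyzed, so issues in files outside those directories are not reported, and sonar.java.libraries / sonar.java.binaries must still point at the full dependency set for cross-file analysis to be accurate.

```shell
#!/bin/sh
# Added example (not from the SonarSource thread): build sonar-project.properties
# for the paths changed in a release, then hand it to sonar-scanner.
# Hypothetical values: project key "my-app", SonarQube at http://my.sonarqube:9000,
# and Maven-style target/ paths for binaries and libraries.
set -eu

# Turn a newline-separated list of changed files into a comma-separated,
# de-duplicated list of their parent directories (the form sonar.sources wants).
# Whole directories are kept, so sibling files of a changed file are analyzed too.
sonar_sources_from_files() {
    printf '%s\n' "$1" |
        grep -v '^[[:space:]]*$' |
        while IFS= read -r f; do dirname "$f"; done |
        sort -u |
        paste -s -d ',' -
}

# Write a sonar-project.properties file.
# $1 = output path, $2 = comma-separated sources, $3 = project key, $4 = host URL
write_sonar_properties() {
    cat > "$1" <<EOF
sonar.projectKey=$3
sonar.host.url=$4
sonar.sources=$2
# Compiled classes and third-party jars must still be listed in full so
# cross-file analysis has the symbols it needs (hypothetical paths):
sonar.java.binaries=target/classes
sonar.java.libraries=target/dependency/*.jar
EOF
}

# Changed files for the release. In a real pipeline this comes from the repo, e.g.
#   git diff --name-only --diff-filter=d "$RELEASE_BASE"...HEAD
# A constructed list (with a duplicate) is used here so the script runs offline.
CHANGED_FILES='src/main/java/com/example/auth/LoginController.java
src/main/java/com/example/auth/TokenService.java
src/main/java/com/example/billing/Invoice.java
src/main/java/com/example/auth/LoginController.java'

main() {
    sources=$(sonar_sources_from_files "$CHANGED_FILES")
    workdir=$(mktemp -d)
    props="$workdir/sonar-project.properties"
    write_sonar_properties "$props" "$sources" "my-app" "http://my.sonarqube:9000"
    echo "Generated $props with sonar.sources=$sources"
    # Equivalent command-line form: -D values override what is in the file.
    echo "sonar-scanner -Dproject.settings=$props -Dsonar.sources=$sources"
}

main "$@"
```

Running it prints the generated path and the sonar-scanner invocation; replace the echo with the real call once the scanner is on the PATH. The duplicate entry in the constructed list is collapsed by sort -u, so a file changed in several commits does not produce a repeated directory.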