Main branch analysis stopped running ~10 days ago

Template for a good new topic, formatted with Markdown:

  • ALM used (GitHub)
  • CI system used (GitHub Actions)
  • Scanner command used when applicable (private details masked)
  • Languages of the repository (JS/TS)

Hello,

I noticed that over the last 10 days, I’ve not had any analysis against my long-term/main branches run. I’m the only admin so I’d be aware if something changed. Analysis on PRs works just fine. I have double-checked the regex, and it includes staging (the name of our long-term branch). There have been several PRs that have been merged into staging over the last 10 days.

We are not using automatic analysis, but GitHub Actions. I’ve studied my GitHub actions workflow while investigating this issue, and I don’t see any problems (it also hasn’t changed from when this was working to not working).

I’ve also combed through this community heavily too looking for answers, but I’m stumped.

Might be related to this one.
Also PR level analysis is fine, results are ok in branches, but Overall Code for master got dropped to almost 10-15%.
Do you see anything in master “Overall code”, or it’s totally empty/not updated even when PRs are merged?

It just shows the results of the most recent analysis from 10 days ago whenever code gets merged–so it doesn’t update.

Digging some more looking at the background tasks, I noticed recently this plugin is missing: - JavaScript/TypeScript/CSS Code Quality and Security 10.10.0.24774 (javascript)

It used to look like this:

SonarCloud plugins:
  - License for SonarLint 8.0.0.52135 (license)
  - Python Code Quality and Security 4.14.0.14263 (python)
  - Java Code Quality and Security 7.29.0.34131 (java)
  - XML Code Quality and Security 2.10.0.4108 (xml)
  - JaCoCo 1.3.0.1538 (jacoco)
  - IaC Code Quality and Security 1.25.0.8192 (iac)
  - Text Code Quality and Security 2.7.1.1388 (text)
  - JavaScript/TypeScript/CSS Code Quality and Security 10.10.0.24774 (javascript)

Now I only see:

SonarCloud plugins:
  - License for SonarLint 8.0.0.52363 (license)
  - Python Code Quality and Security 4.14.0.14263 (python)
  - Java Code Quality and Security 7.29.0.34131 (java)
  - XML Code Quality and Security 2.10.0.4108 (xml)
  - JaCoCo 1.3.0.1538 (jacoco)
  - IaC Code Quality and Security 1.26.0.8471 (iac)
  - Text Code Quality and Security 2.8.0.1635 (text)

Hi,

The “missing” plugin is on purpose and not a cause for alarm. We recently optimized analysis to only download the plugins relevant for your project. You apparently have no JS/TS/CSS in your project, so that one’s not needed.

Regarding your OP,

Can you expand on this? Are you saying the pipeline isn’t triggered? That the pipeline is properly triggered but the analysis step isn’t executed? That analysis is executed but errors out? That analysis succeeds but you don’t see the results in SonarCloud?

 
Ann

Hi Ann, thanks for your reply.

> The “missing” plugin is on purpose and not a cause for alarm. We recently optimized analysis to only download the plugins relevant for your project. You apparently have no JS/TS/CSS in your project, so that one’s not needed.

This is concerning to hear considering 90% of my project is JS/TS/CSS…please see this screenshot from within SonarCloud itself that shows the breakdown of my project where it shows a majority of my project is JavaScript, TypeScript, and some CSS.

> Can you expand on this? Are you saying the pipeline isn’t triggered? That the pipeline is properly triggered but the analysis step isn’t executed? That analysis is executed but errors out? That analysis succeeds but you don’t see the results in SonarCloud?

Also from my screenshot it says “Last analysis Jan 26, 2024” despite several merges of our code. Analysis runs just fine when I open a PR, but no analysis is run once we merge the PR like it used to do prior to January 26th. I don’t see any errors, but it appears like it’s not being triggered to do analysis on my long-lived branch.

There seems to be a connection to when the JS/TS/CSS plugin was removed from my project and the analysis running on merge. Maybe it’s a coincidence, but the timelines match up.

Hi,

It seems that there are two different questions here:

  • analysis not running
  • analysis running without JS/TS/CSS analysis

Can you create a new thread for the second one, please?

Regarding the first, are you using automatic analysis, or is this (supposed to be) running from your CI?

 
Thx,
Ann

Sure, I will create a new thread.

No, we are not using automatic analysis, but we use GitHub Actions. We have not changed our GitHub Actions workflow recently, so I don’t believe it’s a problem with our CI as an explanation why analysis stopped running when we merged our code.

For clarity, I’m talking about how it does analysis on our whole code base whenever we merge. It used to do this, but no longer does as of 1/26 when it last did.

Hi,

Again, are you saying that:

  • the pipeline isn’t triggered?
  • the pipeline is properly triggered but the analysis step isn’t executed?
  • analysis is executed but errors out?
  • analysis succeeds but you don’t see the results in SonarCloud?

 
Ann

Are you referring to my GitHub actions pipeline or something on SonarCloud?

  • We have no explicit post-merge pipelines configured in GitHub actions.
  • Ditto, no post-merge pipeline to trigger
  • I do not see any errors in our GitHub actions pipeline, or in SonarCloud.
  • I do not think analysis succeeds because it’s not being run as far as I can tell.

When I merge a PR into my long-lived staging branch–which is also our “main” branch, I expect SonarCloud to run analysis on my whole project which it stopped doing between 1/26 and 1/29 through no changes on our end. My understanding of how SonarCloud works is it looks for updates to long-lived branches and runs an analysis on the long-lived branch whenever a change is detected. Is this assumption wrong?

I see this in the documentation:

Main branch analysis is what has stopped working. Pull request analysis still runs (via GitHub actions).

Hi,

If you’re using automatic analysis, then this is how it works. However, if you’re using CI-based analysis then SonarCloud doesn’t trigger anything; it’s all based on your CI noticing the updates to your branches and triggering the pipeline.

So let’s back up: can you check your pipeline to make sure it includes analysis?

 
Thx,
Ann

Yes, our CI pipeline does include analysis. Please keep in mind–we changed nothing related to SonarCloud nor our pipeline between 1/26 (when it was working) and 1/29 (and when it stopped working). It used to be that when code got merged to our staging branch (a.k.a. our main branch) it would trigger an analysis of our whole project.

Here is what our GitHub Actions look like:

name: Sonar Cloud

on:
  push:
    branches:
      - staging
  workflow_call:

jobs:
  sonarcloud:
    name: Sonar Cloud
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

Hi,

Can you check your logs for 1/29 to see what did / did not happen that day?

 
Thx,
Ann

Here are the logs from SonarCloud. The bottom one from 1/26 was the last time it did a full analysis and the top one from 1/29 is the first one where it didn’t do a full analysis. It appears something changed over the weekend (1/27 and 1/28).

When I click the 3 dots on the right, I see the following:

For the 1/26 scan:

SonarCloud plugins:
  - License for SonarLint 8.0.0.52135 (license)
  - Python Code Quality and Security 4.14.0.14263 (python)
  - Java Code Quality and Security 7.29.0.34131 (java)
  - XML Code Quality and Security 2.10.0.4108 (xml)
  - JaCoCo 1.3.0.1538 (jacoco)
  - IaC Code Quality and Security 1.25.0.8192 (iac)
  - Text Code Quality and Security 2.7.1.1388 (text)
  - JavaScript/TypeScript/CSS Code Quality and Security 10.10.0.24774 (javascript)
Project server settings:
  - sonar.abap.file.suffixes=.abap,.ab4,.flow,.asprog
  - sonar.apex.file.suffixes=.cls,.trigger
  - sonar.autoscan.enabled=false
  - sonar.azureresourcemanager.file.suffixes=.bicep
  - sonar.branch.longLivedBranches.regex=(prod|staging)
  - sonar.c.file.suffixes=.c,.h
  - sonar.cpp.file.suffixes=.cc,.cpp,.cxx,.c++,.hh,.hpp,.hxx,.h++,.ipp
  - sonar.cs.file.suffixes=.cs,.razor
  - sonar.css.file.suffixes=.css,.less,.scss,.sass
  - sonar.docker.file.patterns=Dockerfile,*.dockerfile
  - sonar.flex.file.suffixes=as
  - sonar.go.file.suffixes=.go
  - sonar.html.file.suffixes=.html,.xhtml,.cshtml,.vbhtml,.aspx,.ascx,.rhtml,.erb,.shtm,.shtml,.cmp,.twig
  - sonar.java.file.suffixes=.java,.jav
  - sonar.javascript.file.suffixes=.js,.jsx,.cjs,.mjs,.vue
  - sonar.json.file.suffixes=.json
  - sonar.jsp.file.suffixes=.jsp,.jspf,.jspx
  - sonar.kotlin.file.suffixes=.kt,.kts
  - sonar.objc.file.suffixes=.m
  - sonar.php.file.suffixes=php,php3,php4,php5,phtml,inc
  - sonar.pli.file.suffixes=.pli
  - sonar.plsql.file.suffixes=sql,tab,pkb
  - sonar.project.monorepo.enabled=false
  - sonar.python.file.suffixes=py
  - sonar.rpg.file.suffixes=.rpg,.rpgle,.sqlrpgle,.RPG,.RPGLE,.SQLRPGLE
  - sonar.ruby.file.suffixes=.rb
  - sonar.scala.file.suffixes=.scala
  - sonar.swift.file.suffixes=.swift
  - sonar.terraform.file.suffixes=.tf
  - sonar.tsql.file.suffixes=.tsql
  - sonar.typescript.file.suffixes=.ts,.tsx,.cts,.mts
  - sonar.typescript.tsconfigPaths=tsconfig.json
  - sonar.vb.file.suffixes=.bas,.frm,.ctl
  - sonar.vbnet.file.suffixes=.vb
  - sonar.xml.file.suffixes=.xml,.xsd,.xsl,.config
  - sonar.yaml.file.suffixes=.yaml,.yml
Project scanner properties:
  - sonar.exclusions=**/*.java, **/*.cs, src/graphql/**
  - sonar.host.url=https://sonarcloud.io
  - sonar.organization=REDACTED
  - sonar.projectBaseDir=/github/workspace
  - sonar.projectKey=REDACTED
  - sonar.scanner.app=ScannerCLI
  - sonar.scanner.appVersion=5.0.1.3006
  - sonar.sourceEncoding=UTF-8
  - sonar.working.directory=/github/workspace/.scannerwork

From the 1/29 scan:

SonarCloud plugins:
  - License for SonarLint 8.0.0.52293 (license)
  - Python Code Quality and Security 4.14.0.14263 (python)
  - Java Code Quality and Security 7.29.0.34131 (java)
  - XML Code Quality and Security 2.10.0.4108 (xml)
  - JaCoCo 1.3.0.1538 (jacoco)
  - IaC Code Quality and Security 1.25.0.8192 (iac)
  - Text Code Quality and Security 2.7.1.1388 (text)
Project server settings:
  - sonar.abap.file.suffixes=.abap,.ab4,.flow,.asprog
  - sonar.apex.file.suffixes=.cls,.trigger
  - sonar.autoscan.enabled=false
  - sonar.azureresourcemanager.file.suffixes=.bicep
  - sonar.branch.longLivedBranches.regex=(prod|staging)
  - sonar.c.file.suffixes=.c,.h
  - sonar.cpp.file.suffixes=.cc,.cpp,.cxx,.c++,.hh,.hpp,.hxx,.h++,.ipp
  - sonar.cs.file.suffixes=.cs,.razor
  - sonar.css.file.suffixes=.css,.less,.scss,.sass
  - sonar.docker.file.patterns=Dockerfile,*.dockerfile
  - sonar.flex.file.suffixes=as
  - sonar.go.file.suffixes=.go
  - sonar.html.file.suffixes=.html,.xhtml,.cshtml,.vbhtml,.aspx,.ascx,.rhtml,.erb,.shtm,.shtml,.cmp,.twig
  - sonar.java.file.suffixes=.java,.jav
  - sonar.javascript.file.suffixes=.js,.jsx,.cjs,.mjs,.vue
  - sonar.json.file.suffixes=.json
  - sonar.jsp.file.suffixes=.jsp,.jspf,.jspx
  - sonar.kotlin.file.suffixes=.kt,.kts
  - sonar.objc.file.suffixes=.m
  - sonar.php.file.suffixes=php,php3,php4,php5,phtml,inc
  - sonar.pli.file.suffixes=.pli
  - sonar.plsql.file.suffixes=sql,tab,pkb
  - sonar.project.monorepo.enabled=false
  - sonar.python.file.suffixes=py
  - sonar.rpg.file.suffixes=.rpg,.rpgle,.sqlrpgle,.RPG,.RPGLE,.SQLRPGLE
  - sonar.ruby.file.suffixes=.rb
  - sonar.scala.file.suffixes=.scala
  - sonar.swift.file.suffixes=.swift
  - sonar.terraform.file.suffixes=.tf
  - sonar.tsql.file.suffixes=.tsql
  - sonar.typescript.file.suffixes=.ts,.tsx,.cts,.mts
  - sonar.typescript.tsconfigPaths=tsconfig.json
  - sonar.vb.file.suffixes=.bas,.frm,.ctl
  - sonar.vbnet.file.suffixes=.vb
  - sonar.xml.file.suffixes=.xml,.xsd,.xsl,.config
  - sonar.yaml.file.suffixes=.yaml,.yml
Project scanner properties:
  - sonar.exclusions=**/*.java, **/*.cs, src/graphql/**
  - sonar.host.url=https://sonarcloud.io
  - sonar.organization=REDACTED
  - sonar.projectBaseDir=/github/workspace
  - sonar.projectKey=REDACTED
  - sonar.scanner.app=ScannerCLI
  - sonar.scanner.appVersion=5.0.1.3006
  - sonar.sourceEncoding=UTF-8
  - sonar.working.directory=/github/workspace/.scannerwork

Like in the other thread I started, the only difference I see between these logs is that the JavaScript/TypeScript/CSS Code Quality and Security 10.10.0.24774 (javascript) plugin is not included.

Here is proof we changed nothing with our CI configuration during this timeframe as well (from GitHub):

Another clue I have looking in SonarCloud is that it doesn’t seem to be detecting when code is merged. Looking at the icons in the below screenshot where the arrows are pointing–I don’t see any recent ones like where the bottom arrow is pointing which seems to align with triggering an analysis on the main branch.

[Screenshot 2024-02-07 at 13.03.37]

Hi,

I see two different questions here:

  • over the last 10 days, I’ve not had any analysis against my long-term/main branches run

  • this plugin is missing: - JavaScript/TypeScript/CSS Code Quality and Security

You’ve created a new thread for the second one. Thank you.

The first one is where this thread started, but - as you point out in your OP - you’re not using automatic analysis. So it’s not a question of SonarCloud “not detecting” when code is merged. SonarCloud doesn’t trigger your analyses. That happens (or not) on the GH Actions side. And I believe that means it needs to be diagnosed on the GH Actions side.

 
Ann

Looking at all the GitHub Actions for merges since this started failing I see them failing with:

INFO: 0 / 20019 UCFGs simulated, memory usage: 586 MB
INFO: 324 / 20019 UCFGs simulated, memory usage: 786 MB
INFO: 692 / 20019 UCFGs simulated, memory usage: 963 MB
INFO: 1050 / 20019 UCFGs simulated, memory usage: 1147 MB
INFO: 1371 / 20019 UCFGs simulated, memory usage: 1368 MB
INFO: 1693 / 20019 UCFGs simulated, memory usage: 629 MB
INFO: 1865 / 20019 UCFGs simulated, memory usage: 1255 MB
INFO: 2209 / 20019 UCFGs simulated, memory usage: 685 MB
INFO: 2524 / 20019 UCFGs simulated, memory usage: 788 MB
INFO: 2822 / 20019 UCFGs simulated, memory usage: 866 MB
INFO: 3084 / 20019 UCFGs simulated, memory usage: 1002 MB
INFO: 3308 / 20019 UCFGs simulated, memory usage: 1138 MB
INFO: 3514 / 20019 UCFGs simulated, memory usage: 1022 MB
INFO: 3715 / 20019 UCFGs simulated, memory usage: 1094 MB
INFO: 3940 / 20019 UCFGs simulated, memory usage: 1363 MB
INFO: 4151 / 20019 UCFGs simulated, memory usage: 1431 MB
INFO: 4323 / 20019 UCFGs simulated, memory usage: 1307 MB
INFO: 4549 / 20019 UCFGs simulated, memory usage: 1330 MB
INFO: 4752 / 20019 UCFGs simulated, memory usage: 1545 MB
INFO: 4951 / 20019 UCFGs simulated, memory usage: 1577 MB
INFO: 5196 / 20019 UCFGs simulated, memory usage: 1672 MB
Exception in thread "HttpClient-1-Worker-5" java.lang.OutOfMemoryError: Java heap space
ERROR: isAlive was interrupted
java.lang.InterruptedException: null
	at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:386)
	at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:2073)
	at java.net.http/jdk.internal.net.http.HttpClientImpl.send(HttpClientImpl.java:553)
	at java.net.http/jdk.internal.net.http.HttpClientFacade.send(HttpClientFacade.java:123)
	at org.sonar.plugins.javascript.bridge.BridgeServerImpl.isAlive(BridgeServerImpl.java:433)
	at org.sonar.plugins.javascript.bridge.BridgeServerImpl.heartbeat(BridgeServerImpl.java:145)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
	at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:833)

INFO: ------------------------------------------------------------------------
INFO: EXECUTION FAILURE
INFO: ------------------------------------------------------------------------
INFO: Total time: 22:01.491s
INFO: Final Memory: 1716M/1732M
INFO: ------------------------------------------------------------------------
ERROR: Error during SonarScanner execution
java.lang.OutOfMemoryError: Java heap space
ERROR: 
ERROR: Re-run SonarScanner using the -X switch to enable full debug logging.

Hi,

Thanks for the log; that’s useful. So the pipeline is triggered, and analysis is executed, but it errors out.

A deployment last week increased the memory requirement for some JS/TS analyses. The strange thing for me is that it’s the Java heap that’s running out of room. I’m not a GH Actions expert, and my searches are not turning up how to increase the Java heap in GH Actions, but that’s what I think the next step is.

 
Ann

While the increase to Java memory is concerning, I was able to resolve the issue by making 2 changes to my GH Actions:

  1. Upgraded from the free GitHub Actions runner which has 7GB of RAM for private repos, to their 4 core runner which has 16GB of RAM

  2. Added SONAR_SCANNER_OPTS to the env to allocate 8GB of RAM for the Java heap (this should be WAY more than I need, but I’m covering my bases here):

- name: SonarCloud Scan
  uses: SonarSource/sonarcloud-github-action@master
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
    SONAR_SCANNER_OPTS: "-Xmx8192m" # Increase memory allocated to Java heap space to prevent java.lang.OutOfMemoryError: Java heap space error

It will now cost my org money to run this analysis each time on merge since I’m using a premium GH runner, so if SonarCloud had recommendations on the appropriate amount of RAM needed, I may be able to fine-tune it to use less.

Advice from SonarCloud about how much RAM is sufficient would be appreciated.

Hi,

I’m glad you worked through this.

This is entirely project-dependent. I suggest stepping it down bit by bit.

 
HTH,
Ann
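
Added example, not from the thread or from SonarSource: when stepping `-Xmx` down as suggested above, a small parser over the scanner log shows how far UCFG simulation got, the peak reported memory, and whether the run ended in `OutOfMemoryError`. It assumes the log line shapes quoted in this thread and reads `Final Memory: A/B` as used/total heap at exit; the function names and the 0.9 margin are hypothetical.

```python
import re

# Constructed sample, shaped like the scanner output quoted in this thread.
SAMPLE_LOG = """\
INFO: 0 / 20019 UCFGs simulated, memory usage: 586 MB
INFO: 4951 / 20019 UCFGs simulated, memory usage: 1577 MB
INFO: 5196 / 20019 UCFGs simulated, memory usage: 1672 MB
Exception in thread "HttpClient-1-Worker-5" java.lang.OutOfMemoryError: Java heap space
INFO: EXECUTION FAILURE
INFO: Total time: 22:01.491s
INFO: Final Memory: 1716M/1732M
ERROR: Error during SonarScanner execution
java.lang.OutOfMemoryError: Java heap space
"""

UCFG_RE = re.compile(r"INFO: (\d+) / (\d+) UCFGs simulated, memory usage: (\d+) MB")
FINAL_RE = re.compile(r"INFO: Final Memory: (\d+)M/(\d+)M")


def summarize_scan(log_text):
    """Return heap and progress facts extracted from one scanner log."""
    summary = {"status": "unknown", "oom": False, "peak_mb": None,
               "ucfg_done": None, "ucfg_total": None,
               "final_used_mb": None, "final_total_mb": None}
    for line in log_text.splitlines():
        if "java.lang.OutOfMemoryError" in line:
            summary["oom"] = True
        elif "EXECUTION FAILURE" in line:
            summary["status"] = "failure"
        elif "EXECUTION SUCCESS" in line:
            summary["status"] = "success"
        m = UCFG_RE.search(line)
        if m:
            done, total, mb = map(int, m.groups())
            summary["ucfg_done"], summary["ucfg_total"] = done, total
            summary["peak_mb"] = max(summary["peak_mb"] or 0, mb)
        m = FINAL_RE.search(line)
        if m:
            summary["final_used_mb"], summary["final_total_mb"] = map(int, m.groups())
    return summary


def heap_exhausted(summary, margin=0.9):
    """True when the run hit OOM or ended with the heap nearly full.

    Assumption: the two Final Memory numbers are used/total heap in MB.
    """
    used, total = summary["final_used_mb"], summary["final_total_mb"]
    nearly_full = bool(total) and used / total >= margin
    return summary["oom"] or nearly_full


if __name__ == "__main__":
    result = summarize_scan(SAMPLE_LOG)
    print(result, heap_exhausted(result))
```

Run it over the saved log of each push-triggered job: a failed run that stops partway through the UCFG count with the heap full is the pattern from this thread, where pull request analysis kept passing while main branch analysis silently stopped updating.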