Manual analysis not reported correctly to sonarqube cloud

Hello,

I’m trying to switch from automatic analysis to manual analysis as we need code coverage of our Swift project in Sonar. I’m using GitHub Actions for this. I get no error messages and the workflow runs successfully. My problem is that the code coverage report is not uploaded to Sonar and Sonar always reports 0% code coverage.

It also seems that the scanner analyzes only the last commit, not the full pull request. When the last commit contains swift files to analyze it says:

Sensor Swift Code Quality and Security [swift]
14:48:58.932 INFO  Sensor Swift Code Quality and Security is restricted to changed files only
14:48:59.125 INFO  2 source files to be analyzed
14:49:00.626 INFO  2/2 source files have been analyzed

but when I commit something that doesn’t contain Swift files, nothing gets analyzed, although the PR contains changed Swift files:

Sensor Swift Code Quality and Security [swift] (done) | time=1695ms
08:50:53.877 INFO  Sensor IaC Docker Sensor [iac]
08:50:53.877 INFO  Sensor IaC Docker Sensor is restricted to changed files only
08:50:53.926 INFO  0 source files to be analyzed
08:50:53.927 INFO  0/0 source files have been analyzed

The workflow file is separated into multiple jobs:

  • build_and_test: builds, tests and creates reports of the project. Runs on macOS, uses fastlane and puts all reports in a reports/ folder:

    scan(
      code_coverage: true,
      derived_data_path: options[:derivedDataPath],
      output_directory: options[:reportsPath]
    )
    slather(
      cobertura_xml: true,
      github: true,
      scheme: "App",
      build_directory: options[:derivedDataPath],
      output_directory: options[:reportsPath],
      proj: "./App.xcodeproj"
    )
    lizard(
      source_folder: "./",
      language: "swift",
      export_type: "xml",
      report_file: "reports/lizard-report.xml"
    )
    swiftlint(
      output_file: "reports/swiftlint.json",
      ignore_exit_status: true
    )

The actual sonarqube job looks like the following:

  sonarqube:
    runs-on: ubuntu-latest
    needs:
      - build_and_test

    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Download Reports
        uses: actions/download-artifact@v4
        with:
          name: reports
          path: reports

      # See `sonar-project.properties` in project root folder for options
      - name: 👀 SonarQube Scan
        uses: SonarSource/sonarqube-scan-action@v5
        env:
          SONAR_TOKEN: ${{ secrets.ORG_SONARCLOUD_TOKEN }}

Finally the sonar-project.properties looks as follows:

sonar.projectKey=[PROJECT_KEY]
sonar.organization=[ORGANIZATION]
sonar.filesize.limit=30

# Reports
sonar.junit.reportsPath=reports/
sonar.junit.include=*.junit
sonar.swift.lizard.report=reports/lizard-report.xml
sonar.swift.coverage.reportPattern=reports/cobertura.xml
sonar.swift.swiftlint.report=reports/*swiftlint.json

# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
sonar.sources=.

What is wrong with the configuration, so that it doesn’t report the code coverage correctly?

  • Analyzing all Swift files of the PR, not only the last commit
  • Reporting code coverage correctly to Sonar?

Hi,

To be clear, we’re talking about a multi-commit PR?

That’s the log for the IaC portion of analysis, only. What kind of files were changed in the commit in question?

I suspect the culprit is this:

The paths in coverage reports need to match the paths analysis is seeing. Since the coverage reports were run on a different system, I suspect they don’t. We’ll probably get more from the logging if you add sonar.verbose=true to your properties, or -Dsonar.verbose=true to the analysis command line.

Ann

Thank you for your feedback.
Yes, most if not all of our PRs are multi-commit. As I’ve been trying to get this to work for a while now, the PR has around 50 commits.

In most of the commits I only change the GitHub workflow and Fastfile configuration. Among those 50 commits is one where I’ve actually written dummy Swift code with full code coverage to see if it gets reported correctly in Sonar.

The reason I run the sonarqube job on a different system is that SonarSource/sonarqube-scan-action@v5 is not supported under macOS. I’ve now changed the configuration to not use the action but instead use fastlane for it:

  sonarqube:
    runs-on: macos-15-xlarge
    needs:
      - build_and_test
      - linting

    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Download Reports
        uses: actions/download-artifact@v4
        with:
          name: reports
          path: reports

      - name: Download Swiftlint Report
        uses: actions/download-artifact@v4
        with:
          name: swiftlint.json
          path: reports

      - name: Install Gem Dependencies
        run: bundle install

      - name: Install Sonar Scanner
        run: brew install sonar-scanner

      # See `sonar-project.properties` in project root folder for options
      - name: SonarQube Scan
        run: bundle exec fastlane sonar_scan
        env:
          SONAR_TOKEN: ${{ secrets.ORG_SONARCLOUD_TOKEN }}

I’ve now enabled verbose logging, but as the output is very large and may contain sensitive data, I can’t share it in full here. Let me know which parts you are interested in.
The job went through, but the SonarQube Cloud bot reports “Please retry analysis of this Pull-Request directly on SonarQube Cloud”.

Regarding code coverage I get the following:

[08:38:14]: ▸ 08:38:14.404 INFO  Sensor IaC Docker Sensor [iac] (done) | time=26ms
[08:38:14]: ▸ 08:38:14.404 INFO  Sensor Generic Coverage Report
[08:38:14]: ▸ 08:38:14.405 INFO  Parsing /Users/runner/work/project/reports/sonarqube-generic-coverage.xml
[08:38:14]: ▸ 08:38:14.616 INFO  Imported coverage data for 1194 files
[08:38:14]: ▸ 08:38:14.617 INFO  Coverage data ignored for 1133 unknown files, including:

BTW: I get two interesting WARNs

WARN Failed to analyze file {File}.swift. This is likely an error in the Swift analyzer, please report it. To workaround the issue you can exclude the file from the analysis.

Should I report it to you or to Apple?

08:38:15.039 INFO  148 source files to be analyzed
[08:38:15]: ▸ 08:38:15.903 INFO  148/148 source files have been analyzed
[08:38:15]: ▸ 08:38:15.903 INFO  Sensor EnterpriseTextAndSecretsSensor [textenterprise] (done) | time=1286ms
[08:38:15]: ▸ 08:38:15.904 INFO  ------------- Run sensors on project
[08:38:15]: ▸ 08:38:15.958 DEBUG 'Import external issues report from SARIF file.' skipped because of missing configuration requirements.
[08:38:15]: ▸ Accessed configuration:
[08:38:15]: ▸ - sonar.sarifReportPaths: <empty>
[08:38:15]: ▸ 08:38:15.958 DEBUG 'Java CPD Block Indexer' skipped because there is no related file in current project
[08:38:15]: ▸ 08:38:15.958 DEBUG Sensors : Zero Coverage Sensor
[08:38:15]: ▸ 08:38:15.958 INFO  Sensor Zero Coverage Sensor
[08:38:15]: ▸ 08:38:15.971 INFO  Sensor Zero Coverage Sensor (done) | time=13ms
[08:38:15]: ▸ 08:38:15.974 INFO  SCM Publisher SCM provider for this project is: git
[08:38:15]: ▸ 08:38:15.974 INFO  SCM Publisher 150 source files to be analyzed
[08:38:15]: ▸ 08:38:15.976 WARN  Shallow clone detected, no blame information will be provided. You can convert to non-shallow with 'git fetch --unshallow'.
[08:38:15]: ▸ 08:38:15.977 INFO  SCM Publisher 0/150 source files have been analyzed (done) | time=2ms
[08:38:15]: ▸ 08:38:15.977 WARN  Missing blame information for the following files:
{148 files}

All files (except the generated reports/* files) do have blame information in git, though. I wonder how those 148 came to be, because the project has 1,563 Swift files alone.

08:38:15.028 DEBUG Files untracked by git:
[08:38:15]: ▸ reports/lizard-report.xml
[08:38:15]: ▸ reports/sonarqube-generic-coverage.xml
[08:38:15]: ▸ reports/swiftlint.json

Final logs:

[08:38:20]: ▸ 08:38:20.383 DEBUG Upload report
[08:38:20]: ▸ 08:38:20.387 DEBUG --> POST https://sonarcloud.io/api/ce/submit?organization=***&projectKey=***&characteristic=pullRequest%3D2900 (12327657-byte body)
[08:38:27]: ▸ 08:38:27.432 DEBUG <-- 200 https://sonarcloud.io/api/ce/submit?organization=***&projectKey=***&characteristic=pullRequest%3D2900 (7044ms, 44-byte body)
[08:38:27]: ▸ 08:38:27.438 INFO  Analysis report uploaded in 7055ms
[08:38:27]: ▸ 08:38:27.443 DEBUG Report metadata written to /Users/runner/work/project/.scannerwork/report-task.txt
[08:38:27]: ▸ 08:38:27.443 INFO  ANALYSIS SUCCESSFUL, you can find the results at: https://sonarcloud.io/dashboard?id=***&pullRequest=2900
[08:38:27]: ▸ 08:38:27.443 INFO  Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
[08:38:27]: ▸ 08:38:27.443 INFO  More about the report processing at https://sonarcloud.io/api/ce/task?id=***
[08:38:27]: ▸ 08:38:27.448 DEBUG Post-jobs :
[08:38:27]: ▸ 08:38:27.448 DEBUG Closing monitoring resources of Helm evaluator
[08:38:27]: ▸ 08:38:27.454 INFO  Analysis total time: 50.010 s
[08:38:27]: ▸ 08:38:27.456 INFO  SonarScanner Engine completed successfully
[08:38:27]: ▸ 08:38:27.463 DEBUG Cleanup org.eclipse.jgit.util.FS$FileStoreAttributes$$Lambda$293/0x00000008003dcb28@885e7ff during JVM shutdown
[08:38:29]: ▸ 08:38:29.646 INFO  EXECUTION SUCCESS
[08:38:29]: ▸ 08:38:29.648 INFO  Total time: 1:02.796s

Hi,

Okay, we generally try to keep it to one question per thread. Otherwise, it gets messy, fast - as it has done here.

I let it ride at first because it wasn’t clear to what degree the multiple topics in your thread were intertwined, but it’s time to start picking this apart into multiple threads if you have followups.

This is why not all your commits are being picked up. There’s a reason the docs and the wizards tell you to use fetch-depth: 0. :slight_smile:

This is your mis-matched paths problem. As I said, the paths in the coverage report need to match the paths analysis is seeing.

Ann
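A pre-flight check for the path-mismatch problem Ann describes, as an added example that is not part of this thread or of any SonarSource tool. The script parses a SonarQube generic coverage report (the `<coverage version="1"><file path=…>` format that the "Generic Coverage Report" sensor in the log above reads), strips the absolute prefix of the runner the report was generated on (assumed here to be /Users/runner/work/project/, matching the paths in the log), and lists every `path` that does not resolve against the scanner's project base directory, which is what the scanner would count as "unknown files". The sample report and the temporary project tree are constructed for the example; `rebase_path`, `check_report` and `demo` are names chosen here, not scanner APIs.

```python
"""Pre-flight check for a SonarQube generic coverage report.

Added example, not code from the thread or from SonarSource. Assumes:
  * the generic coverage XML format (<coverage version="1"><file path="..."/>),
  * the scanner resolves relative `path` values against the project base
    directory (the directory holding sonar-project.properties),
  * the report was produced on another runner under an absolute prefix such
    as /Users/runner/work/project/ (constructed here to match the thread).
"""
from __future__ import annotations

import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class PathCheck:
    """Paths that resolved inside the project base directory, and those that did not."""
    known: list[str] = field(default_factory=list)
    unknown: list[str] = field(default_factory=list)


def rebase_path(path: str, old_prefix: str, base_dir: Path | None) -> str:
    """Turn a report path into a path relative to base_dir.

    old_prefix is the absolute directory the report was generated in on the
    other machine; it is stripped. An absolute path inside base_dir is made
    relative; anything else is returned unchanged (and will show up as unknown).
    """
    if old_prefix and path.startswith(old_prefix):
        return path[len(old_prefix):].lstrip("/")
    if os.path.isabs(path) and base_dir is not None:
        try:
            return str(Path(path).relative_to(base_dir))
        except ValueError:
            return path  # absolute path outside the project: cannot be rebased
    return path


def check_report(xml_text: str, base_dir: Path, old_prefix: str = "") -> tuple[str, PathCheck]:
    """Rewrite every <file path=...> and report which ones exist under base_dir.

    Returns the rewritten XML and the known/unknown path lists. Unknown paths
    are reported with their original value so they can be located in the report.
    The XML comes from our own build step, so the stdlib parser is acceptable
    here; use defusedxml for reports of untrusted origin.
    """
    root = ET.fromstring(xml_text)
    result = PathCheck()
    for file_el in root.iter("file"):
        original = file_el.get("path", "")
        rebased = rebase_path(original, old_prefix, base_dir)
        file_el.set("path", rebased)
        if (base_dir / rebased).is_file():
            result.known.append(rebased)
        else:
            result.unknown.append(original)
    return ET.tostring(root, encoding="unicode"), result


# Constructed sample: two absolute paths from a macOS runner and one relative path.
SAMPLE_REPORT = """<coverage version="1">
  <file path="/Users/runner/work/project/Sources/App.swift">
    <lineToCover lineNumber="1" covered="true"/>
  </file>
  <file path="/Users/runner/work/project/Sources/Missing.swift">
    <lineToCover lineNumber="1" covered="false"/>
  </file>
  <file path="Sources/Relative.swift">
    <lineToCover lineNumber="3" covered="true"/>
  </file>
</coverage>
"""


def demo() -> tuple[str, PathCheck]:
    """Build a throwaway project tree and run the check on SAMPLE_REPORT."""
    base = Path(tempfile.mkdtemp(prefix="coverage-check-"))
    (base / "Sources").mkdir()
    (base / "Sources" / "App.swift").write_text("// constructed\n")
    (base / "Sources" / "Relative.swift").write_text("// constructed\n")
    return check_report(SAMPLE_REPORT, base, old_prefix="/Users/runner/work/project/")


if __name__ == "__main__":
    rewritten, check = demo()
    print(f"{len(check.known)} files resolve, {len(check.unknown)} would be ignored as unknown")
    for p in check.unknown:
        print("  unknown:", p)
```

Run it against the downloaded reports/ folder in the sonarqube job, from the directory that holds sonar-project.properties (so that `sonar.sources=.` and the rewritten paths share the same base), and fail the job when the unknown list is not empty instead of letting the scanner silently drop the data; the same prefix rewrite is what a report generated on one runner needs before a scan on another, since the two checkouts live under different absolute directories. Keeping report generation and the scan on the same runner and path, as the second workflow does, avoids the rewrite altogether.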