Missing author information of commits, for submodules

Hi,
The current setup is described here: "Automatic analyze all submodules of the current project".

Currently, the submodule code is being scanned. However, the vulnerabilities found in the submodules have not been assigned to the author. They still remain “unassigned”. I hope there is a way to get them assigned to the users? Thanks in advance.

Hey there.

If you click on the line number, is any blame data (author, last commit) being populated at all?

Since SonarQube v9.0, blame data should be collected for submodules.

Blame data is not being populated for submodules as it is in the main module.
Upon checking the analysis log, I found these log lines. It says “Missing blame information”. However, I still don’t see the reason for missing blame information.

I understand that a shallow clone of a git repo results in missing blame information. However, I don’t see any log lines suggesting a shallow clone.

INFO: Importing 52 Roslyn reports
INFO: Found 52 MSBuild C# projects: 49 MAIN projects. 3 TEST projects.
INFO: Sensor C# [csharp] (done) | time=9820ms
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=504ms
INFO: SCM Publisher SCM provider for this project is: git
INFO: SCM Publisher 313 source files to be analyzed
INFO: SCM Publisher 0/313 source files have been analyzed (done) | time=2602ms
WARN: Missing blame information for the following files:
WARN:   * backoffice.net/PermissionCode.cs
WARN:   * pbapiadapter/Command/pbCancelOrder.cs

###...many other file names; probably all the files for all the submodules...

WARN: This may lead to missing/broken features in SonarQube
INFO: CPD Executor 49 files had no CPD blocks
INFO: CPD Executor Calculating CPD for 432 files
INFO: CPD Executor CPD calculation finished (done) | time=1010ms
INFO: Load New Code definition
INFO: Load New Code definition (done) | time=27ms
INFO: Analysis report generated in 1616ms, dir size=20.6 MB
INFO: Analysis report compressed in 2692ms, zip size=5.2 MB
INFO: Analysis report uploaded in 38313ms
INFO: ANALYSIS SUCCESSFUL, you can browse https://codescan.tradex.com.sg/dashboard?id=tradex2010_tms_AX8clEAFoPJyhy3WnmFX&branch=master

analysis_log.txt (3.7 MB)
Here is the analysis log I mentioned in the previous reply.
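
Added example, not part of the original thread and not SonarSource code: a small parser for the scanner log format quoted above that reports how many files received blame data and groups the "Missing blame information" entries by top-level directory, so the result can be compared against the repository's submodule paths. The sample log is constructed from the lines in the post plus two made-up entries, and treating the first path component as the submodule directory is an assumption.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the log quoted in the thread, plus
# two made-up entries (Example1.cs, Example2.cs) to show the grouping.
SAMPLE_LOG = """\
INFO: SCM Publisher SCM provider for this project is: git
INFO: SCM Publisher 313 source files to be analyzed
INFO: SCM Publisher 0/313 source files have been analyzed (done) | time=2602ms
WARN: Missing blame information for the following files:
WARN:   * backoffice.net/PermissionCode.cs
WARN:   * pbapiadapter/Command/pbCancelOrder.cs
WARN:   * pbapiadapter/Command/Example1.cs
WARN:   * backoffice.net/Example2.cs
WARN: This may lead to missing/broken features in SonarQube
INFO: CPD Executor 49 files had no CPD blocks
"""

PROGRESS = re.compile(r"SCM Publisher (\d+)/(\d+) source files have been analyzed")
HEADER = "Missing blame information for the following files:"
ENTRY = re.compile(r"^WARN:\s+\*\s+(.+)$")

def summarize_blame(log_text):
    """Return blame coverage and the files the scanner could not blame."""
    blamed = total = None
    missing, in_list = [], False
    for line in log_text.splitlines():
        m = PROGRESS.search(line)
        if m:
            blamed, total = int(m.group(1)), int(m.group(2))
        if HEADER in line:
            in_list = True
            continue
        entry = ENTRY.match(line.strip()) if in_list else None
        if entry:
            missing.append(entry.group(1).strip())
        elif in_list and line.startswith(("WARN:", "INFO:")):
            in_list = False  # any other log line ends the file list
    # Assumption: the first path component is the submodule directory.
    by_dir = Counter(p.replace("\\", "/").split("/", 1)[0] for p in missing)
    return {"blamed": blamed, "total": total,
            "missing": missing, "by_top_dir": dict(by_dir)}

if __name__ == "__main__":
    print(summarize_blame(SAMPLE_LOG))
```

A `blamed` count of 0 out of `total`, as in the quoted log, means no issue in that analysis can be auto-assigned to an author.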

Hey there.

It looks like you’re using Gitlab CI. Can you share your gitlab-ci.yml?

Here is the yml. I omitted the code for the test stage, since it’s not quite relevant.

stages:
    - build
    - test
    
build:
    stage: build
    variables:
          GIT_SUBMODULE_STRATEGY: recursive
          GIT_DEPTH: 99999

    script:
        #- echo $ErrorActionPreference
        #- $ErrorActionPreference = "Stop"
        #- try { git fetch --unshallow 2>&1 } catch { echo "Normal" }
        #- $ErrorActionPreference = "Continue"
        #- git submodule update --init --recursive --depth 999999
        - echo "Building"
        #- '& "$env:MSBUILD_PATH" AssetManagerl\trunk\TradingPlatform.sln /t:build /restore /property:Configuration=Debug /property:Platform="Any CPU"'

        - "C:\\sonar-scanner-msbuild-5.4.0.40033-net46\\SonarScanner.MSBuild.exe begin /k:\"$SONAR_PROJECT_KEY\" /d:sonar.login=\"$SONAR_TOKEN\" /d:\"sonar.host.url=$SONAR_HOST_URL\" /d:\"sonar.exclusions=**/*.cpp,**/*.h\" /d:\"sonar.scm.exclusions.disabled=true\""
        - '& "$env:MSBUILD_PATH" AssetManagerl\trunk\TradingPlatform.sln /t:Rebuild /restore /property:Configuration=Release /property:Platform="Any CPU"'
        - "C:\\sonar-scanner-msbuild-5.4.0.40033-net46\\SonarScanner.MSBuild.exe end /d:sonar.login=\"$SONAR_TOKEN\""

test:
    stage: test
    needs: [build]
    
#......
#the test stage is irrelevant.

Hi Colin,
Is there any update on this one?

@ganncamp
Hi Ann, can you help with this issue? Thanks in advance.
The setup (SonarQube versions and environments) is the same as described in the previous ticket.
The analysis log and the relevant section of the yml code are attached.
Appreciate your kind help.

Hi @Quan_Yu ,

Currently SonarQube doesn’t support importing blame information from submodules.
I created a ticket for it: [SONAR-16473] Collect blame information from git submodules - SonarSource
