Missing blame information on AWS CodeBuild

Hey folks, :wave:

We are using SonarQube Enterprise with a Gradle-based build with SonarScanner for Gradle 3.3 on AWS CodeBuild.

Everything is working fine except recording the Git blame information in this project.

Each analysis of the respective project has this warning attached:

Missing blame information for XXXX files. This may lead to some features not working correctly. Please check the analysis logs and refer to the documentation.

I hope that you can help us here because it all seems to be configured correctly as far as I understand.

Details below: :arrow_down:

The Scanner Context is as follows:

SonarQube plugins:
  - CSS Code Quality and Security (cssfamily)
  - PL/SQL Code Quality and Security (plsql)
  - Scala Code Quality and Security (sonarscala)
  - C# Code Quality and Security (csharp)
  - Vulnerability Analysis (security)
  - Java Code Quality and Security (java)
  - HTML Code Quality and Security (web)
  - Flex Code Quality and Security (flex)
  - XML Code Quality and Security (xml)
  - VB.NET Code Quality and Security (vbnet)
  - Swift Code Quality and Security (swift)
  - CFamily Code Quality and Security (cpp)
  - Python Code Quality and Security (python)
  - Go Code Quality and Security (go)
  - JaCoCo (jacoco)
  - Kotlin Code Quality and Security (kotlin)
  - RPG Code Quality (rpg)
  - PL/I Code Quality and Security (pli)
  - T-SQL Code Quality and Security (tsql)
  - VB6 Code Quality and Security (vb)
  - Apex Code Quality and Security (sonarapex)
  - JavaScript/TypeScript Code Quality and Security (javascript)
  - Ruby Code Quality and Security (ruby)
  - Vulnerability Rules for C# (securitycsharpfrontend)
  - Vulnerability Rules for Java (securityjavafrontend)
  - License for SonarLint (license)
  - Vulnerability Rules for JS (securityjsfrontend)
  - COBOL Code Quality (cobol)
  - Vulnerability Rules for Python (securitypythonfrontend)
  - PHP Code Quality and Security (php)
  - ABAP Code Quality and Security (abap)
  - Vulnerability Rules for PHP (securityphpfrontend)
Global server settings:
  - sonar.core.serverBaseURL=https://sonarqube.example.com
  - sonar.core.startTime=2021-08-11T21:20:06+0000
  - sonar.forceAuthentication=true
  - sonar.plugins.risk.consent=ACCEPTED
Project server settings:
  - sonar.dbcleaner.branchesToKeepWhenInactive=master,develop,trunk,release-.*
Project scanner properties:
  - sonar.branch.name=develop
  - sonar.coverage.jacoco.xmlReportPaths=/codebuild/output/src173083004/src/github.com/my-organization/my-repository/target/reports/jacoco/report.xml
  - sonar.host.url=https://sonarqube.example.com
  - sonar.language=java
  - sonar.links.scm=https://github.com/my-organization/my-repository
  - sonar.login=******
  - sonar.modules=[list of submodules]
  - sonar.projectBaseDir=/codebuild/output/src173083004/src/github.com/my-organization/my-repository
  - sonar.projectKey=my-project
  - sonar.projectName=my-project
  - sonar.projectVersion=1.2.3
  - sonar.scanner.app=ScannerGradle
  - sonar.scanner.appVersion=3.2.0/Gradle 6.8.3
  - sonar.scm.exclusions.disabled=true
  - sonar.scm.forceReloadAll=true
  - sonar.scm.provider=git
  - sonar.sourceEncoding=UTF-8
  - sonar.sources=
  - sonar.working.directory=/codebuild/output/src173083004/src/github.com/my-organization/my-repository/target/sonar

The AWS CodeBuild project is using the aws/codebuild/standard:5.0 build image and has been configured to fetch the complete Git history (gitCloneDepth=0):

source/gitCloneDepth

Optional. The depth of history to download. Minimum value is 0. If this value is 0, greater than 25, or not provided, then the full history is downloaded with each build project. If your source type is Amazon S3, this value is not supported.

In the build project output, we see the following warning when running the sonarqube task:

Missing blame information for the following files:
* path/to/src/main/java/com/example/some/package/some/MyClass.java
[...All other Java source files]

I have added a few “debug” commands to the build to check the status of the .git directory and verify that blame information could indeed be accessed:

2021/08/12 15:13:30 Running command ls -l .git
-rw-r-xr-x 1 root root 110 Aug 12 15:06 .git

2021/08/12 15:13:30 Running command git status
Not currently on any branch.
nothing to commit, working tree clean

2021/08/12 15:13:30 Running command git blame build/gradle.bash
e10d6580d739 (Contributor One 2020-10-14 13:11:59 +0200  1) #!/usr/bin/env bash
e10d6580d739 (Contributor One 2020-10-14 13:11:59 +0200  2) 
e10d6580d739 (Contributor One 2020-10-14 13:11:59 +0200  3) set -eo pipefail
e10d6580d739 (Contributor One 2020-10-14 13:11:59 +0200  4) 
8f3de57f49d5 (Contributor Two 2021-06-04 12:59:36 -0500  5) if [[ "$RUN_SCAN" == "true"* ]]; then
8f3de57f49d5 (Contributor Two 2021-06-04 12:59:36 -0500  6)   ./gradlew \
8f3de57f49d5 (Contributor Two 2021-06-04 12:59:36 -0500  7)     --stacktrace \

So the Git repository seems to be in a valid condition and Git blame information can be retrieved, also for the Java source files listed in the warning message emitted by the sonarqube task of the SonarScanner for Gradle plugin.

Is this a known limitation with SonarScanner and AWS CodeBuild or is this a bug?
Do you have any hints on how to continue here to get the blame information?

There’s a discussion topic describing a similar problem but without any resolution:

SCM Integration | SonarQube Docs also says:

  • “Missing blame information…” and “Could not find ref…” can be caused by checking out with a partial / shallow clone, or using Git submodules.

We are using Git submodules in this build. Does this also apply if the source files to be scanned are not part of any Git submodule?
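
The debug output in the post shows `.git` as a 110-byte regular file and a detached HEAD, and the quoted docs name shallow clones and submodules. The following pre-scan check is an added example, not part of the original post or of SonarQube; the function names `resolve_git_dir` and `scm_preflight` are hypothetical. It reports those four conditions from the on-disk layout without needing a git binary, and does not establish which of them, if any, causes the warning.

```shell
#!/bin/sh
# Pre-scan repository checks (added example; function names are hypothetical).
# Reads the on-disk layout directly, so it needs no git binary.

# Print the real git directory of a work tree, following a "gitdir:" pointer file.
resolve_git_dir() {
  wt=$1
  if [ -d "$wt/.git" ]; then
    printf '%s\n' "$wt/.git"
  elif [ -f "$wt/.git" ]; then
    target=$(sed -n 's/^gitdir: //p' "$wt/.git" | head -n 1)
    [ -n "$target" ] || return 1
    case $target in
      /*) printf '%s\n' "$target" ;;        # absolute pointer
      *)  printf '%s\n' "$wt/$target" ;;    # pointer relative to the work tree
    esac
  else
    return 1
  fi
}

# Print one line per condition found; returns 1 only if no git directory exists.
scm_preflight() {
  wt=$1
  gd=$(resolve_git_dir "$wt") || { echo "no-git-dir"; return 1; }
  [ -f "$wt/.git" ] && echo "gitfile-pointer"
  # Linked work trees keep shared state (including "shallow") in the common dir.
  common=$gd
  if [ -f "$gd/commondir" ]; then
    c=$(head -n 1 "$gd/commondir")
    case $c in /*) common=$c ;; *) common="$gd/$c" ;; esac
  fi
  [ -f "$common/shallow" ] && echo "shallow-clone"
  # HEAD holds "ref: refs/heads/<name>" on a branch, a raw commit id when detached.
  head_line=$(head -n 1 "$gd/HEAD" 2>/dev/null) || head_line=
  case $head_line in
    'ref: '*|'') ;;
    *) echo "detached-head" ;;
  esac
  [ -f "$wt/.gitmodules" ] && echo "has-submodules"
  return 0
}
```

In a CodeBuild buildspec this could run as `scm_preflight "$CODEBUILD_SRC_DIR"` just before the sonarqube task, so the reported conditions appear in the same log as the scanner warning.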