Need help with pull request decorating view

SonarQube
, ,
1

Hi,
I’m using SonarQube Developer edition 8.4 and integrate it to self managed Gitlab instance.

So I need help with pull request decorating. In comment in my Gitlab I see analyse result of changed files. It’s almost always empty.

image
image1029×553 32.3 KB

But I wanna see analyse of all files in merge request result(of all sources in target branch after merge). Because there actually are problems.
image
image1445×287 26.6 KB

How can I get it?

3

Hi @riu.daineko

Welcome to the Community :smiley:

A SonarQube analysis of a PR is, by definition, only the new code – only the code you want to merge. Once you’ve performed the merge, you can analyze the target branch using branch analysis to get the full picture, but this can’t be done as part of the PR analysis.

I hope this clarifies; let me know if you need more details.

Regards,

Cameron.

4

Hi, Cameron!

Look at this.

image
image1223×664 19.9 KB

This PR has a critical vulnerability that found in source branch analyse

image
image1447×653 26.4 KB

And that what I see in my PR decoration:

image
image998×559 32.2 KB

Is it ok in your opinion?

5

BTW
Before we purchase a license we used sonar 7.6 community with plugin from GitHub. So there was a property sonar.gitlab.all_issues that cover my case. Don’t understand why github plugin works better then newest licensed instance.

6

Hi @riu.daineko

Was this vulnerability already in the branch? Or was it introduced by the PR? That’s the critical question in understanding whether it should be found by PR analysis.

Regards,

Cameron.

7

Hi, @Cameron
Vulnerability introduced by the PR. It’s a gitlab merge request screenshot. Green background means new code addition.
image

8

Hi @riu.daineko,

Can you zip up the scanner-side logs from the scan of the MR and post them? Feel free to redact any sensitive data. Could you also post a screen shot of the vulnerability on that line of code as shown in the branch scan?

Regards,

Cameron.

9

Hi, @Cameron

image
image1197×528 25 KB

scanner logs.zip (2.5 KB)

10

Hi @riu.daineko,

Apologies for the delay on this. I’m seeing the following in your log file:

INFO: SCM collecting changed files in the branch
WARN: No merge base found between HEAD and refs/remotes/origin/master
INFO: SCM collecting changed files in the branch (done) | time=215ms

which makes me suspect you’re seeing something similar to this thread where (in a GitHub context rather than GitLab) SonarQube is not able to determine what are new files. To check this:

  • Can you go to the Code tab of the PR analysis in SonarQube and check the files there. Do you see consul.py?

Is there anything special about the way you’re configuring GitLabCI to check out your branches?

Regards,

Cameron.