'New Code' shows issues introduced on Reference Branch

SonarSource Developer Edition 8.6
Embedded database (for evaluation)
Maven scanner (3.4.0.905)

I am attempting to use a reference branch to filter out issues introduced on our master branch.

  1. Create a new project by doing a scan of an existing git repo on the master branch
  2. This isn’t required, but should put the system in a known state
  3. Set the “New Code” to reference the master branch
  4. Scan master branch
  5. Make a new branch locally from the same commit as master
  6. Scan the new branch
  7. Make a new commit that adds issues on the new branch
  8. Scan the new branch
  9. Issues are visible in the “New Code” as expected
  10. Switch back to the master branch
  11. Make a commit with an issue in a different file on the master branch
  12. Scan the master branch
  13. Merge the master branch into the new branch
  14. Scan the new branch

Expected behavior: The new branch would still only see the the issues introduced on that branch in the New Code tab.
Actual behavior: The new branch shows the issues introduced on both the master branch and the new branch in its New Code tab

I have tried this a number of times with slight tweaks to what files were being edited the order that the commits were made and gotten various other permutations of results, though I didn’t record the exact steps to reproduce these:

  • Saw the issues from the master but not the issues from the new branch
  • Saw the issues introduced on master from before the new branch was even created (master had been scanned several times at that point)

Hi @ladaas, welcome to the SonarSource Community!

Is it possible you’re suffering from the same problem as the OP on this thread? If the latest state of the master isn’t also fetched at the time of analysis on the new branch, it could be messing with SonarQube sense of the reference point.

That doesn’t appear to be the exact issue (I am doing all my testing in a small git repo that has all of the branches available), but it might have pointed toward the problem. When I run scans I see “Computing New Code since fork with ‘master’”, but I don’t see anything about “Merge base”, even with “-Dsonar.log.level=TRACE -Dsonar.verbose=true -Dsonar.scm.provider=git”. Do you have any other ideas of what might cause that? One theory is that this is because I am using a fairly old version of the maven scanner plugin (3.4.0), but I didn’t see anything relevant in the patch notes up to the current version.

3.4 is quite old; I’d suggest updating to the latest and trying the scenario over again.