No recognized Code Changes in Sonarcloud


(Hauke) #1

We are using Sonarcloud and the Bitbucket Pipeline Integration. The Sonar call creates an analysis reports and pushes the information successfully to sonarcloud (the report processing task is successful). But there are simply no code changes to be found in the analysis linked to the Pull Request.

The call is done like this:

mvn sonar:sonar -Dsonar.projectKey=... -Dsonar.organization=... -Dsonar.login=$SONAR_TOKEN

If I trigger a code analysis manually via

mvn sonar:sonar -Dsonar.projectKey=... -Dsonar.organization=... -Dsonar.login=... -Dsonar.pullrequest.base=develop -Dsonar.verbose=true -Dsonar.pullrequest.branch=... -Dsonar.pullrequest.key=671 -Dsonar.pullrequest.provider=bitbucketcloud -Dsonar.pullrequest.bitbucketcloud.owner=... -Dsonar.pullrequest.bitbucketcloud.repository=...

it is added correctly to the Pull Request yet we see no code changes. But while doing so I do get a warning grafik
This does not make sense, as the SonarCloud application is already correctly bound. (I can’t attach a screen of this unfortunately as I am not allowed to do so)

There are multiple languages used including Java, Kotlin, Typescript.

(Julien Henry) #3

Hi @hauke

You may know that Bitbucket Pipeline recently added the support of building PRs => a build is triggered on a merge commit each time the PR is updated. Prior to that, there was a workaround consisting in building the branch, but making SonarCloud consider it as a PR.

So my question: are you truly building/analyzing the PR, or are you still in the “old” mode?

Can you share the analysis logs (pipeline console)?


(Hauke) #4

Hi @Julien_HENRY,

thank you for your answer. We are using pipeline branch feature as configured:

    # this runs as default for any branch not elsewhere defined
    - step:
        name: Build
        - maven
        - node
        - node-app
        - git config "..."
        - git config "..."
        - git merge origin/develop
        - mvn -q install
        - mvn sonar:sonar -Dsonar.projectKey=... -Dsonar.organization=... -Dsonar.login=$SONAR_TOKEN

I will send you the log output of the the sonar substep directly. Edit: Apparently I can not do this via the message boards. Any way I can do this here, or could you provide me with an email address?

For now I just attached just the beginning and the end of the log in an anonymous version below:

Output of log (start):

mvn sonar:sonar -Dsonar.projectKey=... -Dsonar.organization=... -Dsonar.login=$SONAR_TOKEN
[INFO] Scanning for projects...
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Build Order:
[INFO] ...                                                    [pom]
[INFO] ...                                                               [jar]
[INFO] ...                                                        [jar]
[INFO] ...                                                        [jar]
[INFO] ...                                                        [jar]
[INFO] ...                                      [jar]
[INFO] ------------< ... >------------
[INFO] Building ... 1.0.0                                      [1/6]
[INFO] --------------------------------[ pom ]---------------------------------
[INFO] --- sonar-maven-plugin: (default-cli) @ ... ---
[INFO] Bitbucket Cloud Pipelines detected
[INFO] User cache: /root/.sonar/cache
[INFO] SonarQube version: 7.7.0
[INFO] Default locale: "en", source code encoding: "UTF-8"
[INFO] Load global settings
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by (file:/root/.sonar/cache/2a2a83a29e18d41fbac546c328f12c8d/sonar-scanner-engine-shaded-developer- to field java.nio.Buffer.address
WARNING: Please consider reporting this to the maintainers of
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[INFO] Load global settings (done) | time=576ms
[INFO] Server id: BD367519-AWHW8ct9-T_TB3XqouNu
[INFO] User cache: /root/.sonar/cache
[INFO] Load/download plugins
[INFO] Load plugins index
[INFO] Load plugins index (done) | time=139ms
[INFO] Load/download plugins (done) | time=25428ms
[INFO] Loaded core extensions: developer-scanner
[INFO] Process project properties
[INFO] Execute project builders
[INFO] Execute project builders (done) | time=3ms
[INFO] Project key: ...
[INFO] Base dir: /opt/atlassian/pipelines/agent/build
[INFO] Working dir: /opt/atlassian/pipelines/agent/build/target/sonar
[INFO] Load project settings
[INFO] Load project settings (done) | time=155ms
[INFO] Load project branches
[INFO] Load project branches (done) | time=697ms
[INFO] Load project pull requests
[INFO] Load project pull requests (done) | time=132ms
[INFO] Load branch configuration
[INFO] Detected analysis for pull request '698' targeting 'develop'
[INFO] Detected Bitbucket Pipelines
[INFO] Auto-configuring pull request 698
[INFO] Load branch configuration (done) | time=6ms
[INFO] Load project repositories
[INFO] Load project repositories (done) | time=300ms
[INFO] Load quality profiles
[INFO] Load quality profiles (done) | time=122ms
[INFO] Load active rules
[INFO] Load active rules (done) | time=2795ms
[INFO] Load metrics repository
[INFO] Load metrics repository (done) | time=102ms
[INFO] Organization key: ...
[INFO] Pull request 698 for merge into develop from feature/...
[INFO] SCM collecting changed files in the branch
[INFO] SCM collecting changed files in the branch (done) | time=135ms
[INFO] Indexing files...

Output of log (end):

[INFO] Sensor JavaSecuritySensor [security] (done) | time=496ms
[INFO] Sensor CSharpSecuritySensor [security]
[INFO] Reading UCFGs from: /opt/atlassian/pipelines/agent/build/target/ucfg_cs2
[INFO] 11:41:34.252611 Building Type propagation graph
[INFO] 11:41:34.252791 Running Tarjan on 0 nodes
[INFO] 11:41:34.252918 Tarjan found 0 components
[INFO] 11:41:34.253089 Variable type analysis: done
[INFO] UCFGs: 0, excluded: 0, source entrypoints: 0
[INFO] No UCFGs have been included for analysis.
[INFO] Sensor CSharpSecuritySensor [security] (done) | time=1ms
[INFO] ------------- Run sensors on project
[INFO] Sensor Java CPD Block Indexer
[INFO] Sensor Java CPD Block Indexer (done) | time=145ms
[INFO] 154 files had no CPD blocks
[INFO] Calculating CPD for 223 files
[INFO] CPD calculation finished
[INFO] SCM writing changed lines
[INFO] SCM writing changed lines (done) | time=2ms
[INFO] Analysis report generated in 247ms, dir size=538 KB
[INFO] Analysis report compressed in 316ms, zip size=448 KB
[INFO] Analysis report uploaded in 1043ms
[INFO] Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
[INFO] More about the report processing at

Edit 2:
I should add that this setup was working until 22th of January

(Julien Henry) #5

Can you try to disable shallow clone?

  depth: full

(Hauke) #6

That is already the case. Sorry for cutting this off.

image: ...
  depth: full

  size: 2x

    # this runs as default for any branch not elsewhere defined

(Julien Henry) #7

No worries, I’m just trying to eliminate usual suspects.

Next thing that come to my mind is:

Why do you need that?

(Hauke) #8

That is a check to ensure we have no merge conflicts and the tests run fine after the PR would be merged. Let me remove this and check the result.

(Hauke) #9

That has solved the problem. Still curious why this is now required to be removed so that the code changes are visible again, as like I said there has not been changes on our side.
This line e.g. has been there for about 5 months before it apparently created the problem.

@Julien_HENRY: Do you have any input why this merge is a problem? As we need this functionality to ensure all our test would run without any issues on merging the request.

(Julien Henry) #10

To me, you are kind of duplicating the official support of Bitbucket Pipelines PR support. They are already creating a merge commit between the PR branch and the target branch. If the merge fails, I guess the build will fail.

The official PR support was released few weeks ago, so my guess is that previously your pipeline was configured to rely on branch builds. This manual merge was kind of emulating what is now the default PR support.

(Hauke) #11

They are already creating a merge commit between the PR branch and the target branch.

Good point. They did not do this in the alpha. Still why does a merge which would result in no changes (as it is already up to date) lead to the result of no code changes in sonarcloud?

(Julien Henry) #12

I don’t really know :slight_smile: We are doing various Git operations to get list of changed files + changed lines between current branch and the target one.

If you look at console, Bitbucket don’t exactly run git merge origin/develop, but instead merge a specific commit. Maybe it ends up messing up the history.

(Hauke) #13

Well it is our git merge origin/develop that breaks the functionality, but worked fine in the Pipeline Pull-Request alpha. So I am even more confused. Nevertheless, we now can again get result in sonarcloud so the main issue is solved. Thank you @Julien_HENRY!