Sonarqube version: 9.9.1 (build 69595)
Sonarqube deployed via Docker (in Kubernetes)
We have a quality gate where coverage on new code must be >90%. However, sometimes MRs get scanned and old, untouched code from the codebase (sometimes years old) is included in the “new code”, counts towards the coverage, and if low enough will cause the quality gate to fail.
Our new code behavior is defined as “Previous version”. This post was prompted by one MR in particular, where the previous version of the project is the commit SHA immediately preceding the MR’s commits (it says this at the top right of the project view), so it doesn’t really make sense and is frustrating that these old lines of code are included and causing our quality gates to fail.
The first thing we need to look at is the “changed” lines themselves. SonarQube (presumably) marks them new in the UI with a yellow highlight. When you click in the margin next to them, do you see a change date that’s actually new? If so, the problem is happening before analysis, and the question is what’s causing those new dates. If not, then it’s a problem with the detection of new code during analysis and that’s going to be about the checkout and what’s available in the local Git repository.
Yep the “new” lines are yellow, and clicking the margin shows they are from old commits.
So it’s the second problem. How exactly is it making the comparison? The lines of code already exist if I switch to the main branch and inspect the current code as well.
The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.
+ /opt/sonar-scanner/bin/sonar-scanner -Dsonar.host.url=***** -Dsonar.login=[MASKED] -Dsonar.projectVersion=***** -Dsonar.qualitygate.wait=true
INFO: Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: *****
INFO: SonarScanner 4.8.0.2856
INFO: Java 11.0.19 Alpine (64-bit)
INFO: Linux ***** amd64
INFO: User cache: *****
INFO: Analyzing on SonarQube server 9.9.1.69595
INFO: Default locale: "en_US", source code encoding: "UTF-8"
INFO: Load global settings
INFO: Load global settings (done) | time=161ms
INFO: Server id: *****
INFO: User cache: *****
INFO: Load/download plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=61ms
INFO: Load/download plugins (done) | time=2422ms
INFO: Loaded core extensions: developer-scanner
INFO: Process project properties
INFO: Process project properties (done) | time=8ms
INFO: Execute project builders
INFO: Execute project builders (done) | time=1ms
INFO: Project key: *****
INFO: Base dir: *****
INFO: Working dir: *****
INFO: Load project settings for component key: *****
INFO: Load project settings for component key: ***** (done) | time=24ms
INFO: Load project branches
INFO: Load project branches (done) | time=21ms
INFO: Load branch configuration
INFO: Detected branch/PR in *****
INFO: Auto-configuring pull request '688'
INFO: Load branch configuration (done) | time=9ms
INFO: Auto-configuring with CI *****
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=87ms
INFO: Load active rules
INFO: Load active rules (done) | time=1652ms
INFO: Load analysis cache
INFO: Load analysis cache | time=32ms
INFO: Pull request 688 for merge into master from *****
INFO: Load project repositories
INFO: Load project repositories (done) | time=25ms
INFO: SCM collecting changed files in the branch
INFO: Merge base sha1: *****
INFO: SCM collecting changed files in the branch (done) | time=452ms
INFO: Indexing files...
INFO: Project configuration:
INFO: Included sources: *****
INFO: 77 files indexed
INFO: 199 files ignored because of inclusion/exclusion patterns
INFO: 0 files ignored because of scm ignore settings
INFO: Quality profile for py: Default
INFO: ------------- Run sensors on module *****
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=31ms
INFO: Sensor C# Project Type Information [csharp]
INFO: Sensor C# Project Type Information [csharp] (done) | time=2ms
INFO: Sensor C# Analysis Log [csharp]
INFO: Sensor C# Analysis Log [csharp] (done) | time=14ms
INFO: Sensor C# Properties [csharp]
INFO: Sensor C# Properties [csharp] (done) | time=1ms
INFO: Sensor HTML [web]
INFO: Sensor HTML is restricted to changed files only
INFO: Sensor HTML [web] (done) | time=4ms
INFO: Sensor TextAndSecretsSensor [text]
INFO: Sensor TextAndSecretsSensor is restricted to changed files only
INFO: 47 source files to be analyzed
INFO: 47/47 source files have been analyzed
INFO: Sensor TextAndSecretsSensor [text] (done) | time=519ms
INFO: Sensor VB.NET Project Type Information [vbnet]
INFO: Sensor VB.NET Project Type Information [vbnet] (done) | time=1ms
INFO: Sensor VB.NET Analysis Log [vbnet]
INFO: Sensor VB.NET Analysis Log [vbnet] (done) | time=14ms
INFO: Sensor VB.NET Properties [vbnet]
INFO: Sensor VB.NET Properties [vbnet] (done) | time=0ms
INFO: Sensor Python Sensor [python]
WARN: Your code is analyzed as compatible with python 2 and 3 by default. This will prevent the detection of issues specific to python 2 or python 3. You can get a more precise analysis by setting a python version in your configuration via the parameter "sonar.python.version"
INFO: Using cached data to retrieve global symbols.
INFO: Cached information of global symbols will be used for 11 out of 29 main files. Global symbols will be recomputed for the remaining files.
INFO: Fully optimized analysis can be performed for 26 out of 77 files.
INFO: Partially optimized analysis can be performed for 11 out of 77 files.
INFO: Starting global symbols computation
INFO: 18 source files to be analyzed
INFO: 18/18 source files have been analyzed
INFO: Starting rules execution
INFO: 77 source files to be analyzed
INFO: 77/77 source files have been analyzed
INFO: The Python analyzer was able to leverage cached data from previous analyses for 30 out of 77 files. These files were not parsed.
INFO: Sensor Python Sensor [python] (done) | time=4146ms
INFO: Sensor Cobertura Sensor for Python coverage [python]
INFO: Python test coverage
INFO: Parsing report '*****/coverage.xml'
INFO: Sensor Cobertura Sensor for Python coverage [python] (done) | time=149ms
INFO: Sensor PythonXUnitSensor [python]
INFO: Processing report '*****/nosetests.xml'
INFO: Sensor PythonXUnitSensor [python] (done) | time=1224ms
INFO: Sensor Import of Bandit issues [python]
ERROR: No issues information will be saved as the report file '*****/bandit.json' can't be read. FileNotFoundException: *****/bandit.json (No such file or directory)
INFO: Sensor Import of Bandit issues [python] (done) | time=1ms
INFO: Sensor Import of Flake8 issues [python]
ERROR: No issues information will be saved as the report file '*****/flake8.txt' can't be read. NoSuchFileException: *****/flake8.txt
INFO: Sensor Import of Flake8 issues [python] (done) | time=1ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: 'sonar.coverage.jacoco.xmlReportPaths' is not defined. Using default locations: target/site/jacoco/jacoco.xml,target/site/jacoco-it/jacoco.xml,build/reports/jacoco/test/jacocoTestReport.xml
INFO: No report imported, no coverage information will be imported by JaCoCo XML Report Importer
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=1ms
INFO: Sensor CSS Rules [javascript]
INFO: Sensor CSS Rules is restricted to changed files only
INFO: No CSS, PHP, HTML or VueJS files are found in the project. CSS analysis is skipped.
INFO: Sensor CSS Rules [javascript] (done) | time=0ms
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend]
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend] (done) | time=1ms
INFO: Sensor Python HTML templates processing [securitypythonfrontend]
INFO: pythonsecurity:S5131 is not activated in quality profile: skipping execution of Python HTML templates sensor.
INFO: Sensor Python HTML templates processing [securitypythonfrontend] (done) | time=0ms
INFO: Sensor IaC Docker Sensor [iac]
INFO: Sensor IaC Docker Sensor is restricted to changed files only
INFO: 0 source files to be analyzed
INFO: 0/0 source files have been analyzed
INFO: Sensor IaC Docker Sensor [iac] (done) | time=63ms
INFO: Sensor Serverless configuration file sensor [security]
INFO: 0 Serverless function entries were found in the project
INFO: 0 Serverless function handlers were kept as entrypoints
INFO: Sensor Serverless configuration file sensor [security] (done) | time=9ms
INFO: Sensor AWS SAM template file sensor [security]
INFO: Sensor AWS SAM template file sensor [security] (done) | time=1ms
INFO: Sensor AWS SAM Inline template file sensor [security]
INFO: Sensor AWS SAM Inline template file sensor [security] (done) | time=0ms
INFO: Sensor javabugs [dbd]
INFO: Reading IR files from: *****/.scannerwork/ir/java
INFO: No IR files have been included for analysis.
INFO: Sensor javabugs [dbd] (done) | time=1ms
INFO: Sensor pythonbugs [dbd]
INFO: Reading IR files from: *****/.scannerwork/ir/python
INFO: No IR files have been included for analysis.
INFO: Sensor pythonbugs [dbd] (done) | time=2ms
INFO: Sensor JavaSecuritySensor [security]
INFO: Reading type hierarchy from: *****/.scannerwork/ucfg2/java
INFO: Read 0 type definitions
INFO: No UCFGs have been included for analysis.
INFO: Sensor JavaSecuritySensor [security] (done) | time=5ms
INFO: Sensor CSharpSecuritySensor [security]
INFO: Reading type hierarchy from: *****/ucfg_cs2
INFO: Read 0 type definitions
INFO: No UCFGs have been included for analysis.
INFO: Sensor CSharpSecuritySensor [security] (done) | time=1ms
INFO: Sensor PhpSecuritySensor [security]
INFO: Reading type hierarchy from: *****/.scannerwork/ucfg2/php
INFO: Read 0 type definitions
INFO: No UCFGs have been included for analysis.
INFO: Sensor PhpSecuritySensor [security] (done) | time=0ms
INFO: Sensor PythonSecuritySensor [security]
INFO: No taint analysis rules have been enabled, will not execute taint analysis.
INFO: Sensor PythonSecuritySensor [security] (done) | time=1ms
INFO: Sensor JsSecuritySensor [security]
INFO: Reading type hierarchy from: *****/.scannerwork/ucfg2/js
INFO: Read 0 type definitions
INFO: No UCFGs have been included for analysis.
INFO: Sensor JsSecuritySensor [security] (done) | time=1ms
INFO: ------------- Run sensors on project
INFO: Sensor Analysis Warnings import [csharp]
INFO: Sensor Analysis Warnings import [csharp] (done) | time=1ms
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=0ms
INFO: SCM Publisher SCM provider for this project is: git
INFO: SCM Publisher 47 source files to be analyzed
INFO: SCM Publisher 47/47 source files have been analyzed (done) | time=1939ms
INFO: CPD Executor 6 files had no CPD blocks
INFO: CPD Executor Calculating CPD for 23 files
INFO: CPD Executor CPD calculation finished (done) | time=27ms
INFO: SCM writing changed lines
INFO: Merge base sha1: *****
INFO: SCM writing changed lines (done) | time=283ms
INFO: Analysis report generated in 353ms, dir size=1.5 MB
INFO: Analysis report compressed in 96ms, zip size=483.1 kB
INFO: Analysis report uploaded in 49ms
INFO: ------------- Check Quality Gate status
INFO: Waiting for the analysis report to be processed (max 300s)
INFO: ------------------------------------------------------------------------
INFO: EXECUTION FAILURE
INFO: ------------------------------------------------------------------------
INFO: Total time: 26.067s
INFO: Final Memory: 44M/150M
INFO: ------------------------------------------------------------------------
ERROR: Error during SonarScanner execution
ERROR: QUALITY GATE STATUS: FAILED - View details on https://*****&pullRequest=688
ERROR:
ERROR: Re-run SonarScanner using the -X switch to enable full debug logging.
Let’s back up. Can I have a screenshot of this, redacted as necessary, please?
BTW,
For MRs, “new code” is what’s changed in the MR, without regard to the project or branch’s new code definition.
So… let’s also go back to your checkout. Per the docs
Before analyzing your pull requests, make sure that:
The pull request source branch is checked out in the local repository.
The branch being targeted by the pull request is fetched and present in the local repository.
The analysis is being run on a local repository with valid repository metadata (e.g. the .git folders have not been removed). Avoid any attempt at previewing the merge or actions involving your main branch.
The code in the local repository matches the code in the remote repository (e.g once a PR is issued, no code is added to the local branch on the CI side before analysis).