We are using SonarQube version 7.6, mainly to scan C# and .NET projects.
We set up multiple projects successfully and are also able to scan the projects and see various bugs, vulnerabilities and code smells being reported.
But the issue we see is that when we ran the Sonar scan on the same project without changing anything, we are, oddly, seeing “NEW” Bugs/Vulnerabilities/Code Smells reported on the same code, which has not been modified in ages. Attaching the image here.
Also, if these are being reported as new issues, why only specific issues and not all of them? We are using the default C# Quality Profile and changed the Quality Gate according to our project needs.
Could you please let us know if we are missing some configuration/administration setting/tweak which is the probable reason behind this?
Your screenshot shows that your New Code Period started 2 months ago and it appears that you analyze once a week. Your screenshot doesn’t include the Coverage domain, but usually at the bottom of that New Code block it shows New Lines to Cover. Do you have a positive number there? If so, that indicates that there have been code changes in the last 2 months.
Yes, like you mentioned, we do see “25k” as New Lines to Cover in the Coverage domain, but even that seems to be a wrong number, as we don’t have 25,000 lines of code written in the last two months. Any reason why this is being incorrectly reported here?
Also, I wanted to reiterate my question: why are certain issues (12 bugs, 50 vulnerabilities in this case) being reported as “New” despite the code being old?
Expecting an early reply, as we need to publish certain metrics accordingly.
As you say, there are 25k new lines of code (at least) in your project. Issues raised in new code are generally going to be “new” issues.
If you’d really like to pursue why lines are marked new when you don’t think the project has been changed (then why analyze it every week?) the easiest thing to do is click through on the New Lines to Cover value. That will take you to a drilldown listing the files with new lines, where you can look for the yellow highlights to understand which lines in the file are new. If you click in the margin, you should see the details for the most recent commits on these new lines.
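The answer above ties "new" issues to lines whose most recent commit falls inside the New Code Period. The following is an added illustrative model of that classification, written for this thread and not SonarQube's own code: it takes constructed per-line SCM blame dates and a constructed period start, marks lines as new when their last commit date is on or after the period start, and then labels issues on those lines as new. The blame dates, rule keys (`RULE_A` and so on) and period start are all made-up placeholders.

```python
from datetime import date

# Constructed sample: SCM blame for one file, mapping each line number to the
# date of the last commit that touched it. Not real project data.
BLAME_DATES = {
    1: date(2017, 3, 2),
    2: date(2017, 3, 2),
    3: date(2019, 1, 15),   # touched by a recent commit (constructed)
    4: date(2016, 11, 9),
    5: date(2019, 1, 15),   # touched by a recent commit (constructed)
}

# Constructed sample issues as (line number, rule key). Rule keys are placeholders.
ISSUES = [
    (2, "RULE_A"),
    (3, "RULE_B"),
    (5, "RULE_C"),
]

# Constructed: New Code Period started roughly two months before the analysis date.
PERIOD_START = date(2018, 12, 1)


def new_lines(blame_dates, period_start):
    """Return the set of lines whose last commit is on or after the period start."""
    return {line for line, last_commit in blame_dates.items() if last_commit >= period_start}


def split_issues(issues, blame_dates, period_start):
    """Partition issues into those on new lines ('new') and those on unchanged lines ('old')."""
    fresh = new_lines(blame_dates, period_start)
    new = [issue for issue in issues if issue[0] in fresh]
    old = [issue for issue in issues if issue[0] not in fresh]
    return new, old


def explain(issues, blame_dates, period_start):
    """Per-issue explanation, mirroring the margin drilldown the answer describes."""
    fresh = new_lines(blame_dates, period_start)
    report = []
    for line, rule in issues:
        status = "NEW" if line in fresh else "old"
        report.append(f"line {line} ({rule}): {status}, last commit {blame_dates[line].isoformat()}")
    return report


if __name__ == "__main__":
    new, old = split_issues(ISSUES, BLAME_DATES, PERIOD_START)
    print(f"{len(new)} new issue(s), {len(old)} old issue(s)")
    for text in explain(ISSUES, BLAME_DATES, PERIOD_START):
        print(text)
```

The point the model makes is that "new" is decided per line from the commit date, not from whether the code looks different: a line the team considers unchanged still counts as new if any commit inside the period touched it, and every issue raised on that line is then reported as new.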
Thanks for the details around identifying the “new” lines of code.
But the issue we wanted to understand here is why the 12 “New” bugs and 50 “New” vulnerabilities in the above screenshot are referred to as “New” even though the code in which these issues are pointed out is “Old” code.