Scanner command used when applicable (private details masked): mvn org.sonarsource.scanner.maven:sonar-maven-plugin:RELEASE:sonar --fail-fast
Languages of the repository: Java
Only if the SonarCloud project is public, the URL: N/A, as the Project is private
And if you need help with pull request decoration, then the URL to the PR too
Error observed: Old issues are getting detected as a part of PR decoration
Steps to reproduce: Use the RELEASE (3.10.0.2594) version of Sonar scanner > Sonar Scanner is detected as a part of PR > Old issues detected and PR gets decorated with old issues.
Potential workaround: Using an older version of Sonar Scanner, i.e. 3.9.1.2184, scans the code and gets the PR decorated in the correct/expected way.
We would like to know if the latest version of Sonar Scanner (3.10.0.2594) is having issues while decorating PRs.
The current version of SonarScanner is 5.0.1. The SonarCloud docs are a bit behind, but you can find it in the SonarQube docs.
Regarding old issues in new code, when you click in the margin to the left of one of these issues, is the SCM ‘blame’ date shown for the issue recent (in the New Code period) or old?
The blame data as well as the issues detected within SonarCloud say that the issues detected are old. Apart from that, we’ve seen some instances where the issues detected are false positives.
Below is the version information for Sonar Scanner for Maven:
So you’re saying that with the latest version of the SonarScanner for Maven, you get old issues in PRs, but when you revert to version 3.9 you don’t?
Could you provide the analysis log from the 3.10 run?
The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.
I’m not sure why the log says that it is a branch analysis, but the pipeline from which the above logs are extracted is doing the PR decoration. And yes, we’re doing the same thing while using the 3.10.x and 3.9.x versions of Sonar Scanner for Maven.
I can assure you that only the Sonar Scanner’s version is getting changed in the Sonar Scanning command which we’re using to scan the Maven’s Project code against SonarCloud.
The command which is having issues (Pulling up the old issues as well as part of PR decoration): mvn org.sonarsource.scanner.maven:sonar-maven-plugin:RELEASE:sonar --fail-fast
The command which is working fine: mvn org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.1.2184:sonar --fail-fast
So the only difference you’ll see here is the version of the Sonar Scanner for Maven.
One more thing I would like to mention here: there was an instance where we went through PR decoration for one of our pull requests using the Sonar Scanner for Maven 3.10.x version, and it detected the old issues (which is not expected within PR decoration) and dumped all the old issues it detected into the PR. We then downgraded the version of Sonar Scanner for Maven one step back (to version 3.9.1.2184), re-ran the PR decoration pipeline and found that the issues reported previously (by the latest version of Sonar Scanner for Maven) were gone! This all happened within the same PR.
Please let me know if anything else is needed for the same.
In the Release 3.10.0.2594, the default sources option is updated from src/main/java to src/main. This means that the scanner may now include files that were previously ignored.
Can you please check this?
Please provide me a way to check the sources option which the latest version of Sonar Scanner is including and also let me know if there is a way to override it.
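As an added example (not code from any poster in this thread), a pom.xml fragment that pins the plugin version so `RELEASE` cannot silently pick up a new default, and sets `sonar.sources` explicitly so the 3.10.0.2594 change from `src/main/java` to `src/main` no longer widens the set of analysed files. It assumes a standard Maven layout; the `sonar.sources`/`sonar.tests` properties set in the POM take precedence over the plugin's computed default, and a `-D` user property on the command line overrides both.

```xml
<!-- Added example, not from any post in this thread.
     Pin the scanner version and declare the source roots explicitly
     so that a plugin upgrade cannot change which files are scanned. -->
<project>
  <properties>
    <!-- Pre-3.10 default. Add more roots comma-separated (e.g.
         src/main/java,src/main/resources) if they must stay in scope. -->
    <sonar.sources>src/main/java</sonar.sources>
    <sonar.tests>src/test/java</sonar.tests>
  </properties>

  <build>
    <pluginManagement>
      <plugins>
        <plugin>
          <!-- Pinned instead of RELEASE: upgrades become a reviewed change. -->
          <groupId>org.sonarsource.scanner.maven</groupId>
          <artifactId>sonar-maven-plugin</artifactId>
          <version>3.10.0.2594</version>
        </plugin>
      </plugins>
    </pluginManagement>
  </build>
</project>
```

For a one-off check, `mvn org.sonarsource.scanner.maven:sonar-maven-plugin:3.10.0.2594:sonar -Dsonar.sources=src/main/java --fail-fast` overrides the default for that run only; to confirm what was actually resolved, compare the source roots the scanner reports in its analysis log (to my knowledge the INFO-level `Source paths:` line) between the 3.9 and 3.10 runs.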