On a PR quality gate, seeing "new code" that is not in the Pull Request

  • ALM used: Azure DevOps
  • CI system used: Azure DevOps
  • Languages of the repository: C#

Hi, we have an Azure DevOps GIT project that we are analyzing using SonarCloud on Pull Requests.
We however see that the analysis of the PR includes changes from previous pull requests. What are we doing wrong?
Under the settings in SonarCloud, under “New Code”, we have set Number of days to 30, but as I understood your documentation, this only applies to the mainline branch, and the PR will always look at only the PR changes?

Our YAML pipeline contains the following piece of code:


```yaml
- task: SonarSource.sonarcloud.14d9cde6-c1da-4d55-aa01-2965cd301255.SonarCloudPrepare@1
  displayName: 'Prepare SonarCloud Code Analysis'
  inputs:
    SonarCloud: 'XXX-SonarCloud'
    organization: 'xxxx'
    projectKey: '$(projectname)'
    projectName: '$(projectname)'
    extraProperties: |
     sonar.cs.vstest.reportsPaths=$(Agent.TempDirectory)/*.trx
     sonar.cs.opencover.reportsPaths=$(Agent.TempDirectory)/**/coverage.opencover.xml

# - task: build
# - task: dotnet test

- script: |
   reportgenerator -reports:$(Agent.TempDirectory)/**/coverage.cobertura.xml -targetdir:$(Build.SourcesDirectory)/coverlet/reports -reporttypes:"Cobertura"
  displayName: 'Create reports'
- task: PublishCodeCoverageResults@1
  displayName: 'Publish code coverage from $(Build.SourcesDirectory)/coverlet/reports/Cobertura.xml'
  inputs:
    codeCoverageTool: Cobertura
    summaryFileLocation: '$(Build.SourcesDirectory)/coverlet/reports/Cobertura.xml'

- task: SonarSource.sonarcloud.ce096e50-6155-4de8-8800-4221aaeed4a1.SonarCloudAnalyze@1
  displayName: 'Run SonarCloud Code Analysis'

- task: SonarSource.sonarcloud.38b27399-a642-40af-bb7d-9971f69712e8.SonarCloudPublish@1
  displayName: 'Publish SonarCloud Quality Gate Result'
```

for a PR with these changes

we get this quality gate result

with changes that were not in the PR

Hey @peter.derwa,

Welcome to the community!

> under the settings in sonarcloud, under “new code”, we have set Number of days 30, but as I understood your documentation, this will only apply to mainline branch, and the PR will always look at only the PR changes?

Yes, this should not reflect the changes done in the PR as they are compared with the reference branch.

Can you tell me what warnings you got? It looks like you have a “Last analysis had 2 warnings” popup at the top of the screen.

Do you have the “Shallow fetch” option enabled for your Azure Pipeline? And if you do, can you disable it and make sure the full repository gets checked out?

Best,
Marcin

Hi Marcin,

Thanks for the reply.

We actually have a custom checkout procedure, because our repository has so many tags (because of all of the pull requests) that it was taking much longer to check out.

```yaml
- task: CmdLine@2
  displayName: 'Checkout repository'
  inputs:
    script: |
      if DEFINED SYSTEM_PULLREQUEST_PULLREQUESTID ( SET pullRequestArgs=+refs/heads/*:refs/remotes/origin/* +refs/pull/%SYSTEM_PULLREQUEST_PULLREQUESTID%/merge:refs/remotes/pull/%SYSTEM_PULLREQUEST_PULLREQUESTID%/merge )
      git init
      git remote add origin https://xxx.visualstudio.com/Project/_git/Repo
      git config gc.auto 0
      git config --get-all http.https://cgk-qpark.visualstudio.com/C2C-Pass-Digital/_git/Pass.extraheader
      git config --get-all http.proxy
      git config http.version HTTP/1.1
      echo "Fetching origin %pullRequestArgs%"
      git -c http.extraheader="AUTHORIZATION: bearer %SYSTEM_ACCESSTOKEN%" fetch --force --no-tags --prune --progress --depth 1 --no-recurse-submodules origin %pullRequestArgs%
      git checkout --progress --force $(Build.SourceVersion)
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
```

I think I can add one extra detail: we don’t run a new analysis on the mainline branch after a PR succeeds, to save some build time. It does look like it checks the PR analysis against the last analysis of the mainline branch we are merging into, is that possible?

Hi @peter.derwa,

Not analyzing the target branch should not cause this issue.

I think this line is exactly the problem:

```
git -c http.extraheader="AUTHORIZATION: bearer %SYSTEM_ACCESSTOKEN%" fetch --force --no-tags --prune --progress --depth 1 --no-recurse-submodules origin %pullRequestArgs%
```

It looks like you are fetching the pull-request branch with --depth set to 1, and you only check out the pull-request branch. I reproduced your case and was able to make it work by checking out the target branch and increasing the depth. You have to tweak the depth parameter so the scanner can find the merge-base between the branches.

Do you have this error:

```
Could not find ref: master in refs/heads, refs/remotes/upstream or refs/remotes/origin
```

or

```
WARN: No merge base found between HEAD and refs/remotes/origin/master
```

in the logs of the scanner?

Best,
Marcin
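As an added example (not code from the thread or from SonarSource), the bash script below reproduces the failure mode Marcin describes against a throwaway local repository: it builds a constructed stand-in for the remote with a `develop` branch and a `feature` branch, then repeats the pipeline's checkout with different `--depth` values, with and without also fetching the target branch, and probes for the merge-base that the scanner needs in order to decide what counts as new code. All repository names, branch names and commit contents are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: why a "--depth 1" fetch of only the PR ref leaves no merge-base,
# and how fetching the target branch with enough depth restores it.
set -euo pipefail

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
REMOTE="$WORK/remote"   # constructed stand-in for the Azure DevOps repository

# Build the "remote": develop with 3 commits, feature branched off develop with 2 more.
make_remote() {
  git init -q "$REMOTE"
  git -C "$REMOTE" symbolic-ref HEAD refs/heads/develop
  git -C "$REMOTE" config user.email ci@example.invalid
  git -C "$REMOTE" config user.name ci
  for i in 1 2 3; do
    echo "develop $i" > "$REMOTE/d$i.txt"
    git -C "$REMOTE" add -A
    git -C "$REMOTE" commit -qm "develop commit $i"
  done
  git -C "$REMOTE" checkout -qb feature
  for i in 1 2; do
    echo "feature $i" > "$REMOTE/f$i.txt"
    git -C "$REMOTE" add -A
    git -C "$REMOTE" commit -qm "feature commit $i"
  done
  git -C "$REMOTE" checkout -q develop
}

# Mimic the pipeline checkout: fetch the PR ref at depth $1, and the target
# branch too when $2 is "yes". Prints "found" or "missing" depending on whether
# a merge-base between HEAD and the target branch exists in the clone.
checkout_and_probe() {
  local depth=$1 fetch_target=$2
  local dir="$WORK/clone-$depth-$fetch_target"
  rm -rf "$dir"
  git init -q "$dir"
  git -C "$dir" remote add origin "file://$REMOTE"
  local refs="+refs/heads/feature:refs/remotes/origin/feature"
  if [ "$fetch_target" = yes ]; then
    refs="$refs +refs/heads/develop:refs/remotes/origin/develop"
  fi
  # $refs is intentionally word-split into separate refspecs
  # shellcheck disable=SC2086
  git -C "$dir" fetch -q --no-tags --depth "$depth" origin $refs
  git -C "$dir" checkout -q --force origin/feature
  if git -C "$dir" merge-base HEAD refs/remotes/origin/develop >/dev/null 2>&1; then
    echo found
  else
    echo missing
  fi
}

make_remote
printf '%-6s %-13s %s\n' depth fetch_target merge-base
for depth in 1 2 3 100; do
  for target in no yes; do
    printf '%-6s %-13s %s\n' "$depth" "$target" "$(checkout_and_probe "$depth" "$target")"
  done
done
```

Without the target branch in the clone the merge-base can never be computed, whatever the depth; with it, the depth must reach back past the point where the PR branch diverged (here 3, because the feature branch is 2 commits ahead of the fork point), otherwise the shallow boundary cuts the history before the common ancestor and every commit reachable from HEAD looks new to the scanner.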

Hi Marcin,

I didn’t find “could not find ref:”,
but I did find “WARN: No merge base found between HEAD and refs/remotes/origin/develop”.

After adding a depth of 100 I didn’t see that warning anymore, so I’ll be monitoring the analysis for the upcoming week and I’ll let you know if that fixed it.

Thank you for the support
