PR analysis show files not changed in the Pull Request

Hi,

We have integrated SonarQube 8.9.3 (build 48735) with Jenkins, and sometimes after an analysis on Jenkins we observe that SonarQube shows incorrect files which are not part of the patchset and are not expected to be in the report. This issue happens sporadically. Sometimes re-triggering the analysis or a rebase helps to resolve it. This might be related to the fact that we use the Gerrit/patchset model instead of PR branches, and we use a git reference instead of a branch name for “sonar.pullrequest.branch”.

Could you please advise?

Checkout logs

 > git fetch --tags --force --progress -- ssh://... refs/changes/*:refs/changes/* # timeout=10
 > git rev-parse refs/changes/84/51684/7^{commit} # timeout=10
 > git rev-parse refs/remotes/origin/refs/changes/84/51684/7^{commit} # timeout=10
Checking out Revision 32db98c08c707aeae8d4c3ea8eea7bc62a36f2cf (refs/changes/84/51684/7)
 > git checkout -f 32db98c08c707aeae8d4c3ea8eea7bc62a36f2cf # timeout=10
 > git rev-parse --verify HEAD # timeout=10
 > git reset --hard # timeout=10

Analysis command

./gradlew --info --stacktrace  
 -Dsonar.login=...
 -Dsonar.host.url=...
 -Dsonar.pullrequest.key=51684
 -Dsonar.pullrequest.branch=refs/changes/84/51684/7
 -Dsonar.pullrequest.base=master
 -Dsonar.qualitygate.wait=true
 -Dsonar.projectVersion=32db98c08c7@2022-12-12-09:52
  bip_entities:sonarqube

Analysis logs

> Task :bip_entities:sonarqube
JaCoCo report task detected, but XML report is not enabled or it was not produced. Coverage for this task will not be reported.
Caching disabled for task ':bip_entities:sonarqube' because:
  Build cache is disabled
Task ':bip_entities:sonarqube' is not up-to-date because:
  Task has not declared any outputs despite executing actions.
JaCoCo report task detected, but XML report is not enabled or it was not produced. Coverage for this task will not be reported.
User cache: /home/tomcat/.sonar/cache
Default locale: "en_US", source code encoding: "UTF-8"
SonarScanner will require Java 11 to run, starting in SonarQube 9.x
Load global settings
Load global settings (done) | time=1188ms
Server id: E42A49CB-AWfN3BbkCYqlOlKpsvso
User cache: /home/tomcat/.sonar/cache
Load/download plugins
Load plugins index
Load plugins index (done) | time=233ms
Load/download plugins (done) | time=359ms
Loaded core extensions: developer-scanner
JavaScript/TypeScript frontend is enabled
Process project properties
Process project properties (done) | time=9ms
Execute project builders
Execute project builders (done) | time=1ms
Project key: ...
Base dir :..
Working dir: /opt/data/payon/bip_entities/gradle_build/sonar
Load project settings for component key:...
Load project settings for component key:.. | time=208ms
Load project branches
Load project branches (done) | time=220ms
Load project pull requests
Load project pull requests (done) | time=344ms
Load branch configuration
Found manual configuration of branch/PR analysis. Skipping automatic configuration.
Load branch configuration (done) | time=2ms
Load quality profiles
Load quality profiles (done) | time=243ms
Load active rules
Load active rules (done) | time=9764ms
Pull request 51684 for merge into master from refs/changes/84/51684/7
SCM collecting changed files in the branch
SCM collecting changed files in the branch (done) | time=190ms
Indexing files...
Project configuration:

396 files indexed

> Task :bip_entities:sonarqube
0 files ignored because of scm ignore settings
Quality profile for java: ....
------------- Run sensors on module ...
JavaScript/TypeScript frontend is enabled
Load metrics repository
Load metrics repository (done) | time=233ms
Sonargraph Integration: Created 55 predefined and 0 custom metric(s)
Sensor JavaSquidSensor [java]
Configured Java source version (sonar.java.source): 8
JavaClasspath initialization
JavaClasspath initialization (done) | time=30ms
JavaTestClasspath initialization
JavaTestClasspath initialization (done) | time=18ms
Java Main Files AST scan

375 source files to be analyzed
...
21 source files to be analyzed

> Task :bip_entities:sonarqube
Slowest analyzed files:
...
Unresolved imports/types have been detected during analysis. Enable DEBUG mode to see them.
Java Main Files AST scan (done) | time=44953ms
Java Test Files AST scan

21/21 source files have been analyzed
0 source files to be analyzed
0/0 source files have been analyzed
0/0 source files have been analyzed

> Task :bip_entities:sonarqube
Java Test Files AST scan (done) | time=1596ms
Java Generated Files AST scan
Java Generated Files AST scan (done) | time=3ms
Sensor JavaSquidSensor [java] (done) | time=46974ms
Sensor HTL [aemrules]
0 source files to be analyzed
Sensor HTL [aemrules] (done) | time=8ms
Sensor CoberturaSensor [cobertura]
Sensor CoberturaSensor [cobertura] (done) | time=1ms
Sensor CSS Rules [cssfamily]
No CSS, PHP, HTML or VueJS files are found in the project. CSS analysis is skipped.
Sensor CSS Rules [cssfamily] (done) | time=4ms
Sensor PmdSensor [pmd]
Sensor PmdSensor [pmd] (done) | time=0ms
Sensor C# Project Type Information [csharp]
Sensor C# Project Type Information [csharp] (done) | time=1ms
Sensor C# Properties [csharp]
Sensor C# Properties [csharp] (done) | time=1ms
Sensor SurefireSensor [java]
Sensor SurefireSensor [java] (done) | time=1ms
Sensor Removed properties sensor [java]
Property 'sonar.jacoco.reportPaths' is no longer supported. Use JaCoCo's xml report and sonar-jacoco plugin.
Sensor Removed properties sensor [java] (done) | time=0ms
Sensor CheckstyleSensor [checkstyle]
Checkstyle charset: UTF-8
Sensor CheckstyleSensor [checkstyle] (done) | time=1797ms
Sensor SmellMeasuresSensor [smells]
Sensor SmellMeasuresSensor [smells] (done) | time=83ms
Sensor Clover Coverage Analysis [clover]
Clover XML report not found
Sensor Clover Coverage Analysis [clover] (done) | time=4ms
Sensor ThymeLeaf template sensor [securityjavafrontend]
javasecurity:S5131 is not activated in quality profile: skipping execution of thymeleaf sensor.
Sensor ThymeLeaf template sensor [securityjavafrontend] (done) | time=0ms


> Task :bip_entities:sonarqube
Sensor FindBugs Sensor [findbugs] (done) | time=96846ms
Sensor HTML [web]
Sensor HTML [web] (done) | time=6ms
Sensor VB.NET Project Type Information [vbnet]
Sensor VB.NET Project Type Information [vbnet] (done) | time=1ms
Sensor VB.NET Properties [vbnet]
Sensor VB.NET Properties [vbnet] (done) | time=1ms
Sensor JaCoCo XML Report Importer [jacoco]
'sonar.coverage.jacoco.xmlReportPaths' is not defined. Using default locations: target/site/jacoco/jacoco.xml,target/site/jacoco-it/jacoco.xml,build/reports/jacoco/test/jacocoTestReport.xml
No report imported, no coverage information will be imported by JaCoCo XML Report Importer
Sensor JaCoCo XML Report Importer [jacoco] (done) | time=6ms
Sensor Packages sensor [jdepend]
Sensor Packages sensor [jdepend] (done) | time=7ms
Sensor JavaSecuritySensor [security]
Read 934 type definitions
13:58:23.43 Building Runtime Type propagation graph
13:58:23.522 Running Tarjan on 15574 nodes
13:58:23.544 Tarjan found 15534 components
13:58:23.578 Variable type analysis: done
13:58:23.583 Building Runtime Type propagation graph
13:58:23.65 Running Tarjan on 15619 nodes
13:58:23.666 Tarjan found 15579 components
13:58:23.696 Variable type analysis: done
Analyzing 3697 ucfgs to detect vulnerabilities.
All rules entrypoints : 0 Retained UCFGs : 0
rule: S2076, entrypoints: 0
rule: S2076 done
rule: S2091, entrypoints: 0
rule: S2091 done
rule: S2631, entrypoints: 0
rule: S2631 done
rule: S5135, entrypoints: 0
rule: S5135 done
rule: S2083, entrypoints: 0
rule: S2083 done
Sensor JavaSecuritySensor [security] (done) | time=2132ms
Sensor CSharpSecuritySensor [security]
Read 0 type definitions
No UCFGs have been included for analysis.
Sensor JsSecuritySensor [security] (done) | time=0ms
Process Dependency-Check report (done) | time=3ms
Sensor Dependency-Check [dependencycheck] (done) | time=4ms
Sensor Zero Coverage Sensor
Sensor Zero Coverage Sensor (done) | time=72ms
Sensor Java CPD Block Indexer
Sensor Java CPD Block Indexer (done) | time=243ms
SCM Publisher SCM provider for this project is: git
SCM Publisher 2 source files to be analyzed

SCM Publisher 2/2 source files have been analyzed (done) | time=258ms
CPD Executor CPD calculation finished (done) | time=97ms

> Task :bip_entities:sonarqube
CPD Executor 114 files had no CPD blocks
CPD Executor Calculating CPD for 261 files
SCM writing changed lines
SCM writing changed lines (done) | time=118ms
Analysis report generated in 233ms, dir size=691 KB
Analysis report compressed in 315ms, zip size=426 KB
Analysis report uploaded in 2587ms
------------- Check Quality Gate status
Waiting for the analysis report to be processed (max 300s)
QUALITY GATE STATUS: PASSED - View details on https:/.../dashboard?id=....bip_entities&pullRequest=https%3A%2F%2F.....com%2F51684
Analysis total time: 3:04.967 s
:bip_entities:sonarqube (Thread[Execution worker for ':' Thread 3,5,main]) completed. Took 3 mins 8.705 secs.

Hi,

We did some work in the 9-series on improving the detection of new code. But if you’re seeing this intermittently on the same PRs, I have to guess it’s caused by external factors & I’m not sure how to help.

Ann

Hi,

I guess there is only one external factor: new commits on master branch. :slightly_smiling_face:
Can you please elaborate on how SonarQube detects changed files for PR?
Is it something like ‘git diff master…feature_branch’?
What will be in case if feature branch does not exist?

Hi,

Are those new commits in master rebased into your branches? Because that’s what we worked on.

Ann

Based on our observations, the problem is reproducible both when new commits are rebased onto the feature branch and when they are NOT rebased.

But could you please help with my questions above regarding the missing feature branch and the git command used for changed-files detection? It will help to understand the issue more deeply.

I guess this method is used, but I'm not sure.

Hi,

I’ll be honest: I don’t know.

What I do know is that we improved detection of new code, especially related to rebasing on the main branch, early-ish in the 9-series and if you were to upgrade to the latest version (9.8 due on Monday) you would probably experience fewer problems.

I just don’t understand this question. If the feature branch doesn’t exist… then there’s nothing to analyze?

Ann

Hi,

Thank you for the honest answer.

As I explained at the beginning, due to Gerrit model we don’t use branches for PRs. We use git refs for that purpose. Basically, git refs are aliases for commit hashes.
So we use it instead of the branch name for “sonar.pullrequest.branch” and it works in most cases.

How would PR analysis work in such a scenario?

Hi,

I’m out of my depth. I’ve flagged this for more expert eyes.

Ann

Can anyone look at this issue and advise, please?

Hello @eugene.kurbatov, thanks for sharing this.
It feels like something very specific to your Gerrit/patchset setup.

I am trying to understand your question about missing feature branch. Which feature branch is missing? The feature branch is supposed to be the core of the analysis against the main branch of your repository.

I’m not OP, but we’re on 9.9 with the latest sonar-scanner at this time, 4.8.2856, and experiencing the same issue with standard git/GitHub Enterprise PRs.

We’re running our main CI pipeline on the merge result of a specific branch commit onto a specific target commit (usually on master). When looking at the sonar-scanner options, there are only 3 things we can specify for PRs:

sonar.pullrequest.key, sonar.pullrequest.branch, sonar.pullrequest.base as per Pull Request analysis

We routinely have many “new issues” on code that wasn’t changed in these PRs. And while changes in, e.g., configuration options may cause this, it seems far too common that the only sources that changed are ones other than those affected by the PR.

But at whatever point we compare, these are never files that are in git diff $(git merge-base --fork-point origin/master)... --name-only, so I’m not sure where this diff comes from.

It would maybe be helpful if we could specify the exact source version and target version to sonar-scanner so it can get the exact merged files as a result. This could be optional, but since we know the exact commits, it seems pointless to let SonarQube guess.
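The two questions in this thread (what a changed-files detection command like `git diff master...feature_branch` actually yields, and why files outside the patchset can show up once master moves on) can be checked directly with git. The script below is an added example, not code from this thread or from SonarSource, and it does not claim to reproduce the scanner's internal logic, which nobody in the thread has confirmed. It builds a throwaway repository shaped like the original post (a `master` branch plus a `refs/changes/84/51684/7` ref borrowed from the post's log, with constructed file names and commits), lets master advance after the patchset was made, and then lists "changed files" three ways: a tip-to-tip comparison of the two refs, the three-dot form that diffs from the merge base, and the same merge-base comparison spelled out explicitly (without `--fork-point`, which needs reflog history the scratch repo does not have).

```shell
#!/bin/sh
# Added example, not code from the thread or from SonarSource. Builds a scratch
# repository mimicking the Gerrit/patchset layout from the post and shows which
# files each style of git comparison attributes to the patchset once master has
# moved on. The ref name refs/changes/84/51684/7 is taken from the post's log;
# file names and commit contents are constructed for the example.
set -eu

# Run git inside the scratch repo with a fixed identity and no commit signing,
# so the example behaves the same on any CI agent.
g() {
    r="$1"; shift
    git -C "$r" -c user.name=example -c user.email=example@example.invalid \
        -c commit.gpgsign=false "$@"
}

# History built here (constructed):
#   A (master) --- B (master, edits base-only.txt after the patchset exists)
#    \
#     P (refs/changes/84/51684/7, adds feature.txt only)
# Prints the repository path.
make_repo() {
    repo=$(mktemp -d)
    g "$repo" init -q
    g "$repo" symbolic-ref HEAD refs/heads/master
    echo base > "$repo/base-only.txt"
    g "$repo" add base-only.txt
    g "$repo" commit -q -m "A: initial"
    # The patchset forks from A and touches only feature.txt.
    g "$repo" checkout -q --detach master
    echo feature > "$repo/feature.txt"
    g "$repo" add feature.txt
    g "$repo" commit -q -m "P: patchset 7"
    g "$repo" update-ref refs/changes/84/51684/7 HEAD
    # Master advances independently after the patchset was created.
    g "$repo" checkout -q master
    echo more >> "$repo/base-only.txt"
    g "$repo" commit -q -am "B: unrelated change on master"
    echo "$repo"
}

# Tip-to-tip comparison of master and the patchset: every file that differs
# between the two tips is reported, so B's base-only.txt is blamed on the
# patchset even though the patchset never touched it.
changed_files_tip_to_tip() {
    g "$1" diff --name-only master refs/changes/84/51684/7 | tr '\n' ' ' | sed 's/ $//'
}

# Three-dot form (diff from the merge base): only files the patchset itself
# changed since it forked from master.
changed_files_since_fork() {
    g "$1" diff --name-only "master...refs/changes/84/51684/7" | tr '\n' ' ' | sed 's/ $//'
}

# Same result with the merge base computed explicitly, close to the
# git merge-base command quoted later in the thread.
changed_files_explicit_merge_base() {
    base=$(g "$1" merge-base master refs/changes/84/51684/7)
    g "$1" diff --name-only "$base" refs/changes/84/51684/7 | tr '\n' ' ' | sed 's/ $//'
}

main() {
    repo=$(make_repo)
    echo "tip-to-tip:          $(changed_files_tip_to_tip "$repo")"
    echo "since fork point:    $(changed_files_since_fork "$repo")"
    echo "explicit merge-base: $(changed_files_explicit_merge_base "$repo")"
    rm -rf "$repo"
}

main
```

Only the tip-to-tip comparison reports `base-only.txt`, which is exactly the kind of file the posts above describe as "not part of the patchset": any detection that compares the patchset against the current tip of the base, rather than against the commit the patchset forked from, will attribute every later change on master to the PR. When a PR report lists files the change never touched, comparing it against the merge-base output for the same two refs is a quick way to tell whether the base moved between checkout and analysis.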