SonarQube uses the scan at E and consider only K and L as new code/leak on this PR branch.
I have validated the heck out of this. I tried to break it and couldn’t. I’ve tested rebasing on multiple previous (and scanned) versions of Develop. I’ve tested rebasing on versions of Release and Master that are not scanned, but have direct descendants on Develop that are.
If you are encountering this issue, you should consider upgrading to 7.4 and making sure that the base branch is long-lived and scanned on each commit.
Thanks @AlainODea for taking the time and effort for the extensive (re-)testing, and for the kind words!
(Awesome diagram-hack too, making the thread highly informative and insightful in a very effective way.)
There are Sonar scans for Develop at D, E, and F.
I have PR-4321 at L.
F is merged to Develop including fixes for existing Sonar issues I-123 and I-321 on Develop.
The Sonar scan for PR-4321 shows I-123 and I-321 as introduced by PR-4321.
I would expect the PR-4321 scan to diff against the scan at E, rather than the scan at F.
This is expected. The issue exists in the PR and not it’s base. The assumption is that you’ll either rebase to pick up those fixes (which you’ll need to do before merge anyway) or merge your PR/SLB before it becomes a problem.
While this makes sense and it’s good to know, it will complicate our process.
Merges to the equivalent of Develop happen multiple times a day and developers understandably don’t want to merge or rebase work in progress multiple times a day to keep up with that.
Most of our developers don’t rebase prior to merge. This has rarely caused issues and would be a substantial process change for us. If they rebase, all reviews are dismissed, and they need to wait 40 minutes for the regression suite to run. If a new merge gets into Develop in the mean time, they’re back to square one.
Will a future version of SonarQube use the scan at the branchpoint (E) instead of the latest scan on the base branch as the reference for new issues?
No. We can only compare to current state, not previous states.
At the same time, I have to ask: why not rebase before L is analyzed? Surely L triggered the regression suite on its own? And if they simply don’t want to rebase, then just mark those issues as Won’t Fix.