PR decoration comments are getting added for the files that are Not Part of PR Changes

  • SonarQube Version: 8.5
  • Get only the appropriate comments (enabled PR decoration feature)
  • SonarQube Developer edition.

Problem Statement: When someone merges code into master (from a pull request, say PR1) and right after that a gated build triggers on another PR (say PR2), then after the PR analysis, as part of PR decoration, we get some additional comments in PR2 (about SonarQube reported bugs, code smells, etc.) for source code changes that were merged to master in PR1.

Information:
We have enabled the below features on Azure DevOps and SonarQube instance:

We have also configured a full SonarQube scan on the master branch, and it gets triggered whenever something gets merged to master.

Can you please look into the issue and provide us with a solution asap?

Thanks,
Sandy

Hi @Sandy,

Welcome to our community forum.

I’d like to ask you for more information before investigating further.

  1. Is what you described reproducible? How often?
  2. Are PR-1 & PR-2 modifying the same files?
  3. Does PR-2 contain PR-1’s issues on the SonarQube side?

Cheers

Hi @Philippe_Perrin

Thanks for looking into it.

  1. Is what you described reproducible? How often?
    Ans: Yes, it is reproducible. Actually, it happens as often as PR builds run, i.e. quite frequently during sprint closure days.

  2. Are PR-1 & PR-2 modifying the same files?
    Ans: No, it is not necessary; this issue occurs even if different files are updated in PR-1 and PR-2.

  3. Does PR-2 contain PR-1’s issues on the SonarQube side?
    Ans: Yes, they are visible on the SonarQube side as well.

I hope this helps. Please let me know if further info is required.

Regards,
Sandy

Hi @Sandy

Are the lines detected as “changed” by SonarQube in PR-2 correct?
Changed lines have a yellow background color.
In P/Rs, SonarQube will only display issues that involve a line changed in the PR.

Hi @dmeneses

No, Sonar shows the added/changed lines of PR-1 in PR-2 as well in the above-mentioned scenario.

Ok. So I think there might be a problem on the scanner side.
Are you using git? If you’re using git, the scanner should use a git client to determine what changed in the P/R compared to its target.
Could you please post the scanner logs with debug enabled?


Hi @dmeneses,

Sorry for the delayed response.

Yes, we are using git. Please find attached the logs of Sonar Scanner: sonarqube_ce_15-12.log (32.5 KB)
This log file was generated while Sonar was scanning PR-2 (as described in the main query). And we got the additional comments in it, i.e. PR-2 shows comments related to changes that were done in PR-1.

Hope this helps in looking further into the issue.


The file you posted is from the CE process of the server. Do you have the logs of the scanner (that is probably running in your CI)?

With git we are pretty confident that the scanner is able to find the correct changes in the P/R.
Sometimes what happens is that the clone/checkout is done in a way that doesn’t leave all git branches correctly available to the scanner. If the logs include the cloning process we can check if there’s any problem there.

We are using three tasks in the CI pipeline, i.e. Sonar Prepare, Run Analysis (with the build in between these two) and Publish. By scanner logs, do you mean the logs generated by the Run Analysis task?

Hi @Sandy,

Please provide:

  • A snapshot of the configuration of the “Get sources” pre-step of your pipelines
  • Logs of the “Checkout” step of your pipeline run
  • Logs of the “Run analysis” or “Run code analysis” step of your pipeline run (make sure you enabled first the debug mode on the scanner: add sonar.log.level=DEBUG to the Additional properties of your pipeline’s “Prepare analysis on SonarQube” step)

=> This would help us understand how the git checkout is done and how the scanner interacts with the sources.
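The check dmeneses describes above (the scanner compares the PR to its target branch through git, and a checkout that leaves the target branch unavailable breaks that comparison) as an added shell example; this is not part of any post in the thread. It assumes the PR is checked out as HEAD and the target is origin/master, and it constructs a throwaway repository that reproduces the PR-1/PR-2 situation.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the git comparison the
# scanner depends on: with the target ref available, only PR-2's own files
# are reported; without it there is nothing correct to compare against.

# Print the files changed by the checked-out PR relative to its target.
# Assumed target ref: origin/master (not stated in the thread).
pr_changed_files() {
  repo="$1"; target="${2:-origin/master}"
  # A single-branch or otherwise incomplete checkout leaves no target ref;
  # the scanner cannot then separate PR changes from earlier merges.
  if ! git -C "$repo" rev-parse --verify --quiet "$target" >/dev/null; then
    echo "MISSING_TARGET_REF"
    return 1
  fi
  base=$(git -C "$repo" merge-base HEAD "$target")
  git -C "$repo" diff --name-only "$base" HEAD | sort | tr '\n' ' ' | sed 's/ $//'
}

# Constructed demo repo: PR-2 branches from master, PR-1 is merged to
# master afterwards, then PR-2 adds its own file. Prints the repo path.
build_demo_repo() {
  d=$(mktemp -d)
  g() { git -C "$d" -c user.name=demo -c user.email=demo@example.com \
           -c init.defaultBranch=master "$@"; }
  g init -q
  echo base > "$d/base.txt"; g add base.txt; g commit -q -m "base"
  g branch -q pr2                               # PR-2 starts before PR-1 merges
  echo pr1 > "$d/pr1.txt"; g add pr1.txt; g commit -q -m "PR-1 merged to master"
  g update-ref refs/remotes/origin/master HEAD  # what a full fetch would provide
  g checkout -q pr2
  echo pr2 > "$d/pr2.txt"; g add pr2.txt; g commit -q -m "PR-2 change"
  echo "$d"
}

demo=$(build_demo_repo)
echo "PR-2 changed files: $(pr_changed_files "$demo")"
rm -rf "$demo"
```

Run the same function against a real pipeline checkout to see whether the target ref is present at all and which files the PR actually changes.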