PR scans not detecting code changes that branch scans do

We are having an issue with every PR we create, we get a comment from the sonarcloud bot saying there is no coverage/duplication info and 0 issues even when there are some in the branch. This then causes the checks to go green when they should be red as there are issues in the code that need resolving.

The differences between the PR run and the branch are lack of coverage/duplicated code info, and no code changes are picked up with the PR run (I’m guessing causing the lack of coverage/duped code) but I can’t get to the bottom of why this would happen when running basically the same command in the same environment. The only differences in our CI runs at the moment is in the script where we run sonar-scanner, checking on the $PR_NUMBER env var, running a PR scan if it exists.

  • ALM: Github
  • CI: semaphoreCI with sonar-scanner
  • Scanner command:
if [ -z "$PR_NUMBER" ]; then
  # Regular branch running through the CI.
  /root/sonar-scanner/bin/sonar-scanner \
    -Dsonar.projectKey=<key> \
    -Dsonar.organization=<org> \
    -Dsonar.projectBaseDir=<base_dir> \
    -Dsonar.sources=<base_dir> \
    -Dsonar.host.url=https://sonarcloud.io \
    -Dsonar.login=$SONAR_KEY \
    -Dsonar.password= \
    -Dsonar.branch.name=$TARGET_BRANCH \
    -Dsonar.python.coverage.reportPaths=<base_dir>/coverage.xml \
    -Dsonar.javascript.lcov.reportPaths=<base_dir>/lcov.info \
    -Dsonar.cfamily.build-wrapper-output.bypass=true \
    -Dsonar.exclusions=<some_files_and_folders>
else
  # Pull request run through the CI.
  /root/sonar-scanner/bin/sonar-scanner \
    -Dsonar.projectKey=<key> \
    -Dsonar.organization=<org> \
    -Dsonar.projectBaseDir=<base_dir> \
    -Dsonar.sources=<base_dir> \
    -Dsonar.host.url=https://sonarcloud.io \
    -Dsonar.login=$SONAR_KEY \
    -Dsonar.password= \
    -Dsonar.python.coverage.reportPaths=<base_dir>/coverage.xml \
    -Dsonar.javascript.lcov.reportPaths=<base_dir>/lcov.info \
    -Dsonar.cfamily.build-wrapper-output.bypass=true \
    -Dsonar.exclusions=<some_files_and_folders> \
    -Dsonar.pullrequest.provider=github \
    -Dsonar.pullrequest.github.repository=$PR_SLUG \
    -Dsonar.pullrequest.branch=$CI_BRANCH \
    -Dsonar.pullrequest.key=$PR_NUMBER \
    -Dsonar.pullrequest.base=$TARGET_BRANCH
fi

For my testing, the env_vars used were:

$SONAR_KEY = 40-character-long sonar key
$PR_SLUG = <org>/<repo_name>, the same as found in GitHub
$CI_BRANCH = bugfix/2130
$PR_NUMBER = 2421
$TARGET_BRANCH = develop
  • Languages: Python (2 and 3), TypeScript, PL/SQL, HTML/CSS, Rust
  • Both the sonar project and github project are closed source.

Pull request run through, showing green:

Branch run through on the same branch, showing code issues:

Bot on the github PR showing green:

As new users can only post 3 things in a post, here are the warnings we have in the sonar dashboard:

And the log for the pull request scan:

INFO: Scanner configuration file: /root/sonar-scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: <base_dir>/sonar-project.properties
INFO: SonarScanner 4.5.0.2216
INFO: Java 17-ea Oracle Corporation (64-bit)
INFO: Linux 4.15.0-151-generic amd64
INFO: User cache: /root/.sonar/cache
INFO: Scanner configuration file: /root/sonar-scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: <base_dir>/sonar-project.properties
INFO: Analyzing on SonarCloud
INFO: Default locale: "en", source code encoding: "UTF-8" (analysis is platform dependent)
INFO: Load global settings
INFO: Load global settings (done) | time=129ms
INFO: Server id: 1BD809FA-AWHW8ct9-T_TB3XqouNu
INFO: User cache: /root/.sonar/cache
INFO: Load/download plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=32ms
INFO: Load/download plugins (done) | time=3139ms
INFO: Loaded core extensions: developer-scanner
INFO: Load project settings for component key: '<key>'
INFO: Load project settings for component key: '<key>' (done) | time=28ms
INFO: Process project properties
INFO: Execute project builders
INFO: Execute project builders (done) | time=1ms
INFO: Project key: <key>
INFO: Base dir: <base_dir>
INFO: Working dir: <base_dir>/.scannerwork
INFO: Load project branches
INFO: Load project branches (done) | time=38ms
INFO: Check ALM binding of project '<key>'
INFO: Detected project binding: NOT_BOUND
INFO: Check ALM binding of project '<key>' (done) | time=13ms
INFO: Load project pull requests
INFO: Load project pull requests (done) | time=83ms
INFO: Load branch configuration
INFO: Load branch configuration (done) | time=2ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=69ms
INFO: Load active rules
INFO: Load active rules (done) | time=1173ms
INFO: Organization key: rs
INFO: Pull request 2421 for merge into develop from bugfix/2130
INFO: SCM collecting changed files in the branch
INFO: SCM collecting changed files in the branch (done) | time=190ms
INFO: Indexing files...
INFO: Project configuration:
INFO:   Excluded sources: <some_files_and_folders>
INFO: 1626 files indexed
INFO: 1974 files ignored because of inclusion/exclusion patterns
INFO: 193 files ignored because of scm ignore settings
INFO: Quality profile for css: Sonar way
INFO: Quality profile for js: Sonar way Recommended
INFO: Quality profile for json: SonarQube Way
INFO: Quality profile for plsql: Sonar way
INFO: Quality profile for py: <...> - This is the way
INFO: Quality profile for terraform: Sonar way
INFO: Quality profile for ts: <...> - This is the way
INFO: Quality profile for web: Sonar way
INFO: Quality profile for xml: Sonar way
INFO: Quality profile for yaml: Sonar way
INFO: ------------- Run sensors on module <key>
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=16ms
INFO: Sensor CSS Metrics [cssfamily]
INFO: Sensor CSS Metrics [cssfamily] (done) | time=228ms
INFO: Sensor CSS Rules [cssfamily]
INFO: 175 source files to be analyzed
INFO: 175/175 source files have been analyzed
INFO: Sensor CSS Rules [cssfamily] (done) | time=3106ms
INFO: Sensor IaC Terraform Sensor [iac]
INFO: Sensor IaC Terraform Sensor [iac] (done) | time=0ms
INFO: Sensor IaC CloudFormation Sensor [iac]
INFO: Sensor IaC CloudFormation Sensor [iac] (done) | time=0ms
INFO: Sensor PL/SQL Sensor [plsql]
WARN: The Data Dictionary is not configured for PLSQL analyzer which prevents rule(s) S3641, S3921, S3618, S3651 to raise issues. See https://sonarcloud.io/documentation/analysis/languages/plsql/
INFO: 3 source files to be analyzed
WARN: 
WARN: Unable to fully parse: <base_dir>/<dirs>/sql/10.sql
WARN: Parse error starting from line 1659
WARN: 
WARN: 
WARN: Unable to fully parse: <base_dir>/<dirs>/sql/10.sql
WARN: Parse error starting from line 1680
WARN: 
INFO: 3/3 source files have been analyzed
INFO: Sensor PL/SQL Sensor [plsql] (done) | time=787ms
INFO: Sensor C# Project Type Information [csharp]
INFO: Sensor C# Project Type Information [csharp] (done) | time=2ms
INFO: Sensor C# Properties [csharp]
INFO: Sensor C# Properties [csharp] (done) | time=1ms
INFO: Sensor JavaXmlSensor [java]
INFO: 3 source files to be analyzed
INFO: 3/3 source files have been analyzed
INFO: Sensor JavaXmlSensor [java] (done) | time=126ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=398ms
INFO: Sensor XML Sensor [xml]
INFO: 3 source files to be analyzed
INFO: 3/3 source files have been analyzed
INFO: Sensor XML Sensor [xml] (done) | time=89ms
INFO: Sensor VB.NET Project Type Information [vbnet]
INFO: Sensor VB.NET Project Type Information [vbnet] (done) | time=1ms
INFO: Sensor VB.NET Properties [vbnet]
INFO: Sensor VB.NET Properties [vbnet] (done) | time=1ms
INFO: Sensor Python Sensor [python]
WARN: Your code is analyzed as compatible with python 2 and 3 by default. This will prevent the detection of issues specific to python 2 or python 3. You can get a more precise analysis by setting a python version in your configuration via the parameter "sonar.python.version"
INFO: Starting global symbols computation
INFO: 382 source files to be analyzed
INFO: 382/382 source files have been analyzed
INFO: Starting rules execution
INFO: 382 source files to be analyzed
INFO: 236/382 files analyzed, current file: <random_file>.py
INFO: 382/382 source files have been analyzed
INFO: Sensor Python Sensor [python] (done) | time=22005ms
INFO: Sensor Cobertura Sensor for Python coverage [python]
INFO: Python test coverage
INFO: Parsing report '<base_dir>/coverage.xml'
INFO: Sensor Cobertura Sensor for Python coverage [python] (done) | time=183ms
INFO: Sensor PythonXUnitSensor [python]
INFO: Sensor PythonXUnitSensor [python] (done) | time=131ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: 'sonar.coverage.jacoco.xmlReportPaths' is not defined. Using default locations: target/site/jacoco/jacoco.xml,target/site/jacoco-it/jacoco.xml,build/reports/jacoco/test/jacocoTestReport.xml
INFO: No report imported, no coverage information will be imported by JaCoCo XML Report Importer
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=5ms
INFO: Sensor JavaScript analysis [javascript]
INFO: Deploying custom rules bundle jar:file:/root/.sonar/cache/d56f116051dbab33b2a9e2aee8b0502b/sonar-securityjsfrontend-plugin.jar!/js-vulnerabilities-rules-1.0.0.tgz to <base_dir>/.scannerwork/.sonartmp/eslint-bridge-bundle/package/custom-rules9720987599330888898
WARN: You are using Node.js version 10, which reached end-of-life. Support for this version will be dropped in future release, please upgrade Node.js to more recent version.
INFO: 2 source files to be analyzed
INFO: 2/2 source files have been analyzed
INFO: Sensor JavaScript analysis [javascript] (done) | time=4447ms
INFO: Sensor TypeScript analysis [javascript]
INFO: Found 3 tsconfig.json file(s): [<base_dir>/<some_dirs>/tsconfig.json, <base_dir>/<some_dirs>/tsconfig.json, <base_dir>/<some_dirs>/tsconfig.json]
INFO: Analyzing 309 files using tsconfig: <base_dir>/<some_dirs>/tsconfig.json
INFO: 336 source files to be analyzed
INFO: 123/336 files analyzed, current file: <some_dirs>/index.tsx
INFO: Analyzing 27 files using tsconfig: <base_dir>/<some_dirs>/tsconfig.json
INFO: 331/336 files analyzed, current file: <some_dirs>/index.tsx
INFO: 336/336 source files have been analyzed
INFO: Sensor TypeScript analysis [javascript] (done) | time=20598ms
INFO: Sensor JavaScript/TypeScript Coverage [javascript]
WARN: No coverage information will be saved because LCOV file cannot be found.
WARN: Provided LCOV file path: <base_dir>/lcov.info. Seek file with path: <base_dir>/lcov.info
WARN: No coverage information will be saved because all LCOV files cannot be found.
INFO: Sensor JavaScript/TypeScript Coverage [javascript] (done) | time=1ms
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend]
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend] (done) | time=4ms
INFO: Sensor Python HTML templates processing [securitypythonfrontend]
INFO: Found no 'settings.py' files in the project. We will consider 'autoescape' project option enabled.
INFO: Sensor Python HTML templates processing [securitypythonfrontend] (done) | time=86ms
INFO: Sensor Serverless configuration file sensor [securityjsfrontend]
INFO: 0 Serverless function entries were found in the project
INFO: 0 Serverless function handlers were kept as entrypoints
INFO: Sensor Serverless configuration file sensor [securityjsfrontend] (done) | time=38ms
INFO: Sensor JavaSecuritySensor [security]
INFO: Reading type hierarchy from: <base_dir>/.scannerwork/ucfg2/java
INFO: Read 0 type definitions
INFO: Reading UCFGs from: <base_dir>/.scannerwork/ucfg2/java
INFO: No UCFGs have been included for analysis.
INFO: Sensor JavaSecuritySensor [security] (done) | time=3ms
INFO: Sensor CSharpSecuritySensor [security]
INFO: Reading type hierarchy from: <base_dir>/ucfg_cs2
INFO: Read 0 type definitions
INFO: Reading UCFGs from: <base_dir>/ucfg_cs2
INFO: No UCFGs have been included for analysis.
INFO: Sensor CSharpSecuritySensor [security] (done) | time=0ms
INFO: Sensor PhpSecuritySensor [security]
INFO: Reading type hierarchy from: <base_dir>/.scannerwork/ucfg2/php
INFO: Read 0 type definitions
INFO: Reading UCFGs from: <base_dir>/.scannerwork/ucfg2/php
INFO: No UCFGs have been included for analysis.
INFO: Sensor PhpSecuritySensor [security] (done) | time=1ms
INFO: Sensor PythonSecuritySensor [security]
INFO: Reading type hierarchy from: <base_dir>/.scannerwork/ucfg2/python
INFO: Read 1429 type definitions
INFO: Reading UCFGs from: <base_dir>/.scannerwork/ucfg2/python
INFO: 11:59:44.351445163 Building Runtime Type propagation graph
INFO: 11:59:44.639331764 Running Tarjan on 50263 nodes
INFO: 11:59:44.724819724 Tarjan found 50111 components
INFO: 11:59:44.945506007 Variable type analysis: done
INFO: 11:59:44.947586022 Building Runtime Type propagation graph
INFO: 11:59:45.257937258 Running Tarjan on 48631 nodes
INFO: 11:59:45.298686757 Tarjan found 48495 components
INFO: 11:59:45.444947433 Variable type analysis: done
INFO: Analyzing 8221 ucfgs to detect vulnerabilities.
INFO: All rules entrypoints : 0 Retained UCFGs : 0
INFO: rule: S5334, entrypoints: 0
INFO: rule: S5334 done
INFO: rule: S5135, entrypoints: 0
INFO: rule: S5135 done
INFO: rule: S3649, entrypoints: 0
INFO: rule: S3649 done
INFO: rule: S5146, entrypoints: 0
INFO: rule: S5146 done
INFO: rule: S2083, entrypoints: 0
INFO: rule: S2083 done
INFO: rule: S2091, entrypoints: 0
INFO: rule: S2091 done
INFO: rule: S2078, entrypoints: 0
INFO: rule: S2078 done
INFO: rule: S5145, entrypoints: 0
INFO: rule: S5145 done
INFO: rule: S5167, entrypoints: 0
INFO: rule: S5167 done
INFO: rule: S5144, entrypoints: 0
INFO: rule: S5144 done
INFO: rule: S2076, entrypoints: 0
INFO: rule: S2076 done
INFO: rule: S5131, entrypoints: 0
INFO: rule: S5131 done
INFO: rule: S2631, entrypoints: 0
INFO: rule: S2631 done
INFO: Sensor PythonSecuritySensor [security] (done) | time=5400ms
INFO: Sensor JsSecuritySensor [security]
INFO: Reading type hierarchy from: <base_dir>/.scannerwork/ucfg2/js
INFO: Read 0 type definitions
INFO: Reading UCFGs from: <base_dir>/.scannerwork/ucfg2/js
INFO: 11:59:49.182533524 Building Runtime Type propagation graph
INFO: 11:59:49.224428866 Running Tarjan on 11987 nodes
INFO: 11:59:49.232054084 Tarjan found 11983 components
INFO: 11:59:49.24099193 Variable type analysis: done
INFO: 11:59:49.241150872 Building Runtime Type propagation graph
INFO: 11:59:49.299934101 Running Tarjan on 11987 nodes
INFO: 11:59:49.305391741 Tarjan found 11983 components
INFO: 11:59:49.312891519 Variable type analysis: done
INFO: Analyzing 1575 ucfgs to detect vulnerabilities.
INFO: rule: S5146, entrypoints: 340
INFO: Running symbolic analysis
INFO: rule: S5146 done
INFO: rule: S5883, entrypoints: 340
INFO: Running symbolic analysis
INFO: rule: S5883 done
INFO: rule: S6105, entrypoints: 340
INFO: Running symbolic analysis
INFO: rule: S6105 done
INFO: rule: S5144, entrypoints: 340
INFO: Running symbolic analysis
INFO: rule: S5144 done
INFO: rule: S5131, entrypoints: 340
INFO: Running symbolic analysis
INFO: rule: S5131 done
INFO: rule: S2631, entrypoints: 340
INFO: Running symbolic analysis
INFO: rule: S2631 done
INFO: rule: S6096, entrypoints: 340
INFO: Running symbolic analysis
INFO: rule: S6096 done
INFO: rule: S5696, entrypoints: 340
INFO: Running symbolic analysis
INFO: rule: S5696 done
INFO: rule: S5334, entrypoints: 340
INFO: Running symbolic analysis
INFO: rule: S5334 done
INFO: rule: S2076, entrypoints: 340
INFO: Running symbolic analysis
INFO: rule: S2076 done
INFO: rule: S3649, entrypoints: 340
INFO: Running symbolic analysis
INFO: rule: S3649 done
INFO: rule: S2083, entrypoints: 340
INFO: Running symbolic analysis
INFO: rule: S2083 done
INFO: rule: S5147, entrypoints: 340
INFO: Running symbolic analysis
INFO: rule: S5147 done
INFO: Sensor JsSecuritySensor [security] (done) | time=5496ms
INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=45ms
INFO: CPD Executor 73 files had no CPD blocks
INFO: CPD Executor Calculating CPD for 755 files
INFO: CPD Executor CPD calculation finished (done) | time=165ms
INFO: SCM writing changed lines
INFO: SCM writing changed lines (done) | time=8ms
INFO: Analysis report generated in 156ms, dir size=1 MB
INFO: Analysis report compressed in 576ms, zip size=964 KB
INFO: Analysis report uploaded in 144ms
INFO: ANALYSIS SUCCESSFUL, you can find the results at: https://sonarcloud.io/dashboard?id=<key>&pullRequest=2421
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at <sonarcloud_api_addr>
INFO: Analysis total time: 1:19.172 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: -----------------------------------------------------------------------

A few last things to add: git rev-parse --is-shallow-repository returns false, and we are using the 4.5.0.2216-linux version of the sonar-scanner CLI. I also just tried running the latest 4.6.2.2472 and got the same results.

Occasionally we will get PR runs that go through and produce the same quality gate as the branch run; however, they are not very frequent, as most get 0 code changes as described above.

This quality gate is also incorrect, flagging a file that has not been touched in this branch as needing more test coverage.

This PR changed only Rust code in the repo, which Sonarcloud doesn’t handle.

Edit: The above changes were from another PR made (and merged) before #2443 was run through sonarcloud. I guess this could indicate a caching issue with our CI/CD pipeline, which I will try and do some investigation into.

Hi @Rowan_Harrison , thanks for all provided information.

Could I ask you to set up your script based on this documentation page, then give it another try? Basically, restrict the pull request configuration to the following attributes:

sonar.pullrequest.base=master
sonar.pullrequest.branch=feature/my-new-feature
sonar.pullrequest.key=5

I am asking this because your scanner log output reports a NOT_BOUND project, which does not make sense to me:

INFO: Check ALM binding of project '<key>'
INFO: Detected project binding: NOT_BOUND
INFO: Check ALM binding of project '<key>' (done) | time=13ms

In short, just remove these settings from your CI script:

-Dsonar.pullrequest.provider=github \
-Dsonar.pullrequest.github.repository=$PR_SLUG

Hey Alexandre thanks for the reply,

I’ve removed those two lines and got the same Detected project binding: NOT_BOUND

I just want to double-check: should the lines above/below contain the name of the SonarCloud project? I also just went and checked the branch pipeline for that commit and it also shows as NOT_BOUND.

I’ve also since spotted some irregularities in the git reflog on our CI, so I’ve contacted them for clarification.

Thanks for trying that!

The NOT_BOUND status is probably because you didn’t create the project using the SonarCloud UI. I guess it was created by some automation tool/script, could you confirm? This status means that at SonarCloud the project does not have any association with the ALM (GitHub in your case), and that is why I am surprised that you get the PR decorations and checks; maybe I am missing something.

Below are the properties that properly identify the project at SonarCloud:

-Dsonar.projectKey=<key> \
-Dsonar.organization=<org>

I think yours are correct.

Please let me know if you find something at your CI provider, since the intermittent behavior you mentioned is also strange to me.

Could you check if your branch configuration is correct? SonarCloud uses some patterns (configurable) to establish long- and short-living branches, and the new code period will be applied to the short-lived ones. This could lead to the failed QG at your develop branch.

Another thing that could help: add debug information to your CI script to get the environment values used. We assume that the scripts handle a PR or a branch analysis properly. For example: can we double-check that PR_NUMBER is always valid for those scenarios? (Sorry, I don’t know about semaphoreCI.)

I’m having a similar issue to this and my configuration is almost the same (see below). The problem I have specifically is that the Pull Request decorator always shows 0 bugs, smells etc. and no coverage or duplication information. Unsure if it is related but when selecting the pull request in the SonarCloud UI I am unable to see any code whereas if I look at the master branch I can see code.

The changes in this specific PR reduce the coverage to below the quality gate of 80% and introduce a bug and a security hotspot (all just for testing), so it should flag something.

Note: Detected project binding: BOUND shows up in the logs, if that makes the issue any different to the original poster.

Any help would be greatly appreciated!


PROJECTKEY="${ORGANIZATION}_${_PROJECT_NAME}"

if [[ -z "$_PR_NUMBER" ]]; then
    echo "1"
    sonar-scanner \
    -Dsonar.organization=$ORGANIZATION \
    -Dsonar.projectKey=$PROJECTKEY \
    -Dsonar.projectName=$_PROJECT_NAME \
    -Dsonar.projectVersion=$VERSION \
    -Dsonar.sources=. \
    -Dsonar.host.url=$_SONARQUBE_SERVER \
    -Dsonar.login=$_SONARQUBE_ACCESS_TOKEN \
    -Dsonar.branch.name=$BRANCH_NAME \
    -Dsonar.branch.target=$BASE \
    "$@"
else
    sonar-scanner \
    -Dsonar.organization=$ORGANIZATION \
    -Dsonar.projectKey=$PROJECTKEY \
    -Dsonar.projectName=$_PROJECT_NAME \
    -Dsonar.projectVersion=$VERSION \
    -Dsonar.sources=. \
    -Dsonar.host.url=$_SONARQUBE_SERVER \
    -Dsonar.login=$_SONARQUBE_ACCESS_TOKEN \
    -Dsonar.pullrequest.base=$BASE \
    -Dsonar.pullrequest.branch=$BRANCH_NAME \
    -Dsonar.pullrequest.key=$_PR_NUMBER \
    "$@"
fi

Turns out my problem was because of Google Cloud Build doing shallow clones. This meant that when it came to comparing branches, it was comparing the branch to itself.

Solutions here were to either workaround Google Cloud Build and do an unshallow clone or use GitHub Actions.


Hey, turns out it was our CI/CD system caching our git repo that was causing this issue; as soon as we were able to remove that caching our issues went away and everything worked correctly. Their git clone does a shallow clone as well (which probably didn’t help things), but we are able to get the PR stuff working.

Thanks for your time @Alexandre_Holzhey, even if it wasn’t a Sonar issue.


Thanks both @Scott_MacLeod and @Rowan_Harrison for sharing your findings here! This can help other users in the future! :wink:


I see the same symptoms as Rowan and Scott describe: while the main branch analysis performs correctly, the PR analysis is unable to detect any bugs nor provide coverage/duplication information. It seems that Sonar (in this case SonarCloud) does not see any code changes; if I take a look at the results of the PR analysis and open the “Code” tab, it’s empty.

A bit of context:

  • Java project built by Maven; the analysis uses the sonar-maven-plugin
  • main branch is analyzed via GitHub Actions after push
  • PRs are analyzed via Jenkins
  • Detected project binding: BOUND (in both main branch and PR analysis)
  • The analysis is reported as successful and the “Administration → Background Tasks” shows no warnings
  • I use the following properties to identify the PR:
    sonar.pullrequest.base
    sonar.pullrequest.branch
    sonar.pullrequest.github.repository (added only during the investigation; does not seem to have any effect on this issue)
    sonar.pullrequest.key
    sonar.pullrequest.provider=GitHub

As for the root causes suggested above in this thread:

  • I am not aware of any sort of caching in the CI
  • shallow cloning does not seem to be the problem (see my reasoning below)

I tried to clone the repo locally (normal deep clone) and executed analysis on the PR branch twice:
A) without supplying sonar.pullrequest properties, resulting in a correct main branch analysis that showed all expected bugs and coverage information
B) with supplying sonar.pullrequest properties, resulting in empty analysis of the PR

I appreciate any suggestions about what else to investigate.

Thank you,
Radek

The problem was caused by a CI system that merged the PR branch into the main branch before the project build started, making it impossible for SonarCloud to detect any changes.
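The three root causes reported in this thread (a shallow clone, a CI cache serving a stale git checkout, and a CI that merges the PR into the base branch before the build) all leave the scanner with nothing to diff against sonar.pullrequest.base, which is why the PR analysis reports no changed code, no coverage and 0 issues. The script below is an added example, not from this thread or from SonarSource, of a pre-flight check to run in the PR job before invoking sonar-scanner so that such a checkout fails loudly instead of producing a green check. The function name and its arguments are assumptions of this example; the environment variable names in the usage comment follow the first post.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): pre-flight checks for a SonarCloud pull
# request analysis. Verifies that the checkout can actually yield a PR diff.
# Assumes git is on PATH and the CI has checked out the PR head as HEAD.

# Usage: sonar_pr_preflight <repo_dir> <pr_branch> <base_branch> <pr_key>
# Returns 0 when the checkout is fit for a PR analysis; otherwise prints the
# reason on stderr and returns 1, so the CI step fails before sonar-scanner runs.
sonar_pr_preflight() {
  local repo_dir="$1" pr_branch="$2" base_branch="$3" pr_key="$4"
  local base_ref merge_base changed

  # sonar.pullrequest.key must be the numeric PR id, not a slug or a URL.
  case "$pr_key" in
    ''|*[!0-9]*) echo "preflight: PR key '$pr_key' is not a number" >&2; return 1 ;;
  esac

  # A PR whose head and base are the same branch has no changed lines by definition.
  if [ "$pr_branch" = "$base_branch" ]; then
    echo "preflight: PR branch and base branch are both '$base_branch'" >&2; return 1
  fi

  # A shallow clone has no history to compute the merge base from
  # (the "comparing the branch to itself" symptom from the thread).
  if [ "$(git -C "$repo_dir" rev-parse --is-shallow-repository)" = "true" ]; then
    echo "preflight: repository is a shallow clone; fetch with --unshallow" >&2; return 1
  fi

  # The base branch must exist locally, as a local branch or as origin/<branch>;
  # a cached or partial checkout often lacks it.
  for base_ref in "refs/heads/$base_branch" "refs/remotes/origin/$base_branch"; do
    if git -C "$repo_dir" rev-parse --verify --quiet "$base_ref" >/dev/null; then
      break
    fi
    base_ref=""
  done
  if [ -z "$base_ref" ]; then
    echo "preflight: base branch '$base_branch' not found locally; fetch it first" >&2; return 1
  fi

  # Count changed files from the merge base to HEAD, the same range a PR diff covers.
  # Zero means HEAD already is the base, e.g. the CI merged the PR before the build.
  merge_base=$(git -C "$repo_dir" merge-base HEAD "$base_ref") || return 1
  changed=$(git -C "$repo_dir" diff --name-only "$merge_base" HEAD | wc -l | tr -d ' ')
  if [ "$changed" -eq 0 ]; then
    echo "preflight: no files differ between '$base_branch' and HEAD (already merged?)" >&2
    return 1
  fi
  echo "preflight: OK, $changed changed file(s) relative to '$base_branch'"
  return 0
}

# Example CI usage with the variable names from the first post (hypothetical):
#   if [ -n "$PR_NUMBER" ]; then
#     sonar_pr_preflight . "$CI_BRANCH" "$TARGET_BRANCH" "$PR_NUMBER" || exit 1
#     sonar-scanner ... -Dsonar.pullrequest.key="$PR_NUMBER" \
#       -Dsonar.pullrequest.branch="$CI_BRANCH" -Dsonar.pullrequest.base="$TARGET_BRANCH"
#   fi
```

Because the checks are cheap and purely local, they can run in the branch job as well; in that case only the shallow-clone check is meaningful, since a branch analysis does not diff against a base.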