Pull request analysis from sonar-scanner not detecting changes

I’m using SonarCloud + GitHub on a private repo, mainly a Python project. Analysis worked well enough, but I wanted to get coverage too, so I’ve switched to the sonar-scanner-cli … (after trying the action and having a number of issues).
But I can’t get pull request analysis to correctly detect changes:

sonar-project.properties looks like this

sonar.projectKey=XXXXX
sonar.organization=XXXX
sonar.host.url=https://sonarcloud.io
sonar.python.version=3.9
sonar.exclusions=scripts/**/*,docker/locust/**/*,**/*_tests.py
sonar.test.inclusions=**/*_tests.py,**/test_*.py,features/*.feature
sonar.cpd.exclusions=**/*_tests.py,features/**/*,**/conftest.py
sonar.testExecutionReportPaths=sonar/tests.xml
sonar.python.coverage.reportPaths=sonar/coverage.xml
sonar.coverage.exclusions=./scripts/**
sonar.python.file.suffixes=.py

running sonar with sonar-scanner -X -Dsonar.projectBaseDir=${GITHUB_WORKSPACE}

here’s some key info from the debug logs for a recent build

switching to ‘pull/554/merge’.

git branch:

*(HEAD detached at pull/554/merge)
develop

git log --oneline -n 3

deb8b944 Merge 87a990b0d11f26a40384330487af1605dddfe4a5 into 94ba4dfd5c1cfbade5ef7a16837dde89c4afd5df
87a990b0 mesh-663: sound-proofing
94ba4dfd Merge pull request #543

so 94ba4dfd5c1cfbade5ef7a16837dde89c4afd5df is the base/target branch SHA
there are 62 modified files in the change …
but …

in the scanner logs I see:

21:10:27.503 INFO: Load branch configuration
21:10:27.504 INFO: Github event: pull_request
21:10:27.522 INFO: Auto-configuring pull request 554

and then

21:10:51.885 DEBUG: Merge base sha1: 87a990b0d11f26a40384330487af1605dddfe4a5
21:10:51.888 DEBUG: SCM reported changed lines for 0 files in the branch
21:10:51.888 INFO: SCM writing changed lines (done) | time=21ms
21:10:53.830 INFO: Analysis report generated in 2115ms, dir size=219 KB
21:10:53.980 INFO: Analysis report compressed in 149ms, zip size=92 KB

I’ve also tried running the scanner with specific params:

 sonar-scanner -X -Dsonar.projectBaseDir=${GITHUB_WORKSPACE} -Dsonar.pullrequest.branch=${GITHUB_HEAD_REF} -Dsonar.pullrequest.base=${GITHUB_BASE_REF} -Dsonar.pullrequest.key=${{ github.event.number }}

but still I see ‘no changes’ coverage / or affected files in the PR analysis

additionally, given the prerequisites in Pull Request Analysis | SonarQube Docs
Before analyzing your Pull Requests, make sure that:

  • The Pull Request source branch is checked out in the local repository.
  • The branch being targeted by the Pull Request is fetched and present in the local repository.

I’ve also tried an explicit checkout to the two branches … e.g.

git checkout "${GITHUB_BASE_REF}"
git checkout "${GITHUB_HEAD_REF}"
sonar-scanner -X

Hey there.

If the analysis is taking place in the context of a GitHub Actions pipeline, can you include your GitHub Actions YML file?


Hi Colin …
got to the bottom of it … turned out we were also locally merging into the target branch, to ensure a clean --ff-only merge, :man_facepalming: so ofc there were no new lines detected, and not resetting before running the scan!

In a similar vein though, when comparing for a pull request, is it possible to just specify the explicit sha1 of the base or head?

e.g. `-Dsonar.pullrequest.base="{{ github.event.pull_request.base.sha }}"` or does Sonar require an actual local branch?

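The cause found above (the PR was already merged into the local target branch, so the scanner saw 0 changed files relative to the merge base) can be caught in CI before the scan runs. This is an added example, not part of the original posts: `pr_scan_guard` is a hypothetical helper, and it approximates the scanner's changed-files step with `git diff` against the merge base.

```shell
#!/bin/sh
# Added example, not from the thread. pr_scan_guard is a hypothetical helper.
# It prints the number of files that differ between the merge base and the
# PR head, and returns:
#   0  there are changed files to analyse
#   1  the diff is empty (the symptom "changed lines for 0 files")
#   2  the base ref, head ref or a common ancestor is missing locally
pr_scan_guard() {
    base_ref="$1"
    head_ref="${2:-HEAD}"

    head_sha=$(git rev-parse --verify --quiet "${head_ref}^{commit}") || {
        echo "head ref '${head_ref}' not found" >&2; return 2; }
    base_sha=$(git rev-parse --verify --quiet "${base_ref}^{commit}") || {
        echo "base ref '${base_ref}' is not present locally; fetch it first" >&2
        return 2; }
    merge_base=$(git merge-base "$head_sha" "$base_sha") || {
        echo "no common ancestor (shallow clone?)" >&2; return 2; }

    # Same three values the scanner's debug log lets you compare by hand.
    echo "head=${head_sha} base=${base_sha} merge-base=${merge_base}" >&2

    changed=$(git diff --name-only "$merge_base" "$head_sha" | wc -l | tr -d ' ')
    echo "$changed"
    if [ "$changed" -eq 0 ]; then
        echo "0 changed files: '${base_ref}' already contains the PR changes" >&2
        echo "(was the PR merged into the local target branch before the scan?)" >&2
        return 1
    fi
    return 0
}

# Typical use in the CI step, before sonar-scanner:
#   pr_scan_guard "${GITHUB_BASE_REF}" >/dev/null || exit 1
```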

Glad you were able to sort it out. Sonar requires an actual local branch.


Sonar requires an actual local branch.

this seems to work fine -Dsonar.pullrequest.base="{{ github.event.pull_request.base.sha }}"


need a team of player to have this finish