I have a question regarding SonarQube’s Pull Request analysis.
I performed an analysis on a Pull Request from the develop branch to the release branch with the following settings:
sonar.pullrequest.branch=develop
sonar.pullrequest.base=release
There is code in the develop branch that should be flagged as an issue,
but the Pull Request analysis did not flag it, and the analysis passed.
However, after merging into the release branch, the branch analysis for release failed and the issue was flagged.
What is the difference in cases where the Pull Request analysis does not flag code as an issue even though it should?
Is there a specification where issues are not reported if the conditions for passing the Quality Gate are met, even if there are issues?
The environment is as follows:
SonarQube: 10.2.1 Developer
Source Code: Java/Kotlin project and Objective-C/Swift project
GitHub Enterprise
The Quality Gate being used is shown in the attached image.
PR analysis only raises issues on changed lines. There are a number of cases where changes in one line can cause new issues to be raised in an untouched line.
Were the issues raised after merge raised on lines that were changed in the PR?
This happened with a line that was changed in a PR.
I think this will become an issue at the PR analysis stage.
The code I changed was not flagged as an issue, so I merged it.
But the branch analysis flagged the changed line as an issue.
As it turns out, I was looking for the Gradle log. Unfortunately Gradle’s default logging level isn’t all that helpful. What this shows is an exception during analysis, but that seems unrelated to the initial report here, which is that PR analysis is missing some issues.
Did this Gradle log come from a PR analysis that missed some issues?
And if so, can you add a --info flag to the Gradle command and provide the resulting log for re-analyzing that PR?
Thanks for the log. With it, I’m revising my earlier opinion that the stacktrace was a red herring. And… you say that after merge, analysis runs without error and raises issues?
At this point I would normally flag this for the language experts, but refreshing myself on your initial post I see that you’re on 10.2.1, which is EOL. Can you upgrade to 10.6 and see if this is still replicable?
you say that after merge, analysis runs without error and raises issues?
Yes.
Since we update based on the LTS (LTA), we cannot update to version 10.6.
The reason we are currently using version 10.2.1 is that there was a critical bug in iOS analysis in version 9.9, and we specially updated to version 10.2.1, which includes the fix to avoid that issue.
The current issue is not critical, but I asked this question because I would like to explain to users whether it is a bug in version 10.2.1 and which version contains the fix.
You’re already not on the LTA. Which means you’re on an EOL version. I urge you to take the 10.6 upgrade. Unfortunately, I’m not sure we can help you with this on the 10.2 version.
And if you really can’t take the upgrade, the new LTA is expected in November.
PR analysis didn’t detect your newly-introduced null-pointer dereference?
No, the issue was not detected.
I am a little concerned about this.
In the GHE PR, the new line is “3 New Lines”.
I am concerned that the new line is “0 New Lines” on SonarQube.
Gradle log outputs “java file 1file” and “kotlin file 1file” as if they were analyzed.
If this log information is correct, it seems strange that the SonarQube screen should show “3 new lines”.
Where, exactly, are you seeing it report “3 New Lines” and where are you seeing 0? (Screenshots might be helpful…)
If 0 new lines were detected, that would explain why your issue wasn’t raised: PRs only report issues raised in new code. So this may just be about getting the checkout right.
Since the experiment was carried out under the same conditions, the PR is the content of the capture.
“0 New Lines” is the part framed in red in this capture.
The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.