Pull Request scan not publishing analysis on new lines

So I am scanning a Java pull request on GitHub with AWS CodeBuild for CI using sonar-scanner-4.4.0.2170-linux and it is not publishing analysis on new lines to SonarCloud PR.
Scanner command used:

sonar-scanner \
  -Dsonar.pullrequest.base=spike/test-base-branch \
  -Dsonar.pullrequest.branch=spike/test-pr-branch \
  -Dsonar.pullrequest.key=*** \
  -Dsonar.pullrequest.provider=github \
  -Dsonar.pullrequest.github.repository=*** \
  -Dsonar.coverage.jacoco.xmlReportPaths=build/reports/coverage/jacoco.xml \
  -Dsonar.projectKey=*** \
  -Dsonar.projectName=*** \
  -Dsonar.organization=*** \
  -Dsonar.sources=src \
  -Dsonar.host.url=https://sonarcloud.io \
  -Dsonar.sourceEncoding=UTF-8 \
  -Dsonar.login=*** \
  -Dsonar.java.source=1.8 \
  -Dsonar.java.binaries=build/classes \
  -Dsonar.java.libraries=build/native-libs \
  -Dsonar.scm.provider=git \
  -Dsonar.scm.exclusions.disabled=true

Output:

INFO: Scanner configuration file: /codebuild/output/src495061989/src/github.com/***/sonar-scanner-4.4.0.2170-linux/conf/sonar-scanner.properties
INFO: Project root configuration file: /codebuild/output/src495061989/src/github.com/***/sonar-project.properties
INFO: SonarScanner 4.4.0.2170
INFO: Java 11.0.3 AdoptOpenJDK (64-bit)
INFO: Linux 4.14.181-108.257.amzn1.x86_64 amd64
INFO: User cache: /root/.sonar/cache
INFO: Scanner configuration file: /codebuild/output/src495061989/src/github.com/***/sonar-scanner-4.4.0.2170-linux/conf/sonar-scanner.properties
INFO: Project root configuration file: /codebuild/output/src495061989/src/github.com/***/sonar-project.properties
INFO: Analyzing on SonarCloud
INFO: Default locale: "en_US", source code encoding: "UTF-8"
INFO: Load global settings
INFO: Load global settings (done) | time=275ms
INFO: Server id: 1BD809FA-AWHW8ct9-T_TB3XqouNu
INFO: User cache: /root/.sonar/cache
INFO: Load/download plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=80ms
INFO: Load/download plugins (done) | time=16854ms
INFO: Loaded core extensions: developer-scanner
INFO: Process project properties
INFO: Execute project builders
INFO: Execute project builders (done) | time=9ms
INFO: Project key: ***
INFO: Base dir: /codebuild/output/src495061989/src/github.com/***
INFO: Working dir: /codebuild/output/src495061989/src/github.com/***/.scannerwork
INFO: Load project settings for component key: '***'
INFO: Load project settings for component key: '***' (done) | time=153ms
INFO: Found an active CI vendor: 'AWS CodeBuild'
INFO: Load project branches
INFO: Load project branches (done) | time=57ms
INFO: Check ALM binding of project '***'
INFO: Detected project binding: NOT_BOUND
INFO: Check ALM binding of project '***' (done) | time=64ms
INFO: Load project pull requests
INFO: Load project pull requests (done) | time=76ms
INFO: Load branch configuration
INFO: The base branch 'spike/test-base-branch' is not a long branch. Using its own base instead: 'master'
INFO: Load branch configuration (done) | time=3ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=108ms
INFO: Load active rules
INFO: Load active rules (done) | time=1658ms
INFO: Exclusions based on SCM info is disabled by configuration
INFO: Organization key: ***
INFO: Pull request *** for merge into spike/test-base-branch from spike/test-pr-branch
INFO: SCM collecting changed files in the branch
INFO: SCM collecting changed files in the branch (done) | time=354ms
INFO: Indexing files...
INFO: Project configuration:
INFO: 151 files indexed
INFO: Quality profile for java: Sonar way
INFO: Quality profile for xml: Sonar way
INFO: ------------- Run sensors on module dip-serverless-motor-pmid
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=52ms
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by net.sf.cglib.core.ReflectUtils$1 (file:/root/.sonar/cache/a89f1943fc75b65becd9fb4ecab8d913/sonar-tsql-plugin.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of net.sf.cglib.core.ReflectUtils$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
INFO: Sensor JavaSquidSensor [java]
INFO: Configured Java source version (sonar.java.source): 8
INFO: JavaClasspath initialization
INFO: JavaClasspath initialization (done) | time=12ms
INFO: JavaTestClasspath initialization
INFO: JavaTestClasspath initialization (done) | time=3ms
INFO: Java Main Files AST scan
INFO: 137 source files to be analyzed
INFO: 82/137 files analyzed, current file: src/main/java/com/theaa/dip/motor/pmid/dto/vo/MainVO.java
INFO: 115/137 files analyzed, current file: src/main/java/com/theaa/dip/motor/pmid/dto/DriverDTO.java
INFO: 137/137 source files have been analyzed
INFO: Java Main Files AST scan (done) | time=25550ms
INFO: Java Test Files AST scan
INFO: 0 source files to be analyzed
INFO: Java Test Files AST scan (done) | time=16ms
INFO: Java Generated Files AST scan
INFO: 0 source files to be analyzed
INFO: Java Generated Files AST scan (done) | time=1ms
INFO: Sensor JavaSquidSensor [java] (done) | time=25798ms
INFO: Sensor SonarCSS Rules [cssfamily]
INFO: No CSS, PHP, HTML or VueJS files are found in the project. CSS analysis is skipped.
INFO: Sensor SonarCSS Rules [cssfamily] (done) | time=1ms
INFO: Sensor SurefireSensor [java]
INFO: 0/0 source files have been analyzed
INFO: parsing [/codebuild/output/src495061989/src/github.com/***/target/surefire-reports]
INFO: Sensor SurefireSensor [java] (done) | time=14ms
INFO: Sensor JavaXmlSensor [java]
INFO: 1 source files to be analyzed
INFO: 0/0 source files have been analyzed
INFO: 1/1 source files have been analyzed
INFO: Sensor JavaXmlSensor [java] (done) | time=370ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=4ms
INFO: Sensor XML Sensor [xml]
INFO: 1 source files to be analyzed
INFO: Sensor XML Sensor [xml] (done) | time=134ms
INFO: 1/1 source files have been analyzed
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: Importing 1 report(s). Turn your logs in debug mode in order to see the exhaustive list.
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=154ms
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend]
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend] (done) | time=0ms
INFO: Sensor JavaSecuritySensor [security]
INFO: Reading type hierarchy from: /codebuild/output/src495061989/src/github.com/***/.scannerwork/ucfg2/java
INFO: Read 201 type definitions
INFO: Reading UCFGs from: /codebuild/output/src495061989/src/github.com/***/.scannerwork/ucfg2/java
INFO: 12:55:33.13453 Building Type propagation graph
INFO: 12:55:33.178034 Running Tarjan on 1963 nodes
INFO: 12:55:33.19625 Tarjan found 1963 components
INFO: 12:55:33.208266 Variable type analysis: done
INFO: 12:55:33.210644 Building Type propagation graph
INFO: 12:55:33.241283 Running Tarjan on 1963 nodes
INFO: 12:55:33.2549 Tarjan found 1963 components
INFO: 12:55:33.258726 Variable type analysis: done
INFO: Analyzing 661 ucfgs to detect vulnerabilities.
INFO: All rules entrypoints : 0 Retained UCFGs : 0
INFO: rule: S5131, entrypoints: 0
INFO: rule: S5131 done
INFO: rule: S3649, entrypoints: 0
INFO: rule: S3649 done
INFO: rule: S2076, entrypoints: 0
INFO: rule: S2076 done
INFO: rule: S2091, entrypoints: 0
INFO: rule: S2091 done
INFO: rule: S2078, entrypoints: 0
INFO: rule: S2078 done
INFO: rule: S2631, entrypoints: 0
INFO: rule: S2631 done
INFO: rule: S5135, entrypoints: 0
INFO: rule: S5135 done
INFO: rule: S2083, entrypoints: 0
INFO: rule: S2083 done
INFO: rule: S5167, entrypoints: 0
INFO: rule: S5167 done
INFO: rule: S5144, entrypoints: 0
INFO: rule: S5144 done
INFO: rule: S5145, entrypoints: 0
INFO: rule: S5145 done
INFO: rule: S5146, entrypoints: 0
INFO: rule: S5146 done
INFO: rule: S5334, entrypoints: 0
INFO: rule: S5334 done
INFO: Sensor JavaSecuritySensor [security] (done) | time=1714ms
INFO: Sensor CSharpSecuritySensor [security]
INFO: Reading type hierarchy from: /codebuild/output/src495061989/src/github.com/***/ucfg_cs2
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /codebuild/output/src495061989/src/github.com/***/ucfg_cs2
INFO: No UCFGs have been included for analysis.
INFO: Sensor CSharpSecuritySensor [security] (done) | time=0ms
INFO: Sensor PhpSecuritySensor [security]
INFO: Reading type hierarchy from: /codebuild/output/src495061989/src/github.com/***/.scannerwork/ucfg2/php
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /codebuild/output/src495061989/src/github.com/***/.scannerwork/ucfg2/php
INFO: No UCFGs have been included for analysis.
INFO: Sensor PhpSecuritySensor [security] (done) | time=0ms
INFO: Sensor PythonSecuritySensor [security]
INFO: Reading type hierarchy from: /codebuild/output/src495061989/src/github.com/***/.scannerwork/ucfg2/python
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /codebuild/output/src495061989/src/github.com/***/.scannerwork/ucfg2/python
INFO: No UCFGs have been included for analysis.
INFO: Sensor PythonSecuritySensor [security] (done) | time=0ms
INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=6ms
INFO: Sensor Java CPD Block Indexer
INFO: Sensor Java CPD Block Indexer (done) | time=304ms
INFO: CPD Executor 32 files had no CPD blocks
INFO: CPD Executor Calculating CPD for 105 files
INFO: CPD Executor CPD calculation finished (done) | time=36ms
INFO: SCM writing changed lines
INFO: SCM writing changed lines (done) | time=6ms
INFO: Analysis report generated in 105ms, dir size=279 KB
INFO: Analysis report compressed in 127ms, zip size=151 KB
INFO: Analysis report uploaded in 220ms
INFO: ANALYSIS SUCCESSFUL, you can find the results at: https://sonarcloud.io/dashboard?id=***&pullRequest=***
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at https://sonarcloud.io/api/ce/task?id=***
INFO: Analysis total time: 37.759 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 57.220s
INFO: Final Memory: 37M/127M
INFO: ------------------------------------------------------------------------

Expected (screenshot not included)

Actual (screenshot not included)

I am also facing the same issue.

Hello @taiwo,

If you go to the Code tab of the pull request on SonarCloud, do you see there all the files that were changed in the pull request that are not in the base branch? In other words, is that consistent with what you would see with the command:

git diff --name-only origin/spike/test-base-branch origin/spike/test-pr-branch

Hi Janos,

Thank you for replying to my post. I’m expecting 4 files with additions. I also ran the command in your comment on CodeBuild and saw the 4 files as expected, but there are no files in the Code tab of the pull request on SonarCloud. Do you think this is an issue with the state of the local repo in CodeBuild?

This means that the files are excluded from the analysis. In your scanner command I see sonar.sources=src. Are the changed files under src of the project? (More details in what’s included and excluded on the Narrowing the Focus page of our docs.)

@janos - the source files are not excluded from the analysis. The scan output logs suggest 137 files were analysed. Another user contacted me about having exactly the same issue.

INFO: 137 source files to be analyzed
INFO: 82/137 files analyzed, current file: src/main/java/com/theaa/dip/motor/pmid/dto/vo/MainVO.java
INFO: 115/137 files analyzed, current file: src/main/java/com/theaa/dip/motor/pmid/dto/DriverDTO.java
INFO: 137/137 source files have been analyzed

The most common reasons for not seeing changed files in the pull request:

  • Incorrect values for sonar.pullrequest.base, sonar.pullrequest.key
  • The branch specified by sonar.pullrequest.base cannot be found: in this case you would see a warning about this in the scanner output and also on the UI of the PR (a small box with yellow background in the top-right corner)
  • Not enough commit history is fetched (shallow clone), so the scanner cannot find the common ancestor commit of the base branch and the PR’s branch

Please verify the above, as the solution is most likely there.

As I explained in a previous comment, it would be good to verify the list of changed files that you can expect to be included in the analysis output, by executing the appropriate Git command:

If all your parameters look correct, there are no related warnings in the UI, and the git command includes the files you expect but they don’t show up in the Code tab, then you might have exclusions configured in the SonarCloud UI. A good way to see the effective scanner parameters is on the Background Tasks page, in the Scanner Context option of the task item.

Let me know what you find.

Hi Janos,

I’m the other user Taiwo mentioned with the same issue. Thanks for your response detailing the common reasons. I have a similar set up but with two slightly different branch names and change set. Base branch is develop and PR branch is called sonar-scan.

I have attached 2 images: 1 of a scan performed from my local machine, the second from the CI machine (which is an AWS Codebuild agent).

Local (screenshot not included)

CI (screenshot not included)

  1. I have double checked sonar.pullrequest.base; it is set to develop, which is the desired branch name. I have this set on local scans and on the CI scans taking place on AWS Codebuild. What would be an incorrect value for sonar.pullrequest.key? Currently we set it to the PR number coming from Github, e.g. 6. I have also experimented with hardcoding it to a unique string (‘testKey2’ and ‘testKey4’ in the images supplied, from a local and a CI build), but it doesn’t seem to impact the result. Again, when executing locally it works, but on CI no impact.
  2. I have added a git status command on the CI build script to ensure we can see the develop branch on CI. It’s there.
  3. We didn’t have a deep clone set up, but now we have enabled a full clone and it doesn’t resolve the issue.

In addition to the above I have also executed the git diff command you messaged from Aug 20 on the CI machine. I can see the desired files we want in the diff but still no luck with the files showing in the Code tab.

$ git diff --name-only develop sonar-scan
src/main/.../GroupArtifactApplication.java
src/test/.../PersonServiceTest.java

PersonServiceTest was added to generate some coverage files, which you can see successfully getting picked up, and one modification was made to a source file, GroupArtifactApplication, to force a code smell.

I have looked into the SonarScanner Context in Background Tasks and we don’t have any exclusions set up at the Global or the Project level scopes. One thing I do find odd is how we need to set -Dsonar.scm.exclusions.disabled=true, from local it doesn’t make a difference but on the CI machine it seems to exclude all the files if we don’t have this set which isn’t right as the files are 100% indexed in Git.

I can look to create a sample project I can share source code with you if the above doesn’t help resolve the issue.

Cheers

I just replicated on a sample side project (GitHub - rankers/java-sonar-scanner-sample: Sample Java project to show sonar scanner issue) and the same sonar settings worked first time, therefore I came to the conclusion that this isn’t a sonar settings issue.

On further investigation on the AWS Codebuild side of things. I narrowed it down to the build agent cache settings. We currently have the following defined in Cloudformation config that creates our Codebuild project:

      ... more config

      Cache:
        Type: LOCAL
        Modes:
          - LOCAL_SOURCE_CACHE
          - LOCAL_CUSTOM_CACHE

      ... more config

The docs state:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-projectcache.html

LOCAL_SOURCE_CACHE

Caches Git metadata for primary and secondary sources. After the cache is created, subsequent builds pull only the change between commits. This mode is a good choice for projects with a clean working directory and a source that is a large Git repository. If you choose this option and your project does not use a Git repository (GitHub, GitHub Enterprise, or Bitbucket), the option is ignored.

LOCAL_CUSTOM_CACHE

Caches directories you specify in the buildspec file. This mode is a good choice if your build scenario is not suited to one of the other three local cache modes. If you use a custom cache:

  • Only directories can be specified for caching. You cannot specify individual files.
  • Symlinks are used to reference cached directories.
  • Cached directories are linked to your build before it downloads its project sources. Cached items are overridden if a source item has the same name. Directories are specified using cache paths in the buildspec file.

Seems like one of these settings screws up how the file diff is calculated even though based on normal Git commands executed on the build machine things look OK.

On a successful scan, in the last part of the log under “Run sensors on project”, you can see lines 969-971 showing up, where in Taiwo’s log from the post above these were absent.

INFO: ------------- Run sensors on project
965 INFO: Sensor Zero Coverage Sensor
966 INFO: Sensor Zero Coverage Sensor (done) time=2ms
967 INFO: Sensor Java CPD Block Indexer
968 INFO: Sensor Java CPD Block Indexer (done) time=64ms
969 INFO: SCM Publisher SCM provider for this project is: git
970 INFO: SCM Publisher 2 source files to be analyzed
971 INFO: SCM Publisher 2/2 source files have been analyzed (done) time=106ms
972 INFO: CPD Executor 17 files had no CPD blocks
973 INFO: CPD Executor Calculating CPD for 15 files
974 INFO: CPD Executor CPD calculation finished (done) time=21ms
975 INFO: SCM writing changed lines
976 INFO: SCM writing changed lines (done) time=42ms
977 INFO: Analysis report generated in 2327ms, dir size=208 KB
978 INFO: Analysis report compressed in 49ms, zip size=63 KB
979 INFO: Analysis report uploaded in 234ms
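
The checks from Janos’s list earlier in the thread (sonar.pullrequest.key, base branch resolvable, no shallow clone, git diff of changed files) together with a check for the SCM Publisher lines quoted just above, as an added example that is not part of the thread or of SonarSource’s tooling; it assumes git is on the CI image and that branches are passed as plain refs such as develop and sonar-scan:

```shell
#!/bin/sh
# Added example (not SonarSource's or the thread's own tooling): a CI preflight
# for a SonarCloud pull-request analysis. It checks the three common causes
# listed in the thread (empty key, base branch not found, shallow clone), lists
# the changed files the Code tab should show, and checks a scanner log for the
# "SCM Publisher" lines that appear only when changed lines were attributed.
set -u

# Returns 0 when the checkout can yield a PR diff; otherwise a non-zero
# code with the reason on stderr. Branch names are whatever is passed to
# sonar.pullrequest.base / sonar.pullrequest.branch (e.g. origin/develop).
pr_preflight() {
  base="$1"; pr="$2"; key="$3"
  # sonar.pullrequest.key must be set; the GitHub PR number (e.g. 6) is the usual value
  [ -n "$key" ] || { echo "preflight: sonar.pullrequest.key is empty" >&2; return 1; }
  # An unresolvable base branch produces a warning in the scanner output and on the PR page
  git rev-parse --verify -q "$base^{commit}" >/dev/null ||
    { echo "preflight: base branch '$base' not found" >&2; return 2; }
  git rev-parse --verify -q "$pr^{commit}" >/dev/null ||
    { echo "preflight: PR branch '$pr' not found" >&2; return 3; }
  # A shallow clone hides the common ancestor, so no changed lines can be attributed
  [ "$(git rev-parse --is-shallow-repository)" = "false" ] ||
    { echo "preflight: shallow clone, fetch full history" >&2; return 4; }
  git merge-base "$base" "$pr" >/dev/null ||
    { echo "preflight: no common ancestor between '$base' and '$pr'" >&2; return 5; }
  return 0
}

# Files changed on the PR branch since it diverged from base: the list the
# Code tab of the pull request on SonarCloud is expected to show.
pr_changed_files() {
  git diff --name-only "$(git merge-base "$1" "$2")" "$2"
}

# Succeeds when a scanner log contains the SCM Publisher progress line,
# which the successful CI run in the thread shows and the failing run lacks.
log_has_scm_publisher() {
  grep -q 'SCM Publisher [0-9][0-9]*/[0-9][0-9]* source files have been analyzed' "$1"
}
```

Run pr_preflight before sonar-scanner in the CI step and fail the build on a non-zero exit, so a bad checkout is reported instead of an empty PR on SonarCloud.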

I confirm that in this example the correct setting is sonar.pullrequest.key=6.

When you don’t get the same result in a local run and a CI run, it means that something is different in CI. You need to find out what it is, and then fix it. When you are able to run analysis locally in a way that produces the result that you want, it must be possible to make the CI run work the same way. We can try to give tips for that, but ultimately only you can fully debug and figure it out.

I’m not sure what you added, I would add the diff command (git diff --name-only origin/develop sonar-scan) in CI, which will let you verify the list of files matches what you expect.

That’s indeed strange. The only reason I can think of to do this is if you want to analyze some generated code. If you don’t have a good reason to do this, then I think you shouldn’t, and we should try to understand why this setting seems necessary for the desired effect (and then eliminate it).

It could be interesting to check the files that Git excludes in CI. You can find that by running (in CI):

git check-ignore -v *
git status --ignored

The bottom line is, if you can make the CI run see the changed files correctly (output of git diff ...), then the analysis results should be correct too.

Hey Janos, I didn’t state it clearly in the previous message, but this has been resolved with the changes to the build agent cache settings detailed above. We get successful PR scans after removing the cache settings.

Thanks for your responses.
