I’m running SonarQube Developer Edition 8.4.1 (build35646) in combination with SonarQube.Scanner.MsBuild.exe 4.7.1.2311.
I noticed a strange behavior working with Pull Requests.
I’ve protected the master branch with a simple rule in GitHub:
SonarQube quality gate will fail if there are any bugs, codesmells or other issues.
GitHub’s Pull Request integration is blocked if the SonarQube quality gate fails.
With this rule I would expect that an integrated Pull Request will never create new issues on the master branch.
Pull Request changeset :
The type of the first parameter was changed from IEnumerable to object , which makes the using of System.Collections not necessary anymore.
The Pull Request check of SonarQube is not showing an unused using for System.Collections.
The Pull Request’s QualityGate succeeds and shows no codesmells or any other issues.
Therefor GitHub’s branch protection allows to squash merge the Pull Request into the master branch.
This is just a very simple example of this behavior. It is not only a thing about unused usings but for further codesmells.
Why does the issue appear after the integration and not as expected during the Pull Request SonarQube analysis?
Can you check your analysis summary page to see if there are any analysis warnings? They would be on top right corner of SQ 8.9 (I don’t know if it was on the same place in SQ 8.4).
Can you check your scanner end step for some warnings related to SCM?
Do you see the issues raised during your build in your build output?
Unfortunately there is one SCM issue, but with another file (let’s call it versionInfo.cs).
During our CI pipeline the versionInfo.cs gets patched with the related CI build number and the git commit id. I also would like to fix this SCM warning, but i don’t want to misuse this ticket for this purpose.
Another warning is present during the end step in the build log:
15:31:04 INFO: Load metrics repository
15:31:04 INFO: Load metrics repository (done) | time=21ms
15:31:06 WARNING: WARNING: An illegal reflective access operation has occurred
15:31:06 WARNING: WARNING: Illegal reflective access by net.sf.cglib.core.ReflectUtils$1 (file:/C:/Users/XXX/.sonar/cache/a89f1943fc75b65becd9fb4ecab8d913/sonar-tsql-plugin.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
15:31:06 WARNING: WARNING: Please consider reporting this to the maintainers of net.sf.cglib.core.ReflectUtils$1
15:31:06 WARNING: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
15:31:06 WARNING: WARNING: All illegal access operations will be denied in a future release
15:31:08 INFO: Sensor SonarCSS Rules [cssfamily]
15:31:08 INFO: No CSS, PHP, HTML or VueJS files are found in the project. CSS analysis is skipped.
As i mentioned in the initial post, the new code smell issue is not found during the analysis of the PullRequest’s build but pops up on the masters build analysis.
Since those builds are done with the same pipeline (multibranch pipeline) the build steps are equal.
I’d first like to confirm if the .NET analyzer was embedded in the build. Can you check your build step log of that PR to see if you have the issues raised there?
Did you check the analysis warnings in SQ UI?
The reflective access warning is not related to this problem.
i’ll try to investigate for the SCM warning as soon as possible with increased log levels.
How can I check if the .NET analyzer was embedded in the build?
First lines of SonarScanner output:
SonarScanner for MSBuild 4.7.1
Using the .NET Framework version of the Scanner for MSBuild
Post-processing started.
I’ve excluded the modified file form the analysis to check if the warning is resolved. → No more warnings.
Since there are no more warnings in the PR check, I was unable to reproduce this ticket’s issue.
Eliminating the SCM warning solved the problem so far.
