a dev colleague reported a strange behavior regarding PR analysis.
After an analysis which failed the quality gate, a second analysis passed the quality gate even though they didn’t change anything (see screenshots). The code is getting analyzed during a Azure DevOps build and they’re using the build breaking feature (qualitygate.wait)
We’re using SonarQube 9.9 LTS, the project’s language is C/C++, new code period is set to ‘previous version’.
Maybe there’s some reasonable explanation for this behavior, or could it be a bug?
We are running SQ as PR verification (with sonar.qualitygate.wait=true).
When I create a PR with new changes (bla1.cpp was changed with new sq issues), the first run always fails.
It says:
INFO: Using 16 threads for analysis, according to value of "sonar.cfamily.threads" property.
INFO: Found empty cache on server
INFO: [pool-2-thread-1] C:\b01\_w\13\bla1.cpp
INFO: [pool-2-thread-3] C:\b01\_w\13\bla2.cpp
INFO: [pool-2-thread-2] C:\b01\_w\13\bla3.cpp
INFO: [pool-2-thread-4] C:\b01\_w\13\bla4.cpp
...
ERROR: QUALITY GATE STATUS: FAILED - View details on -url-
(I am not sure why is says empty cache here. bla2-4 are not changed and should have a cache hit, but this is not of concern here!)
The build step becomes red.
But runs after that (not all, but some) do not fail. I did not change the code, I only started the build again. The log looks different:
INFO: Loading cache from: server
INFO: Cache hit for: C:\b01\_w\3\bla1.cpp
INFO: Cache hit for: C:\b01\_w\3\bla2.cpp
INFO: Cache hit for: C:\b01\_w\3\bla3.cpp
INFO: Cache hit for: C:\b01\_w\3\bla4.cpp
...
INFO: QUALITY GATE STATUS: PASSED - View details on -url-
So my suspicion is, that the reason for this are the cache hits.
I will send you the full log in private so you can have a better look.
This may be a red herring, but: Is your quality gate configured to look only at new code, and have you configured your new code definition to be based on Previous Version? Your second run shows a version number, the first one does not. It’s possible that SonarQube sees all the existing issues as legacy code, and finds no issues in your “new” code, hence the quality gate passes.
What version number are you passing on to SonarQube with your PR scan configuration?
It should be clear that this is not PR analysis (as the original post suggested), but branch analysis. Is this intentional?
For giggles, can you see what happens when you stop passing sonar.projectVersion entirely? I think this will help us determine if it’s the cause of resetting the New Code Period.
Can you also try setting the reference branch in the UI rather than via the command line? This again helps us eliminate/point to potential issues.
This is correct. We do a regular branch analysis during PR builds. (Because we have multiple architectures/compilers and you can only build one as a PR analysis. I think this feature is requested somewhere.)
Ok, will take some time though, I am on different Project now