Quality Gate does not fail with new issues

We’ve discovered that our new code no longer fails the quality gate. This used to work perfectly, but stopped a few months ago.

I created a new, short-lived branch and introduced overly complex code so that SonarCloud would raise new issues. We use Sonar’s built-in quality gate, which allows no new issues (A = 0 or more info issues). My new code raises one medium and one high maintainability issue.

While the branch summary page correctly displays the number of new lines and issues, the quality gate shows ‘passed’.

On the ‘Overview’ page, under ‘Latest activity’, the same branch shows zero issues and zero new lines. Perhaps this is because I started the analysis several times?

What I have tried so far:

  • Set new code from “previous version” to “number of days”
  • Update scanner image
  • Setting “Ignore duplication and coverage on small changes” to false

When we introduced SonarQube at the beginning of this year, this worked perfectly, but a few months ago it stopped working. Could there have been some changes in the SonarCloud version that have led to this behaviour?

Here is what we use:

  • CI: Jenkins
  • Languages of the repository: Multiple (Monorepo: TS, Java, phoenix, …)
  • Scanner command used:
docker run --rm -v ${WORKSPACE}:/usr/src \
    -w /usr/src/... \
    -e SONAR_SCANNER_OPTS="-Dsonar.branch.name='+env.BRANCH_NAME+'" \
    -e SONAR_TOKEN=' + token + ' ' + \
    sonarsource/sonar-scanner-cli:11.2

Due to the size of our repository, we use a shallow clone. Perhaps this is the root cause of the problem. However, as I mentioned, it worked previously and we did not change the Git checkout.

Hi,

Here you go:

It simply won’t work correctly with a shallow clone. Analysis needs all the SCM metadata to correctly detect new code.

 
HTH,
Ann
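As an added example to go with the reply above (this is not SonarSource code and not from the original thread): a pre-flight check a Jenkins stage can run before the scanner starts, failing fast when the workspace is a shallow clone. It relies on the fact that git marks a shallow clone by writing a `shallow` file into the repository's git directory, which `git fetch --unshallow` removes; the function and message names are this example's own.

```python
"""Added example: refuse to analyse a shallow clone.

Git records a shallow clone by writing a `shallow` file into the git
directory. The check below looks for that marker directly, so it needs no
git binary, and it follows a `gitdir: <path>` pointer file (as written for
submodule checkouts) to the real git directory.
"""
from pathlib import Path


def git_dir(repo: Path) -> Path:
    """Resolve the git directory for `repo`, following a gitdir pointer file."""
    dot_git = repo / ".git"
    if dot_git.is_dir():
        return dot_git
    if dot_git.is_file():
        lines = dot_git.read_text(encoding="utf-8").splitlines()
        first = lines[0] if lines else ""
        if first.startswith("gitdir:"):
            target = Path(first[len("gitdir:"):].strip())
            return target if target.is_absolute() else (repo / target).resolve()
    raise FileNotFoundError(f"{repo} is not a git checkout")


def is_shallow(repo: Path) -> bool:
    """True when the checkout is shallow (git's `shallow` marker is present)."""
    return (git_dir(repo) / "shallow").is_file()


def preflight(repo: Path) -> str:
    """Return 'ok', or raise so that the pipeline step fails before scanning."""
    if is_shallow(repo):
        raise RuntimeError(
            f"{repo} is a shallow clone; new code detection will be wrong. "
            "Run `git fetch --unshallow` (or clone with full history) first."
        )
    return "ok"


if __name__ == "__main__":
    import sys

    # Usage: python check_shallow.py /path/to/workspace
    print(preflight(Path(sys.argv[1] if len(sys.argv) > 1 else ".")))
```

Wire it in as its own stage ahead of the `docker run` that starts the scanner; a non-zero exit there is cheaper than a green quality gate computed on the wrong "new code" baseline.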

Hi Ann

I’ve tried checking out the repository without the shallow clone. Now there are no more warnings during the analysis.

The overview page shows the number of new code but the quality gate still does not fail:

Here the issues:

And here our quality gate:

For my understanding the quality gate should fail because there are more than 0 maintainability issues!

I do not know why the quality gate does not fail anymore.

Kind regards,
André

When I try to view the new lines of code in the file now, the content does not load and I see an error message in the web console:

GET https://sonarcloud.io/api/sources/lines?key=XXX:XXX/mobile-download.service.ts&from=1&to=502&branch=feature/DEVOPS-2130[HTTP/2 500  81ms]

   msg	"An unexpected error occurred. Please try again later."

On other branches I can see the changed lines.

Hi Andre,

Sorry about the missing accent. AmE keyboard. :flushed_face:

Here’s why:

Quality gate status can’t actually be computed on first analysis since there is no “new” code yet. Depending on your quality gate conditions, it’ll likely fail on the next analysis.

We try to keep it to one topic per thread. Otherwise it can get messy, fast. I’m not going to ask you to open another thread for this though. I’ll just let you know that this should clear soon. We had an incident earlier today that backed up some queues.

 
HTH,
Ann

Don’t worry :sweat_smile:

I was just trying to give you more hints to solve the issues. The new lines of code are now shown in the file, and this was probably related to the incident you had.

Sadly, it didn’t fail:

Another thing I discovered (hint) is that with SonarQube for IDE the issue is not marked as “already detected by SonarQube Cloud analysis”.

I have tried to do the analysis now with the following scanners:

  • docker-image: sonarsource/sonar-scanner-cli:12.0 (& v11.2)
  • SonarScanner 8.0.1
  • npm module: @sonar/scan:4.3.4

All with the same result.

Kind regards,
André

Hi Andre,

At a guess, you’re creating a new branch with each analysis. Can you share your analysis configuration, as well as your analysis log?

The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.

This guide will help you find them.

 
Thx,
Ann

Hi Ann,

Here is our sonar.properties file and the analysis log. I had to redact file and directory names. To make this easier for me I replaced similar debug lines with “…”.

(I renamed sonar-project to txt in order to upload it here)

sonar-project.txt (830 Bytes)

analysis.txt (74.4 KB)

And like this we start the scan:

docker run --rm -v /daten/jenkins/workspace/x_feature_DEVOPS-2130:/usr/src -w /usr/src/x/client -e 'SONAR_SCANNER_OPTS=-Dsonar.branch.name=feature/DEVOPS-2130 -Dsonar.branch.target=develop-change' -e SONAR_TOKEN=***** sonarsource/sonar-scanner-cli:12.0

One odd thing I’ve noticed is that when I introduce code duplication, the quality gate fails. The same thing happens if I switch to the built-in SonarWay quality gate (with code coverage). Only issues are ignored by the quality gate.

And the same thing happens to different projects (same monorepo).

Kind regards,
André

Hi Andre,

To refresh myself on your context before I dove into your logs, I took another look at your previous set of screenshots. I need to point out that the “New Analysis” flag is different from the “First Analysis” flag.

I’ve raised the point internally that if every analysis gets a “New Analysis” flag (which it does, after the first one) then there’s no real point in having the flag at all. But that’s a discussion for a different day. :face_without_mouth:

So, leaving that flag aside, your failed quality gate shows the mechanism is working. Now I need to ask what’s in your quality gate. Can you share a screenshot of the conditions that are applied?

 
Thx,
Ann

Hi Ann,

Yes, I found this confusing too because, at first glance, I thought the error was that every analysis was marked as ‘First Analysis’, which was wrong.

See this screenshot I posted earlier for the quality gate: Quality Gate does not fail with new issues - #3 by nis-buan

Kind regards,
André

Okay I think I found the problem.

My understanding was that the rating of all categories (security, reliability, maintainability, …) is the same. For example:

Reliability rating

A = 0 bugs
B = at least one minor bug
C = at least one major bug
D = at least one critical bug
E = at least one blocker bug

But the maintainability rating is different:

A ≤ 5%
B ≥ 5% to <10%
C ≥ 10% to <20%
D ≥ 20% to < 50%
E ≥ 50%

And the percentage is calculated as follows:

sqale_debt_ratio = technical debt /(cost to develop one line of code * number of lines of code)

In my example that would be 2.13 % = 183 min / (287 new lines * 30 min)

Can you confirm this? And my follow up questions:

  • Did this change in the past year?
  • Is it possible to change the maintainability rating for SonarQube Cloud?

Kind regards,
André

Hi Andre,

Yes, unfortunately the maintainability rating is calculated differently than the other ratings. You’re not the first to stumble on this. If you want your Quality Gate to fail for any and all new issues then the criterion you need to set is New Issues > 0.

 
HTH,
Ann
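A worked example, added here and not part of the original thread or of SonarSource's code, that puts the two posts above side by side: the maintainability rating derived from the debt ratio that André computed (287 new lines, 183 min of technical debt, 2 new issues), and the "New Issues > 0" condition Ann recommends. Assumptions, labelled as such: 30 min per line is taken as the default "cost to develop one line of code" in the sqale_debt_ratio formula, and the rating bands are the ones quoted above with each band's upper bound treated as exclusive.

```python
"""Added example: why a rating-based gate passes on new issues while a
'New Issues > 0' condition fails.

Assumed: 30 min per line of code as the development cost in the
sqale_debt_ratio formula, and the A..E bands quoted in the thread with the
upper bound of each band exclusive.
"""
from dataclasses import dataclass
from typing import Callable, Iterable

DEV_COST_PER_LINE_MIN = 30  # assumed default development cost per line

# Maintainability rating bands on the debt ratio, in percent (upper bound exclusive).
RATING_UPPER_PCT = (("A", 5), ("B", 10), ("C", 20), ("D", 50))


@dataclass(frozen=True)
class NewCode:
    new_lines: int
    new_issues: int
    technical_debt_min: int


def debt_ratio_pct(code: NewCode) -> float:
    """sqale_debt_ratio = debt / (cost per line * lines), as a percentage."""
    if code.new_lines == 0:
        return 0.0
    return 100.0 * code.technical_debt_min / (DEV_COST_PER_LINE_MIN * code.new_lines)


def maintainability_rating(code: NewCode) -> str:
    """Map the debt ratio onto the A..E bands; anything at or above 50% is E."""
    ratio = debt_ratio_pct(code)
    for rating, upper in RATING_UPPER_PCT:
        if ratio < upper:
            return rating
    return "E"


def min_debt_for_rating(new_lines: int, rating: str) -> int:
    """Smallest debt (minutes) at which `new_lines` of new code drops to `rating`."""
    lower_pct = {"B": 5, "C": 10, "D": 20, "E": 50}[rating]
    total = lower_pct * DEV_COST_PER_LINE_MIN * new_lines
    return -(-total // 100)  # integer ceiling division, avoids float rounding


def rating_is_a(code: NewCode) -> bool:
    """Condition the thread's gate effectively relied on: rating on new code is A."""
    return maintainability_rating(code) == "A"


def no_new_issues(code: NewCode) -> bool:
    """Condition Ann recommends: 'New Issues > 0' fails the gate."""
    return code.new_issues == 0


def gate_passes(code: NewCode, conditions: Iterable[Callable[[NewCode], bool]]) -> bool:
    """A gate passes only when every condition holds on the new code."""
    return all(cond(code) for cond in conditions)


# Constructed from the figures posted in the thread.
THREAD_EXAMPLE = NewCode(new_lines=287, new_issues=2, technical_debt_min=183)

if __name__ == "__main__":
    c = THREAD_EXAMPLE
    print(f"debt ratio {debt_ratio_pct(c):.2f}% -> rating {maintainability_rating(c)}")
    print("gate on rating :", "passed" if gate_passes(c, [rating_is_a]) else "failed")
    print("gate on issues :", "passed" if gate_passes(c, [no_new_issues]) else "failed")
    print("debt for B     :", min_debt_for_rating(c.new_lines, "B"), "min")
```

The useful number is the last one: on 287 new lines, the rating only slips to B once new debt reaches 431 minutes, so two issues worth 183 minutes can never fail a rating-based condition on their own. A "New Issues > 0" condition is independent of both the line count and the remediation estimate, which is why it catches them.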