Languages of the repository:
Maven project, mostly Java, but also contains CSS, JS, HTML and Docker files.
1 - the quality gate passes on some branches and fails on others.
2 - the report on the branch seems to report only new vulnerabilities and not the overall vulnerabilities, despite the quality gate configuration
On the project, I have 4 different branches:
- main: the default branch
- from-main: branch taken from the main branch with NO additional commit = exactly the same as main
- develop: branch taken from the main branch with a few additional commits
- from-develop: branch taken from the develop branch with NO additional commit = exactly the same as develop
The quality gate passes on some branches but fails on others:
main QUALITY GATE STATUS: FAILED
from-main QUALITY GATE STATUS: PASSED
develop QUALITY GATE STATUS: FAILED
from-develop QUALITY GATE STATUS: FAILED
I am expecting the Maven sonar scanner to report a "QUALITY GATE STATUS: FAILED" for all branches.
However, as you can see, the analysis passes on the branch from-main, where I am expecting it to fail since it's exactly the same as the main branch.
Thank you for clarifying and your detailed response.
After reading in detail Branch Analysis | SonarCloud Docs, I have a better understanding. And it does make sense now.
However, is it possible to force SonarCloud to consider the current branch analysed to be a long-lived branch by passing some parameter to the scanner?
I know I could go to SonarCloud and change the "Long-lived branches pattern" in the project.
But I'm facing two issues with this approach:
1 - We have a lot of projects and unfortunately it looks like there is no way to change this value globally, and each new project will need to be updated after being imported (a permission that is not available in our setup for the person who imported the project)
2 - It enforces having a naming convention for our branches, which we should have but unfortunately do not have at the moment.