Quality Gate passed on PR branch but failed on main


We recently encountered a strange situation, where Quality Gate would pass on feature or PR branch, but fail on the main branch.

So, for example, on PR-1 branch, Quality Gate passed with no issues. When the PR was merged and a build was triggered on the main branch, Quality Gate failed on “New Code”, and the issue is related to an npm package.

The settings on “New Code” are as follows

We use:

  • SonarQube Developer Edition
  • Bitbucket v7.17.4
  • Jenkins latest version

The question is, why did Quality Gate not fail during the development on the feature branch (we are running analysis there as well) or on the PR branch?

Thank you in advance,

Quality Gate conditions

Hey there.

This appears to be a file-level issue raised by the community-supported dependency-check/dependency-check-sonar-plugin (GitHub: “Integrates Dependency-Check reports into SonarQube”).

File-level issues are not raised on pull requests, as SonarQube only reports issues on changed lines of changed files.

Hi Colin, may I ask what the rationale behind this design decision is? If whatever file level issue causes my QG to fail on the main branch, I would prefer that the same condition is applied to the PR. Otherwise it is too easy to merge a “defective” state. Is there a workaround? A vulnerability failing the gate on main is still recognized/reported in the PR. Is there maybe a way to use that info to induce a failure somehow?

Hey @pri

There are a few reasons – mostly to do with analyzing pull requests where the target branch hasn’t been analyzed (and therefore the only way to know what issues are new or not is to consider issues raised on changed lines of changed files). Previous attempts resulted in a lot of false positives being raised on pull requests (issues related to unchanged code).

And, this is something on our roadmap to improve. You can vote here: https://portal.productboard.com/sonarsource/3-sonarqube/c/295-new-pull-request-issues-on-unchanged-code