Question about SonarCloud Usage

We have some questions about using SonarCloud.

We made adjustments only to the following section of the Code (Picture 2).

  1. However, the Code Smells section is displaying unrelated parts to this particular modification, as shown in the red box in (Picture 3).
    We would like to know how to display only the modified part of the code in Code Smells.

  2. In the top left corner of (Picture 1), it also shows 2.2k New Lines, but we only added 6 lines of code.

  3. How can we achieve a Pass status for the Quality Gate?
    We have only made modifications that added 6 lines of code, so how can we meet the requirements for Coverage and Duplications?

  4. Can we define the conditions for a Quality Gate Pass ourselves?

(Picture1)


(Picture2)

(Picture3)

Hi,

Can you share your analysis log? This is most likely a problem with the (in)correct identification of New Code, and your analysis log should tell the tale.

The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.

This guide will help you find them.

 
Ann

Hello Ann,

Thank you for your assistance.

According to the information provided in the link, we are using Scanner - SonarScanner for (.NET Framework), and we added the flag “/d:sonar.verbose=true”.

We are triggering the Sonar Scan through Jenkins, so we can also find the log in the Jenkins console output, right?

Hi,

Yes. This should be in the Jenkins job logs.

 
Ann

Hi Ann,

We have an issue when adding the log flag “/d:sonar.verbose=true”, and the sonar scan won’t succeed.

Which part did we do wrong, and what can be adjusted?

Hi,

The message is pretty clear. You can’t use /d:sonar.verbose=true in the end step. So remove it and you should be good.

 
Ann

Hi Ann,

Removing “/d:sonar.verbose=true” does make it work, but if we remove it, how can we generate logs? According to the link you provided earlier, without adding this part, the Jenkins console output still doesn’t provide the crucial information for querying (C# Tests Coverage Report Import [csharp]).

Here is the console output in Jenkins after finishing the sonar scan.
Jenkins Console Output.txt (9.5 MB)

Hi,

I’ve just taken another look at the guide I sent you too. It incorrectly told you to add sonar.verbose to the end step. It should be added to the begin step instead. I’ve corrected the guide. Sorry for the confusion!

 
Ann

Hi Ann,

Thank you for your assistance.

I added it in the begin step instead, and it works fine. I can reach the keywords (C# Tests Coverage Report Import), as you can see in the picture below.

The message shows that one of the required properties is missing, but I don’t know which property.

Here is the Jenkins pipeline script for triggering the sonar scanner. Which specific part do I still need to adjust?

..\SonarScanner-5.11.0.60783\SonarScanner.MSBuild.exe begin /k:"dimercoexpress_value-3.0" /o:"dimercoexpress" /d:sonar.host.url="https://sonarcloud.io" /d:sonar.login="XXX" /d:sonar.branch.name="%branch%" /d:sonar.verbose=true

"%MSBUILD_PATH_2022%\msbuild.exe" /t:Rebuild 

..\SonarScanner-5.11.0.60783\SonarScanner.MSBuild.exe end /d:sonar.login="XXX" 

Hi,

This thread started out as being about

and

The log line about coverage import you’ve highlighted is unrelated. Please provide the full text of your analysis log.

 
Ann

Hi Ann,

I understand this thread is for those 2 topics. As for coverage, in the highlighted part the keywords “Tests Coverage Report Import” are displayed, but it is uncertain whether the log is fully shown.

Here is the analysis log.
Analysis log.txt (16.4 MB)

Hi,

Your initial screenshot shows “2.2k New Lines” but the log you’ve provided only shows

10:53:39.223 DEBUG: SCM reported changed lines for 24 files in the branch

Going back to that first picture, we’re looking at a short-lived branch. According to the docs, for a short-lived branch we’re going to see:

the new code consists of all those files which have been modified or added relative to the target branch. Modified files are determined by comparing checksums between the sonar.branch.target branch and the short-lived branch to be analyzed.

Now, that comparison is done locally on the build agent, so it could be a question of the version of master available on the agent for comparison.

But if you only changed 6 files and expect to only see the changes on those 6 files, then it sounds like you want PR analysis rather than short-lived branch analysis. Again, the docs:

Instead, short-lived branch analysis is about analyzing feature and bug-fix branches that are not part of a pull request. These usually occur in projects that, for whatever reason, do not use pull requests at all, but want to achieve the same objective as pull request analysis, namely, ensuring only clean code is merged.

In short, if you already use PRs in your project, then you don’t need short-lived branch analysis. Pull request analysis offers more features (pull request decoration, for example) and requires no configuration. Short-lived branch analysis is only useful in the special case where you want to have (some of) the functionality of pull request analysis, but you do not use PRs in your project workflow.

 
HTH,
Ann

Hello Ann,

The diagram below shows the flow branches currently being developed by our team on Git.

We need to update SonarCloud (Long-lived branches: master) every other version, which is actually our Develop Branch.
For example, “sonar.branch.target = master” is our project’s develop branch which is “0627_dev”.

SonarCloud (Short-lived branch) corresponds to our local branch from the develop branch, for example, “0627_dev_TaskA”. When we complete “0627_dev_TaskA”, we trigger the Jenkins flow to create a pull request on BitBucket Cloud, and SonarScanner scans the “0627_dev_TaskA” branch.

Based on the documentation, it seems “short-lived branch analysis” and “pull request analysis” are very different, and we should use pull request analysis instead of short-lived branch analysis.
If we use pull request analysis, we need to integrate BitBucket Cloud’s pipeline with SonarCloud, right?

Are there any relevant documents or samples that we can refer to?

Hi,

Yes, I would recommend using PR analysis instead of short-lived branch analysis. And according to the docs, setting it up shouldn’t be much more involved than the branch analysis configuration you’ve already got.

 
HTH,
Ann

Hi Ann,

Using PR analysis with a .NET project, is it necessary to build with an Azure pipeline?

Using Azure incurs significant costs for us.

Hi,

Are you asking whether it’s required to build, or whether it’s required to use Azure? Because it’s not required to use Azure. But you do need to build for C# analysis.

 
HTH,
Ann

Hi Ann,

Yes, my question is whether it’s required to use Azure? I would like to use existing resources, for example, utilize Jenkins to help me build a C# project and perform Pull Request analysis. I need reference examples in this area.

Hi,

As I said, it’s not required to use Azure. Jenkins should work just fine. Just make sure you use SonarScanner for .NET.

 
HTH,
Ann
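
An added example, not posted by anyone in this thread and not taken from SonarSource's documentation: the Jenkins batch step from earlier in the thread reworked for pull request analysis with SonarScanner for .NET. The variables `SONAR_TOKEN`, `PR_ID`, `PR_SOURCE_BRANCH` and `PR_TARGET_BRANCH` are hypothetical names assumed to be supplied by the Jenkins job (the token through a credentials binding rather than written into the script); the scanner path, project key and organization are the ones shown above.

```bat
@echo off
rem Added example: Jenkins "bat" step for pull request analysis.
rem Assumed (hypothetical) variables provided by the Jenkins job:
rem   SONAR_TOKEN        analysis token, injected from Jenkins credentials
rem   PR_ID              pull request id on Bitbucket Cloud
rem   PR_SOURCE_BRANCH   e.g. 0627_dev_TaskA
rem   PR_TARGET_BRANCH   e.g. 0627_dev
setlocal

rem Stop before scanning if any required value is missing.
for %%V in (SONAR_TOKEN PR_ID PR_SOURCE_BRANCH PR_TARGET_BRANCH) do (
  if not defined %%V (
    echo Missing required variable %%V
    exit /b 1
  )
)

rem New-code detection is computed on the build agent, so make sure the
rem agent has an up-to-date copy of the target branch to compare against.
git fetch origin "+refs/heads/%PR_TARGET_BRANCH%:refs/remotes/origin/%PR_TARGET_BRANCH%" || exit /b 1

rem sonar.branch.name is omitted: branch and pull request parameters
rem cannot be combined in one analysis.
rem sonar.verbose belongs on the begin step only, as established above.
..\SonarScanner-5.11.0.60783\SonarScanner.MSBuild.exe begin ^
  /k:"dimercoexpress_value-3.0" /o:"dimercoexpress" ^
  /d:sonar.host.url="https://sonarcloud.io" ^
  /d:sonar.login="%SONAR_TOKEN%" ^
  /d:sonar.pullrequest.key="%PR_ID%" ^
  /d:sonar.pullrequest.branch="%PR_SOURCE_BRANCH%" ^
  /d:sonar.pullrequest.base="%PR_TARGET_BRANCH%" ^
  /d:sonar.verbose=true || exit /b 1

rem C# analysis requires a build between begin and end.
"%MSBUILD_PATH_2022%\msbuild.exe" /t:Rebuild || exit /b 1

rem The end step takes only the credential.
..\SonarScanner-5.11.0.60783\SonarScanner.MSBuild.exe end /d:sonar.login="%SONAR_TOKEN%"
```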