Regulatory Report / API report Customization

Hello, I’m running SonarQube 9.6 and have some questions about the report available to download. I didn’t see any entries regarding issues that have been marked as resolved (won’t fix). Is this part of the downloadable regulatory reports? I would also like the report to contain the person who changed the status of a finding, either issues or security hotspots. Is that only doable through the API?

Hi,

When you download the “Regulatory Report” you get a zip bundle. Inside that (and linked from the PDF) you’ll find two ‘resolved_findings*’ CSV files. Those are your False-positive/Won’t-fix issues. What you won’t get from that is who resolved them. You’ll need to use the UI (or the API) for that.

And the best way to master the API is to perform the desired action via the UI and eavesdrop to see which calls the UI made to accomplish the action.

You may also find this guide helpful.

HTH,
Ann
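The answer above says the regulatory report's `resolved_findings*` CSVs list the False-positive / Won't-fix issues but not who resolved them, and that the API fills that gap. The script below is an added example, not code from this thread or from SonarSource: it pages through a branch's FP/WF issues with `api/issues/search` and reads each issue's `api/issues/changelog` to find the user who set the resolution. The JSON field names it reads (`issues`, `paging.total`, `changelog[].user`, `changelog[].diffs[].key/newValue`) follow those endpoints' responses as I know them and should be checked against your instance; the sample responses embedded at the bottom are constructed so the example runs offline.

```python
"""Added example, not code from the thread or from SonarSource: build the
"who resolved it" column the regulatory report lacks, using SonarQube's
web API (the same calls the UI makes on the Issues page).

Endpoints used:
  GET api/issues/search    params componentKeys, branch, resolutions, p, ps
  GET api/issues/changelog param  issue
The JSON field names below are assumed from those endpoints' responses;
verify against your instance (the browser's network tab shows the exact
shape). The sample responses at the bottom are constructed."""
import base64
import json
import urllib.parse
import urllib.request

PAGE_SIZE = 500      # largest page api/issues/search accepts
SEARCH_CAP = 10_000  # the search API will not page past this many results


def make_getter(base_url, token):
    """Return get_json(path, params) for a live server. A user token is
    sent as the Basic-auth username with an empty password."""
    auth = base64.b64encode(f"{token}:".encode()).decode()

    def get_json(path, params):
        url = f"{base_url.rstrip('/')}/{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    return get_json


def resolver_from_changelog(changelog):
    """Return (login, resolution, date) from the latest changelog entry that
    set a resolution, or None when the changelog has no such entry."""
    found = None
    for entry in changelog.get("changelog", []):  # oldest entry first
        for diff in entry.get("diffs", []):
            if diff.get("key") == "resolution" and diff.get("newValue"):
                found = (entry.get("user"), diff["newValue"], entry.get("creationDate"))
    return found


def resolved_findings(project_key, branch, get_json):
    """Page through the False-positive / Won't-fix issues of one branch and
    attach the user who set that resolution to each row."""
    rows, page = [], 1
    while True:
        data = get_json("api/issues/search", {
            "componentKeys": project_key, "branch": branch,
            "resolutions": "FALSE-POSITIVE,WONTFIX", "p": page, "ps": PAGE_SIZE,
        })
        for issue in data["issues"]:
            log = get_json("api/issues/changelog", {"issue": issue["key"]})
            who = resolver_from_changelog(log) or (None, issue.get("resolution"), None)
            rows.append({"key": issue["key"], "rule": issue.get("rule"),
                         "component": issue.get("component"),
                         "resolution": who[1], "resolved_by": who[0],
                         "resolved_at": who[2]})
        total = min(data["paging"]["total"], SEARCH_CAP)
        if page * PAGE_SIZE >= total:
            return rows
        page += 1


# Constructed sample responses so the example runs offline.
SAMPLE = {
    "api/issues/search": {
        "paging": {"pageIndex": 1, "pageSize": 500, "total": 2},
        "issues": [
            {"key": "AX-1", "rule": "java:S2068", "component": "demo:src/Db.java",
             "status": "RESOLVED", "resolution": "WONTFIX"},
            {"key": "AX-2", "rule": "java:S5445", "component": "demo:src/Tmp.java",
             "status": "RESOLVED", "resolution": "FALSE-POSITIVE"},
        ],
    },
    "api/issues/changelog": {
        "AX-1": {"changelog": [
            {"user": "alice", "creationDate": "2022-10-03T09:12:00+0000",
             "diffs": [{"key": "resolution", "newValue": "WONTFIX"},
                       {"key": "status", "oldValue": "OPEN", "newValue": "RESOLVED"}]}]},
        "AX-2": {"changelog": [
            {"user": "bob", "creationDate": "2022-10-04T15:40:00+0000",
             "diffs": [{"key": "resolution", "newValue": "FALSE-POSITIVE"},
                       {"key": "status", "oldValue": "OPEN", "newValue": "RESOLVED"}]}]},
    },
}


def demo_getter(path, params):
    """Offline stand-in for make_getter(): serves the constructed SAMPLE."""
    if path == "api/issues/changelog":
        return SAMPLE[path][params["issue"]]
    return SAMPLE[path]


if __name__ == "__main__":
    for row in resolved_findings("demo", "main", demo_getter):
        print(row)
```

Against a real server, swap `demo_getter` for `make_getter("https://sonar.example", token)` (placeholder URL) with a token that has Browse permission on the project. One changelog call per issue is the cost of this approach; for audit purposes that is acceptable, but cache the rows rather than re-pulling them for every report. The same changelog reading applies to Security Hotspots, whose review history is shown in the UI in the same way, but that endpoint is not exercised here.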

Thanks for the quick response. Before digging deeper into using the API, I want to ask the question: Is there a built-in way to generate reports for PR findings and changes?

For some reason only the main branch is available under generate regulatory reports.

Hello

This isn’t available for PRs, only for branches. Since PRs are ephemeral, there didn’t seem to be a need.

Ann

Is it possible to have a trace of what has been changed because of the scan results? For example, the first scan returned 3 issues, someone fixed 2 of them, and the new MR scan showed only 1 of them. Is it possible through the SonarQube API?

Hi,

It doesn’t look like we keep previous metric values for PRs. However, we do keep resolved issues, so it should be possible with the Issues search API to find them.

Would you mind sharing why you want to do this?

Ann

Hi,

I want to have a proof that a specific issue has indeed been fixed.

Hi,

The proof is that they no longer show up in the PR. If you’re trying to make sure they didn’t disappear because they were marked False-positive or Won’t-fix, that - specifically - is what you ought to be looking at.

HTH,
Ann

If I want to know which PR removed the issue, what is the best way to combine the APIs? Is there one API that can do it directly?

Hi,

SonarQube really isn’t built to do that. I doubt you’ll find the right combination of APIs to accomplish it.

Ann

If possible, can you explain what portion of what I want to achieve is not feasible for SonarQube?

Hi,

The part where you track down which PR fixed an issue.

The best you can do:

  • pull the full issues list (available in Enterprise Edition($$)) from each analysis and compare it to the previous one to find the issues that were just Closed
  • Trace back - probably via your CI or perhaps to your SCM - to the PR merge that triggered the analysis.

:woman_shrugging:
Ann
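The first bullet above (pull the full issue list from consecutive analyses and compare them to find what was just Closed) and the earlier remark that the real question is whether an issue vanished because it was fixed or because it was marked False-positive / Won't-fix can both be served by one comparison. The script below is an added example, not code from this thread or from SonarSource: it takes two `issues` arrays as returned by `api/issues/search` (assumed fields `key`, `status`, `resolution`, `rule`, `component`) and classifies every key as fixed, hidden, reopened, new, purged or unchanged. The two snapshots embedded in it are constructed. Linking a fixed issue to the PR that merged is still left to your CI or SCM, as the second bullet says; the script only accepts a reference string you obtain there.

```python
"""Added example, not code from the thread or from SonarSource: compare two
issue snapshots of the same branch, taken after consecutive analyses, and
tell issues that were really fixed apart from issues that only vanished
because someone marked them False-positive or Won't-fix.

Each snapshot is the "issues" array of api/issues/search, pulled with
statuses=OPEN,CONFIRMED,REOPENED,RESOLVED,CLOSED so closed issues are
included (closed issues are purged after a retention window, so take the
snapshot soon after the analysis). Field names assumed: key, status,
resolution, rule, component. PREV and CURR below are constructed."""

HIDDEN = {"FALSE-POSITIVE", "WONTFIX"}  # resolved without any code change
ACTIVE = {"OPEN", "CONFIRMED", "REOPENED"}


def classify(prev, curr):
    """Classify one issue key's transition between two snapshots."""
    if prev is None:
        return "new"
    if curr is None:
        return "purged"  # closed earlier and dropped by the retention window
    p_status, c_status = prev.get("status"), curr.get("status")
    c_res = curr.get("resolution")
    if c_status == "CLOSED" and p_status != "CLOSED":
        # FIXED means the code changed; REMOVED means the rule or file went away
        return "fixed" if c_res == "FIXED" else "removed"
    if c_res in HIDDEN and prev.get("resolution") not in HIDDEN:
        return "hidden"  # gone from the branch view, but nothing was fixed
    if c_status in ACTIVE and p_status in {"RESOLVED", "CLOSED"}:
        return "reopened"
    return "unchanged"


def diff_snapshots(prev_issues, curr_issues):
    """Group issue keys by transition kind, keys sorted for stable output."""
    prev = {i["key"]: i for i in prev_issues}
    curr = {i["key"]: i for i in curr_issues}
    report = {}
    for key in sorted(prev.keys() | curr.keys()):
        report.setdefault(classify(prev.get(key), curr.get(key)), []).append(key)
    return report


def evidence_lines(prev_issues, curr_issues, analysis_ref=""):
    """One audit line per fixed or hidden issue; analysis_ref is whatever
    your CI gives you for the analysis (merge commit, pipeline id, ...)."""
    prev = {i["key"]: i for i in prev_issues}
    curr = {i["key"]: i for i in curr_issues}
    lines = []
    for kind, keys in diff_snapshots(prev_issues, curr_issues).items():
        if kind not in {"fixed", "hidden"}:
            continue
        for key in keys:
            i = curr[key]
            lines.append(f"{key} {i.get('rule')} {i.get('component')}: {kind} "
                         f"({prev[key].get('status')} -> {i.get('status')}/"
                         f"{i.get('resolution')}) {analysis_ref}".rstrip())
    return lines


# Constructed snapshots: before and after one analysis of the same branch.
PREV = [
    {"key": "AX-1", "rule": "java:S2068", "component": "demo:src/Db.java", "status": "OPEN"},
    {"key": "AX-2", "rule": "java:S5445", "component": "demo:src/Tmp.java", "status": "OPEN"},
    {"key": "AX-3", "rule": "java:S1192", "component": "demo:src/Msg.java", "status": "OPEN"},
    {"key": "AX-4", "rule": "java:S4423", "component": "demo:src/Tls.java",
     "status": "RESOLVED", "resolution": "WONTFIX"},
]
CURR = [
    {"key": "AX-1", "rule": "java:S2068", "component": "demo:src/Db.java",
     "status": "CLOSED", "resolution": "FIXED"},
    {"key": "AX-2", "rule": "java:S5445", "component": "demo:src/Tmp.java",
     "status": "RESOLVED", "resolution": "WONTFIX"},
    {"key": "AX-3", "rule": "java:S1192", "component": "demo:src/Msg.java", "status": "OPEN"},
    {"key": "AX-4", "rule": "java:S4423", "component": "demo:src/Tls.java", "status": "REOPENED"},
    {"key": "AX-5", "rule": "java:S2245", "component": "demo:src/Rng.java", "status": "OPEN"},
]

if __name__ == "__main__":
    for kind, keys in diff_snapshots(PREV, CURR).items():
        print(f"{kind}: {', '.join(keys)}")
    for line in evidence_lines(PREV, CURR, "ci-ref-placeholder"):
        print(line)
```

The `hidden` bucket is the one to review: those issues left the branch view exactly like the `fixed` ones, but only because of a status change, so a report that merely counts disappearing issues would overstate what was corrected. Pull the two snapshots with the same `statuses` filter, or a status that one query excludes will show up as `purged` or `new` rather than as a real transition.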

What if it’s another scenario? Assume that instead of creating a new MR, we commit the fixed code to the branch of a previously SonarScan-failed MR. Will there be traces of the old scans?

Hi,

I urge you to explore the UI. If you can find the data in the UI, then you can use the underlying web services to pull the data for your automations / reports.

Ann

Okay, I will explore and experiment with the UI. Thanks so much for your help!
