Tool versions:
- SonarQube Server Enterprise Edition v10.7 (96327)
- sonar-scanner-cli-6.2.1.4610-linux-x64 deployed using zip
The goal:
Without the SonarQube server being connected to a GitLab server (i.e. without using the DevOps Platform Integration feature), I want to scan a merge request in an automated GitLab pipeline.
I know that without the integration, SQ won’t be able to push messages to GitLab, which is fine for me, as I only care about the Quality Gate status after finishing the scan.
What I tried:
I am prototyping this workflow locally on my machine for now, before productizing it into the GitLab pipelines. My local setup is the same environment as will be used in the pipeline. I download the scanner and run the analysis as in the snippet below.
# javaOpts carries two JVM flags, so it must be passed as one quoted argument;
# unquoted, "-Xms4096m" reaches sonar-scanner as a separate, invalid argument.
# The glob patterns are quoted so the shell does not try to expand them.
$SCANNER_PATH/sonar-scanner/bin/sonar-scanner \
  "-Dsonar.scanner.javaOpts=-Xmx4096m -Xms4096m" \
  -Dsonar.sourceEncoding=UTF-8 \
  -Dsonar.host.url=https://xxxxxxx.com \
  -Dsonar.verbose=false \
  "-Dsonar.exclusions=**Tests**,**tests**" \
  -Dsonar.projectKey="$PROJECT_KEY" \
  -Dsonar.token="$SONAR_ANALYSIS_TOKEN" \
  -Dsonar.sources="$REPO_ROOT" \
  -Dsonar.projectBaseDir="$REPO_ROOT" \
  -Dsonar.qualitygate.wait=true \
  -Dsonar.qualitygate.timeout=300 \
  -Dsonar.pullrequest.key="$MERGE_REQUEST_IID" \
  -Dsonar.pullrequest.base="$TARGET_BRANCH" \
  -Dsonar.pullrequest.branch="$SOURCE_BRANCH" \
  -Dsonar.cfamily.variants.names=XXX,YYY \
  -Dsonar.cfamily.variants.dir="$SCANNER_PATH/compile_commands"
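As an added example, not part of the original post: the same merge-request invocation driven by GitLab's predefined CI variables (CI_MERGE_REQUEST_IID, CI_MERGE_REQUEST_TARGET_BRANCH_NAME, CI_MERGE_REQUEST_SOURCE_BRANCH_NAME), with the token kept off the command line and a small parser for the Quality Gate verdict returned by the server's api/qualitygates/project_status endpoint. The function names, the placeholder host URL and project key, and the "runner" indirection are assumptions; the project-specific cfamily variant options are left out.

```shell
#!/bin/sh
# Added example (not from the original post). Runs the merge-request scan
# from GitLab's predefined CI variables and reads the Quality Gate verdict.
# Assumed to be set in CI: SONAR_HOST_URL, PROJECT_KEY, REPO_ROOT, SCANNER_PATH,
# and SONAR_TOKEN, which the scanner reads itself, so the token never appears
# on the command line or in the job log.

# $1 is the command that receives the arguments: the scanner binary in CI,
# or a printing helper when inspecting the arguments without a server.
run_mr_scan() {
  runner="$1"
  if [ -z "${CI_MERGE_REQUEST_IID:-}" ]; then
    # Branch pipelines have no MR; an empty sonar.pullrequest.key is an error.
    echo "not a merge-request pipeline, skipping PR analysis" >&2
    return 2
  fi
  # Each quoted string is exactly one argument, so the two JVM flags in
  # javaOpts stay together instead of -Xms4096m becoming a stray argument.
  set -- \
    "-Dsonar.scanner.javaOpts=-Xmx4096m -Xms4096m" \
    "-Dsonar.sourceEncoding=UTF-8" \
    "-Dsonar.host.url=${SONAR_HOST_URL:-https://sonar.example.invalid}" \
    "-Dsonar.exclusions=**Tests**,**tests**" \
    "-Dsonar.projectKey=${PROJECT_KEY:-placeholder-project-key}" \
    "-Dsonar.sources=${REPO_ROOT:-.}" \
    "-Dsonar.projectBaseDir=${REPO_ROOT:-.}" \
    "-Dsonar.qualitygate.wait=true" \
    "-Dsonar.qualitygate.timeout=300" \
    "-Dsonar.pullrequest.key=$CI_MERGE_REQUEST_IID" \
    "-Dsonar.pullrequest.base=$CI_MERGE_REQUEST_TARGET_BRANCH_NAME" \
    "-Dsonar.pullrequest.branch=$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME"
  "$runner" "$@"
}

# Verdict (OK or ERROR) from the JSON body of
# GET $SONAR_HOST_URL/api/qualitygates/project_status?projectKey=...&pullRequest=<iid>
# (fetch it with curl and the token when the scanner's own wait is not enough).
qg_status() {
  printf '%s' "$1" | sed -n 's/.*"projectStatus": *{ *"status": *"\([A-Z]*\)".*/\1/p'
}

# Exit 0 only when the gate passed, for use as the job's final step.
qg_passed() {
  [ "$(qg_status "$1")" = "OK" ]
}

# In CI:
#   run_mr_scan "$SCANNER_PATH/sonar-scanner/bin/sonar-scanner"
```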
The issue:
The scan correctly detects the only modified file and correctly detects which lines are new code, but it is unable to detect any issues within that code. See the screenshot below from the “Code” tab of the pull request in SonarQube.
The “main” branch of the very same SonarQube project does have a Quality Profile with rules that should detect the issues in the sample code above.