which versions are you using : SonarQube Server / Enterprise Edition
how is SonarQube deployed: Docker
what are you trying to achieve: Clean code on a new branch
what have you tried so far to achieve this: Run a scan on a parent branch, create a new feature branch off this parent branch, run a scan on the feature branch, compare issues found between the two branches
We are seeing major discrepancies between issues reported on a parent branch (e.g. a release branch) and a just-created branch off this parent branch (e.g. a feature branch) even though the code should be exactly the same between the two branches. For example, let’s say the release branch has 10 High, 20 Medium and 30 Low issues. We create a feature branch off this release branch and run a scan on the newly created feature branch. SonarQube server shows a completely different issue count (e.g. 0 High, 15 Medium, 0 Low) even though we have not made any code changes to the feature branch yet.
Can you share the analysis parameters for the two branches, and/or the analysis logs?
The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.
Hi Ann,
I compared the Sonar logs for the builds for both branches. The logs (except for the timestamp) are EXACTLY the same, except for the following three lines that show up for the feature branch scan towards the end of the scan:
INFO SCM Publisher SCM provider for this project is: git
INFO SCM Publisher 268 source files to be analyzed
INFO SCM Publisher 268/268 source files have been analyzed (done) | time=7506ms
These three lines don’t show up in the scan for the parent release branch from which the feature branch was cut.
The Sonar analysis parameters are the same for both branches:
-Dsonar.projectKey=xxx -Dsonar.projectName=xxx -Dsonar.projectVersion=xx.yy.zz -Dsonar.nodejs.executable=/opt/node/node-v18.20.7/bin/node -Dsonar.sourceEncoding=UTF-8 -Dsonar.ws.timeout=1800 -Dsonar.sources=src/java,src/webcontent,config -Dsonar.java.libraries=build/classes/java/main -Dsonar.tests=src/test -Dsonar.java.binaries=build/classes/java/main -Dsonar.binaries=build/classes/java/main
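As an added example (not code from the thread or from SonarSource), the branch comparison described above done through SonarQube's /api/issues/search endpoint: it pages through the unresolved issues of both branches and lists which rule/file/line findings exist on one branch but not the other, which is more useful for troubleshooting than comparing totals. The `get` callable (your authenticated HTTP GET), the project key `xxx`, the branch names and the sample responses are assumptions/constructed; severities are counted from the response's `severity` field.

```python
"""Diff the unresolved issues of two SonarQube branches via /api/issues/search."""
from collections import Counter
from typing import Callable

def issue_identity(issue: dict) -> tuple:
    """What makes an issue 'the same' across branches: rule, file and line."""
    return (issue["rule"], issue["component"], issue.get("line"))

def page_params(project_key: str, branch: str, page: int, page_size: int = 500) -> dict:
    """Query string for one page of unresolved issues on one branch (branch param needs a commercial edition)."""
    return {"componentKeys": project_key, "branch": branch, "resolved": "false", "p": page, "ps": page_size}

def fetch_branch_issues(get: Callable[[dict], dict], project_key: str, branch: str) -> list:
    """Page through every unresolved issue on `branch`; `get` performs the authenticated GET (assumed)."""
    issues, page = [], 1
    while True:
        data = get(page_params(project_key, branch, page))
        issues.extend(data["issues"])
        paging = data["paging"]
        if paging["pageIndex"] * paging["pageSize"] >= paging["total"]:
            return issues  # the endpoint refuses p*ps beyond 10,000; narrow the query if total is larger
        page += 1

def diff_branches(parent: list, feature: list) -> dict:
    """Issues present on only one branch, plus per-severity totals for both."""
    parent_ids = {issue_identity(i) for i in parent}
    feature_ids = {issue_identity(i) for i in feature}
    return {
        "only_in_parent": sorted(parent_ids - feature_ids, key=str),
        "only_in_feature": sorted(feature_ids - parent_ids, key=str),
        "parent_by_severity": Counter(i["severity"] for i in parent),
        "feature_by_severity": Counter(i["severity"] for i in feature),
    }

# Constructed sample responses (not real scan output) so the comparison runs offline.
SAMPLE = {
    "release/1.0": [
        {"rule": "java:S2068", "component": "xxx:src/java/Db.java", "line": 12, "severity": "CRITICAL"},
        {"rule": "java:S1192", "component": "xxx:src/java/Db.java", "line": 40, "severity": "MINOR"}],
    "feature/login": [
        {"rule": "java:S1192", "component": "xxx:src/java/Db.java", "line": 40, "severity": "MINOR"}],
}

def sample_get(params: dict) -> dict:
    # Stand-in for the HTTP call; mimics the endpoint's paging envelope.
    issues = SAMPLE[params["branch"]]
    return {"paging": {"pageIndex": params["p"], "pageSize": params["ps"], "total": len(issues)}, "issues": issues}
```

Replace `sample_get` with a getter that sends `Authorization` with a user token to your server; the rest of the logic is unchanged.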
Are you building with Maven? And if so, is analysis run on the same commandline as the build? I’ve learned recently that these two* can have different analysis results:
mvn clean install sonar:sonar
mvn clean install
mvn sonar:sonar
Ann
You’re not supposed to use sonar:sonar anymore, but a longer form I’m too lazy to type
We are using Gradle through Jenkins. The Jenkins pipeline is set up exactly the same for the two branches so the build & analysis steps/commands are also exactly the same for both branches.