We are currently using sonar-6.7.3 with Java JDK1.8. Due to some vulnerabilities like log4j, etc., we decided to upgrade to sonar-9.2.4, with Java JDK11 being the minimum prerequisite.
Out of 1500 rules, only 106 were active and zero vulnerabilities were used across all our projects as shown above. So when the sonar analysis is performed, it’s happening on the delta code only as of today.
As part of the migration, we would like to enable all the vulnerabilities and we did the same in our dev sonar and tested that. However, we found the analysis is spitting out a lot of code smells and issues. That is because the entire code is being analyzed instead of from the last build, the delta code. It would be difficult for the developers to fix all of them in one shot. We want it to spit out the code smells or issues for the delta code from the last build. Could someone please advise if there is a way to do that?