Sonar analysis - Entire code Analysis happening instead of delta code

We are currently using sonar-6.7.3 with Java JDK1.8. Due to some vulnerabilities like log4j, etc., we decided to upgrade to sonar-9.2.4 with java JDK11 being the minimum prerequisite.

Out of 1500 rules, only 106 were active and zero vulnerabilities were used across all our projects as shown above. So when the sonar analysis Is performed, it’s happening on the delta code only as of today.

As part of the migration, we would like to enable all the vulnerabilities and we did the same in our dev sonar and tested that. However, we found the analysis is spitting out a lot of code smells and issues. That is because the entire code is being analyzed instead of from the last build, the delta code. It would be difficult for the developers to fix all of them in a shot. We want it to spit the code smells or issues for the delta code from the last build. Could someone please advise if there is a way to do that?


Welcome to the community!

Congrats on upgrading from 6.7.3. However, you’re not done. SonarQube 9.2.4 is also EOL, and you should continue your upgrade path on to 9.9 at your earliest convenience.

You seem to have multiple questions here and we try to

We try to keep it to one topic per thread. Otherwise it can get messy, fast.

Regarding your rule counts, that looks like a bad Elasticsearch index. After you finish your upgrade path, your ES indices should all be regenerated and that should be taken care of. Please create new threads for your other questions.