Sonar Analysis issue

Details about the Sonar server we are using:

  • Developer Edition, Version 9.2.4 (build 50792)
  • SonarQube is deployed in an Azure VM (IIS server)

Issue we are facing:
Whenever a new merge request is raised for the master code, SonarQube analysis will run.
So basically two builds will run for a master merge:

  • Based on the PR (pull request)
  • Based on the master, after the code is merged

Sonar analysis will run for both builds; the analysis passes on the PR build.
But after the code is merged to master, the analysis shows the code is vulnerable.

In this case, the analysis should throw an error during the PR (pull request) build only. This has been occurring frequently in recent times.

Kindly help out on this issue. Sonar analysis should pass on both builds.
If the code is vulnerable it should fail in both builds.




Your version is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:

9.2.4 → 9.9 → 10.1 (last step optional)

You may find these resources helpful:

If you have questions about upgrading, feel free to open a new thread for that here.

If your error persists after upgrade, please come back to us.

Hi, we have upgraded to 9.9 LTS as suggested. But we still face this issue at times.

The Sonar analysis gate passed during the PR merge, but the code shows as vulnerable during the master build. I guess the issue still persists in 9.9 LTS too.

Can you help out on this?


Hey there.

Looking at your post with fresh eyes – I have a few questions:

  • Is the Quality Gate for your project green before the PR is merged?
  • If yes, can you provide an example of a vulnerability that was raised after merge (that should have been raised as a part of the pull request)?
  • Are other issues raised as part of the pull request (and you see the proper changed code in the Code tab of the PR)?

Remember that a PR will only contain issues on changed lines of code.

To answer your questions:

  1. Yes, quality gate is green before merging the PR
  2. Attached a sample image of the vulnerability. But the vulnerability differs for each project.
  3. No other issues as part of the PR; whenever the analysis runs for the PR, the quality gate passes successfully.

So, I checked out this “new code” in the Sonar UI. How do these options work?

  • Previous version
  • Number of days

I need Sonar to stop analyzing and showing the vulnerability on the old code (which is months and years back). Can you help with that?


Hi @Colin, any update on the above reply?

Please let us know on the fix for this ASAP.


Hey there.

It doesn’t look like any image is attached.

I’m a bit confused here – I thought you expected this issue to be raised on the pull request, which would only be related to new code?

This is a free community forum. Sometimes it requires time to look through everything, while managing the rest of the Community. Please do not bump threads daily and familiarize yourself with the FAQ.

I created a topic, when can I expect a response?

This is an open community with people volunteering their free time to provide assistance. We’re eager to contribute to the community, but you are not guaranteed a fast response.

Be patient

  • Wait a few days before bumping a topic that hasn’t received a response.
  • Do not @name mention individuals not involved in the topic.

Contribute as much as you expect to receive

  • Contribute to the community (helping others) as much as you expect to receive help.

Hey there,

Sorry, I forgot to attach the image.

It just analyzes the code that we try to merge to master (PR build).
After the code is merged, a new build runs based on the master code; only at that time does it analyze the overall code and show the vulnerabilities from past years (2 years, 10 months, etc.).


Has anyone faced the above issue which I reported?

Please let me know if anyone knows the fix for this.