Issue we are facing:
Whenever a new merge request is raised for the master code, SonarQube analysis will run.
So basically two builds will run for a master merge:
Based on the PR (pull request)
Based on the master, after the code is merged
Sonar analysis will run for both the builds; the analysis passes on the PR build.
But, after the code is merged to master the analysis shows the code is vulnerable.
In this case, the analysis should throw an error during the PR (pull request) build only. This has been occurring frequently in recent times.
Kindly help out with this issue; Sonar analysis should pass on both the builds.
If the code is vulnerable it should fail in both builds.
I’m a bit confused here – I thought you expected this issue to be raised on the pull request, which would only be related to new code?
This is a free community forum. Sometimes it requires time to look through everything, while managing the rest of the Community. Please do not bump threads daily and familiarize yourself with the FAQ.
This is an open community with people volunteering their free time to provide assistance. We’re eager to contribute to the community, but you are not guaranteed a fast response.
It just analyzes the code that we try to merge to the master (PR build).
After the code is merged, a new build will run based on the master code; only at that time does it analyze the overall code and show the vulnerabilities from past years (2 years, 10 months, etc.).