As a result of the recent log4j security issues and the official Sonarqube response (basically that only the latest versions are deemed safe and any prior version will not be checked), we have performed testing - upgrading from our existing version of Sonarqube (7.7) to version 9.2.4.
As an initial test, we then reran analysis on a relatively small codebase - using the same Quality Profile as was used in the old version. Whilst the old version detected a number of bugs (classed as C overall) and vulnerabilities (classed as D overall) - the latest version flagged up 0 bugs, 0 vulnerabilities and marked the code as ‘A’ in all respects.
This is a concern. How can the exact same level of code go from ‘having various areas of concern’ to ‘being completely clean’ as a result of upgrading Sonarqube? I understand fully that in each of the upgrade steps along the way the rulesets have had various changes applied (by the upgrade process itself), but even so, to make such a drastic change in results seems wrong. It is at the very least disconcerting - to the point where we are now wondering if later versions of the free Sonarqube offering simply no longer do what was previously offered, potentially rendering the free version pretty much useless?
Has anyone else experienced similar or got any thoughts on this at all?
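One way to check where the findings went, as an added diagnostic that is not part of the post above or of SonarQube itself: pull the active rules of the profile and the open issues of the project from both the 7.7 and the 9.2.4 server, then split the lost issues into "rule no longer active after the profile migration" versus "rule still active but silent". The script assumes the standard paged Web API endpoints api/rules/search (with activation=true and qprofile) and api/issues/search (with componentKeys), a user token sent as the HTTP basic-auth username, and placeholder server URLs, project key and profile keys; the sample responses embedded below are constructed, with made-up rule keys, so the comparison logic runs offline.

```python
"""Compare SonarQube rule activation and issue counts between two servers.

Added diagnostic, not code from the original post. Assumptions: the Web API
endpoints api/rules/search and api/issues/search return paged JSON as in
SonarQube 7.x/9.x, and a user token is accepted as the basic-auth username.
"""
import base64
import json
import urllib.parse
import urllib.request
from collections import Counter


def active_rule_keys(pages):
    """Collect rule keys from one or more api/rules/search response pages."""
    keys = set()
    for page in pages:
        for rule in page.get("rules", []):
            keys.add(rule["key"])
    return keys


def issue_counts_by_rule(pages, types=("BUG", "VULNERABILITY")):
    """Count open issues per rule key from api/issues/search response pages."""
    counts = Counter()
    for page in pages:
        for issue in page.get("issues", []):
            if issue.get("type") in types:
                counts[issue["rule"]] += 1
    return counts


def compare(old_rules, new_rules, old_counts, new_counts):
    """Attribute each lost issue to a deactivated rule or to a rule that is still active."""
    report = {
        "deactivated_rules": sorted(old_rules - new_rules),
        "newly_active_rules": sorted(new_rules - old_rules),
        "lost_to_deactivation": 0,          # issues whose rule is no longer active
        "lost_with_rule_active": {},        # rule still active, yet findings vanished
        "new_findings": {},
    }
    for rule, n in old_counts.items():
        delta = n - new_counts.get(rule, 0)
        if delta <= 0:
            continue
        if rule in new_rules:
            report["lost_with_rule_active"][rule] = delta
        else:
            report["lost_to_deactivation"] += delta
    for rule, n in new_counts.items():
        if n > old_counts.get(rule, 0):
            report["new_findings"][rule] = n - old_counts.get(rule, 0)
    return report


def fetch_pages(base_url, token, path, params, page_size=500):
    """Fetch every page of a paged endpoint (network; only called from compare_servers).

    api/issues/search rejects p*ps > 10000, so split very large projects
    by directory or rule key if you hit that limit.
    """
    auth = base64.b64encode(f"{token}:".encode()).decode()
    page, pages = 1, []
    while True:
        query = dict(params, ps=page_size, p=page)
        url = f"{base_url.rstrip('/')}/{path}?{urllib.parse.urlencode(query)}"
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        pages.append(body)
        total = body.get("total") or body.get("paging", {}).get("total", 0)
        if page * page_size >= total:
            return pages
        page += 1


def compare_servers(old, new, project):
    """End to end: old/new are dicts with url, token and profile (profile key)."""
    issue_params = {"componentKeys": project, "resolved": "false", "types": "BUG,VULNERABILITY"}
    rules = {}
    issues = {}
    for name, srv in (("old", old), ("new", new)):
        rules[name] = active_rule_keys(fetch_pages(
            srv["url"], srv["token"], "api/rules/search",
            {"activation": "true", "qprofile": srv["profile"]}))
        issues[name] = issue_counts_by_rule(fetch_pages(
            srv["url"], srv["token"], "api/issues/search", issue_params))
    return compare(rules["old"], rules["new"], issues["old"], issues["new"])


# Constructed sample responses standing in for the two servers (made-up rule keys).
OLD_RULES = [{"total": 3, "rules": [{"key": "demo:deref"}, {"key": "demo:sqli"}, {"key": "demo:catch"}]}]
NEW_RULES = [{"total": 2, "rules": [{"key": "demo:deref"}, {"key": "demo:catch"}]}]
OLD_ISSUES = [{"paging": {"total": 4}, "issues": [
    {"rule": "demo:deref", "type": "BUG"},
    {"rule": "demo:deref", "type": "BUG"},
    {"rule": "demo:sqli", "type": "VULNERABILITY"},
    {"rule": "demo:catch", "type": "CODE_SMELL"},
]}]
NEW_ISSUES = [{"paging": {"total": 0}, "issues": []}]


def demo_report():
    """Run the comparison on the constructed sample data."""
    return compare(active_rule_keys(OLD_RULES), active_rule_keys(NEW_RULES),
                   issue_counts_by_rule(OLD_ISSUES), issue_counts_by_rule(NEW_ISSUES))


if __name__ == "__main__":
    print(json.dumps(demo_report(), indent=2))
```

A non-empty `lost_with_rule_active` is the interesting case: the rule survived the profile migration, so the analyzer itself stopped reporting, which points at the scanner run (wrong project key, sources not picked up, language plugin missing or analysis failing quietly) rather than at the profile. Before trusting either number, confirm with api/qualityprofiles/search?project=<key> that the 9.2.4 project is actually bound to the profile you think it is, since a migrated profile can end up as a renamed copy while the project falls back to the built-in default.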