Sonar is reporting new issues on source files that have not been modified for months

  • ALM used: GitHub
  • CI system used: GitHub Actions
  • Scanner command used when applicable (private details masked)
dotnet sonarscanner begin /d:sonar.host.url=https://sonarcloud.io/ /o:${{OurOrganizationName}} /k:${{OurProjectName}} /d:sonar.login=*** /d:"sonar.cs.nunit.reportsPaths=**/{{Redacted}}.xml" /d:"sonar.cs.opencover.reportsPaths={{Redacted}}"
  • Languages of the repository: c# / .net

  • Error observed
    Sonar is reporting new issues on files that have not been modified for months (long before the new code definition)
    Our “new code” definition is based on a specific version.
    We create a new version every few weeks (in the “Activity” tab in SonarCloud).
    e.g. Sonar has flagged a Bug in our New Code. When I open the issue (c# file), sonar says the issue was introduced “14 days ago”.
    When I look at the git history for that same file, the file was last modified Aug 15 (3 months ago).

I don’t understand why sonar is raising new issues on files that have not been modified since long before the new code definition.

In our current analysis, sonar has done this on 2 different files.

One possible clue I can give is that the date the issue was created (14 days ago) might be the same time that I updated the definition of “New Code” (by creating a new version in the Activity tab). I am not sure about this, and it could also just be a coincidence.

We are using version 5.13.0 of the sonarscanner plugin

Hi

You didn’t say this is in a PR, but it’s still worth noting that typically when you see issues on old code reported in a pull request, it’s because there was a problem reading the SCM data, which is how analysis determines what’s new. Either that, or the branch being targeted by the PR wasn’t available in the local repository.

If you check the bottom of your analysis log, do you see a message about SCM detection being disabled?

Additionally, there are very legitimate reasons “new” issues show up in old code, as described in this guide.

Ann

Thank you Ann.

My query is about issues found on our main branch, not PRs.

Those links were very informative. I didn’t realise sonar analysis was that sophisticated.

I think the situation is that an existing function was called from a new place or in a different way. This was flagged as a new issue in that function, even though it had not been modified. The “Source” listed in the issue report was indeed modified within the new code time period.

Cheers,
Andreas
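The two replies above make one combined point: analysis decides what is "new" from SCM blame data, and an issue can carry several locations, so a file nobody has touched for months can still produce a new issue when the flow's "Source" sits in a file that was changed inside the new code period. The script below is an added example, not SonarCloud's or the scanner's code. It parses constructed `git blame --line-porcelain` output for two hypothetical files (`src/Parser.cs`, last touched 2023-08-15, and `src/Importer.cs`, whose new call site dates from 2023-11-14) and applies the backdating rule as I understand it, stated here as an assumption: a newly detected issue's creation date is the most recent SCM date across all of its locations, primary and flow alike, and the issue is in new code when that date falls on or after the period start. The file names, commit hashes, dates and the 2023-10-01 period start are all made up for the example.

```python
"""Added example (not SonarCloud code): why an issue on an unchanged file
can still be reported in "new code" when one of its flow locations is new.

Assumed rule (my understanding of issue backdating, treat as an assumption):
creation date = latest SCM date over every location of the issue; the issue
is "new" if that date is on or after the new code period start.
"""
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed `git blame --line-porcelain` output for two hypothetical files.
# Parser.cs: every line last changed 2023-08-15 (author-time 1692057600).
# Importer.cs: the call site was added 2023-11-14 (author-time 1700000000).
BLAME: Dict[str, str] = {
    "src/Parser.cs": "\n".join([
        "1111111111111111111111111111111111111111 1 1 3",
        "author Alice", "author-time 1692057600",
        "summary add parser", "filename src/Parser.cs",
        "\tpublic static int Length(string s)",
        "1111111111111111111111111111111111111111 2 2",
        "author Alice", "author-time 1692057600",
        "summary add parser", "filename src/Parser.cs",
        "\t{",
        "1111111111111111111111111111111111111111 3 3",
        "author Alice", "author-time 1692057600",
        "summary add parser", "filename src/Parser.cs",
        "\t    return s.Length;  // primary location: possible null dereference",
    ]) + "\n",
    "src/Importer.cs": "\n".join([
        "2222222222222222222222222222222222222222 1 1 2",
        "author Bob", "author-time 1700000000",
        "summary call Parser.Length from importer", "filename src/Importer.cs",
        "\tstring name = null;",
        "2222222222222222222222222222222222222222 2 2",
        "author Bob", "author-time 1700000000",
        "summary call Parser.Length from importer", "filename src/Importer.cs",
        "\tint n = Parser.Length(name);  // flow \"Source\": the new call site",
    ]) + "\n",
}

# Hypothetical new code period start (the date the version was created).
PERIOD_START = datetime(2023, 10, 1, tzinfo=timezone.utc)

Location = Tuple[str, int]  # (file path, 1-based line number)


def line_dates(porcelain: str) -> Dict[int, datetime]:
    """Map each final line number to its author date.

    Keys on the author-time header of --line-porcelain output; that this is
    the timestamp the scanner uses is an assumption of this example.
    """
    dates: Dict[int, datetime] = {}
    line_no = None
    author_time = None
    for raw in porcelain.splitlines():
        if raw.startswith("\t"):  # the content line closes one record
            if line_no is not None and author_time is not None:
                dates[line_no] = author_time
            line_no = author_time = None
            continue
        parts = raw.split()
        if len(parts) >= 3 and len(parts[0]) == 40 and parts[1].isdigit():
            line_no = int(parts[2])  # third field is the line in the final file
        elif parts[:1] == ["author-time"]:
            author_time = datetime.fromtimestamp(int(parts[1]), tz=timezone.utc)
    return dates


def file_last_change(porcelain: str) -> datetime:
    """Most recent author date of any line in the file (what `git log` shows)."""
    return max(line_dates(porcelain).values())


def issue_creation_date(blame: Dict[str, str], locations: List[Location]) -> datetime:
    """Latest SCM date across every location of the issue (assumed rule)."""
    return max(line_dates(blame[path])[line] for path, line in locations)


def is_in_new_code(blame: Dict[str, str], locations: List[Location],
                   period_start: datetime = PERIOD_START) -> bool:
    """True when the (backdated) creation date falls inside the new code period."""
    return issue_creation_date(blame, locations) >= period_start


if __name__ == "__main__":
    primary: Location = ("src/Parser.cs", 3)
    source: Location = ("src/Importer.cs", 2)
    print("Parser.cs last changed:", file_last_change(BLAME["src/Parser.cs"]).date())
    print("issue with primary only, new code?", is_in_new_code(BLAME, [primary]))
    print("issue with flow source,  new code?", is_in_new_code(BLAME, [primary, source]))
```

Run stand-alone, the script shows the same pattern as the thread: `Parser.cs` was last changed well before the period start, an issue with only the primary location in that file would be backdated to August and stay out of new code, but the same issue with its flow "Source" in `Importer.cs` is dated by the November call site and lands in new code. If your own analysis log reports that SCM detection was disabled, none of these dates are available to the scanner, which is the other situation Ann describes.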
