I am currently evaluating SonarQube Developer Edition and its integration with GitLab, and I have a few questions about how SonarQube works (how it should work vs. how it is working vs. how it could work).
Thus far, my changes are all in a branch () and have yet to be merged to master (as we are still configuring our setup).
Thus far I have pushed the changes and created a merge request on my changes in my branch. So when I click the drop-down I see:
If I look at my branch I see a whole bunch of issues under the overall code tab for the branch.
The New Code tab doesn't have anything, since there has only been one scan of the branch.
When I look at the PR I see it says 0s across the board. So I decided to fix one of the vulnerabilities found in the branch. Similarly on my MR I get a nice report (as a comment) with 0s.
I decided to fix one of the trivial vulnerabilities that were found on the branch, and after pushing I still see 0s across the board.
I was expecting to see a decrease in the number of vulnerabilities (-1 perhaps?) indicating that my MR is making our code better, but I did not, which is a bit puzzling. So if I introduce a security issue, will I see a 1 here?
Overall, it's not clear what SonarQube is doing with respect to scanning master, branches, and MRs and the subsequent reports. Does the fact that I have no scans on master affect this?
I am either expecting the scan to report the total number of issues on this MR, OR I am expecting to see the change in the number of issues on this MR, neither of which is happening? (Although I have yet to try to introduce an issue.)