Sonar qube overview

I am currently evaluating Sonar Qube developer edition and its integration with GitLab and I have a few questions about how Sonar Qube works (how it should work vs how it is working vs how it could work).

Thus far, my changes are all in a branch () and have yet to be merged to master (as we are still configuring our setup).

Thus far I have pushed the changes and created a merge request on my changes in my branch. So when I click the drop down I see:

If I look at my branch I see a whole bunch of issues under the overall code tab for the branch.

The new code tab doesn’t have anything, since there has only been one scan of the branch.

When I look at the PR I see it says 0s across the board. So I decided to fix one of the vulnerabilities found in the branch. Similarly on my MR I get a nice report (as a comment) with 0s.

I decided to fix one of the trivial vulnerabilities that were found on the branch, and after pushing I still see 0s across the board.

I was expecting to see a decrease in the number of vulnerabilities (-1 perhaps?) indicating that my MR is making our code better, but I did not, which is a bit puzzling. So if I introduce a security issue with I see a 1 here?

Overall, it’s not clear what Sonar Qube is doing with respect to scanning master, branches, and MRs and the subsequent reports. Does the fact that I have no scans on master affect this?

I am either expecting the scan to report the total number of issues on this MR OR I am expecting to see the change in the number of issues on this MR – of which neither is happening? (Although I have yet to try to introduce an issue.

Hey there.

Pull Requests only look at New Code (code changed in the pull request), and whether or not there has been an issue introduced on New Code. There is a Feature Request (FR-8: Show the number of issues fixed by PRs) with no ETA.

  • I’m happy to link this community thread to that feature request, it signals your support!
  • Scanning as a branch rather than a pull request scans everything and can show you if an issue still exists or not
  • SonarLint can show you whether or not an issue has been fixed while you code!

Hey Colin,

Nice name :wink:

I’m very surprised this is not a feature. It’s almost a deal breaker for us; hence the reason I am confused by the actual output. It’s great and all that Sonar Qube tells me where we have issues. But how do I know if I fixed an issue, because that’s just as important as identifying the issue itself…

Understood regarding SonarLint, but we prefer everything to be visible in the MR – for visibility to a broader audience.

Also, we only run a pipeline on a branch if an MR does not exist, so this feature would be a top priority for us. Please add +1000 for us, please.