Sonar seems to now be including submodules when scanning, please revert

I merged a PR that had no sonar issues into a project that had no sonar issues. The next analysis reported 4k+ new issues. After investigation I found that these are all coming from a git submodule. Can this behavior be reverted, and opt in? Otherwise how do I disable it as I certainly do not have the capacity to ensure every dependency is following sonar rules.

I think this new behavior is also causing all analysis on one of my repos to fail, due to timeout. I am not getting any PR comment on pull requests and the analysis when a PR is merged, never completes. The project has a lot of submodules.

GitHub: GitHub - LizardByte/Sunshine: Self-hosted game stream host for Moonlight. · GitHub
Sonar: SonarQube Cloud

If sonar is intentionally going to enable submodule scanning going forward, can someone at least let me know how to disable this?

Just a friendly bump after a long weekend.

Anything else I can provide to help diagnose/solve this? Hoping to get a resolution soon, as this is blocking work in GitHub - LizardByte/Sunshine: Self-hosted game stream host for Moonlight. · GitHub

Hello @ReenigneArcher,

Thanks for the detailed reports and for the follow-up. A couple of things I want to confirm, then a workaround you can try now.

Both these projects appear to be using Automatic Analysis (no sonar-project.properties and no explicit scan step in your CI), which means Sonar’s own backend checks out and scans the repo rather than your pipeline. That would explain why this changed with no config edits on your end.

While we look into whether this is an intended or unintended change on our side, you should be able to exclude the submodule paths in the meantime. Two options:

  1. In SonarQube Cloud, go to Project Settings > Administration > General Settings > Analysis Scope > Files, and add an exclusion pattern for the submodule path, for example path/to/submodule/**.
  2. Or add a .sonarcloud.properties file at the repo root with sonar.exclusions=path/to/submodule/** (note, this is different from sonar-project.properties, which is ignored under Automatic Analysis, see: Additional analysis configuration).

For the Sunshine timeout, this is likely the same root cause, the extra submodule files pushing analysis over the time limit (which is 45 minutes for Automatic analysis), so excluding those paths should help there too.

A couple of questions so we can pin down the actual cause:

  1. Can you confirm whether these projects are on Automatic Analysis (Administration, Analysis Method) rather than a CI-based scan?
  2. What are the exact submodule path(s) in libvirtualhid and Sunshine, so we can check whether this is a broader pattern?
  3. Roughly when did this start, the July 3 PR merge, or had you noticed it before that on either project?

Best regards,

Stevan

Thank you for the response @stevan.vanderwerf !

note, this is different from sonar-project.properties, which is ignored under Automatic Analysis

This explains a different issue I had for other projects. Thanks! I suppose I need both files if I want automatic analysis AND to use the sonar IDE plugin?

A couple of questions so we can pin down the actual cause:

  1. I use automatic analysis for all my projects, yes. As far as I know I can’t exactly use CI analysis because then I wouldn’t be upload the results for PRs from forks (since these are open source projects, that’s a no go)… unless sonar now has a way to tokenless upload like codecov can (last time I checked this wasn’t the case).
  2. Submodules are mostly under the “third-party” directory, but not always.
  3. I noticed it July 3rd when that PR was merged, but something may have changed on your end a bit before that. Looking a little closer, I see feat(windows): add keyboard/mouse support and expose global UMDF control-device path by ReenigneArcher · Pull Request #34 · LizardByte/libvirtualhid · GitHub was merged July 1, the PR was clean, but after merge sonar reported 31 issues (feat(windows): add keyboard/mouse support and expose global UMDF cont… · LizardByte/libvirtualhid@f06302f · GitHub)… clicking the red “X” shown in the screenshot will show the sonar failure.

This PR probably shows a good timeline of when the issue started. There is a previous sonar comment of when it was working correctly (July 3rd 12:33AM EDT) - feat(input): implement libvirtualhid by ReenigneArcher · Pull Request #5368 · LizardByte/Sunshine · GitHub … so it must have changed sometime after that.

Edit: I was hoping I wouldn’t have to add these properites files to so many repos, but I started the process. Anyway, since this comment will probably be deleted if it worked I wanted to add a screenshot showing when it was working without having to explicitly exclude submodules.