Sonar server community version 9.9.8: git submodules are getting analyzed as default behaviour

SonarQube Server / Community Build
1

I am trying to set up sonarserver:9.9.8- community.
I have migrated data from version 8.9.2-community and everything is working fine except for few projects which have git submodules.
Coming from 8.9.2 I assume these are ignored until and unless explicitly specified using the setting : ```
sonar.scm.exclusions.disabled = true

But the behaviour seems to be changed in v9.9.8.


Must-share information (formatted with [Markdown](https://commonmark.org/help/)):
* which versions are you using (SonarQube Server / Community Build, Scanner, Plugin, and any relevant extension) : SonarServer 9.9.8
* how is SonarQube deployed: Docker
* what are you trying to achieve : Migrated from version 8.9.2
* what have you tried so far to achieve this

**Do not share screenshots of logs -- share the text itself (bonus points for being well-formatted)!**
2

Hi,

Welcome to the community!

Congratulations on your recent upgrade. Unfortunately, only the latest version of SonarQube Community Build is considered active, so you’ll need to upgrade and see if the situation is still replicable before we can help you.

Your upgrade path is:

9.9.8 → 25.3

You may find these resources helpful:

Given your recent upgrade from 8.9.2, you may also be interested in this:

If you have questions about upgrading, feel free to open a new thread for that here.

If your error persists after upgrade, please come back to us.

 
Ann

3

Hi Ann,

Thank you for your response.
I have tested this on my local with sonar version * Community Build

  • v25.3.0.104237
    And scanner-cli 6.0

I am still seeing that submodules are getting analysed in this version as well.
Is this something we need to explicitly specify in new versions.
If yes, can you please point me to any documentation; I can take help from.

For context I tried passing sonar.scm.exclusions.disabled= false explicity to cli and this didn’t worked for me.

../../sonar-scanner/sonar-scanner-6.0.0.4432-linux/bin/sonar-scanner -Dsonar.host.url='http://localhost:9000' -Dsonar.scm.exclusions.disabled=false -Dsonar.login='<REDACTED>'
4

Hi,

sonar.scm.exclusions.disabled=false is the default behavior. By default, if it’s in your e.g. .gitignore then it’s ignored by analysis. The thinking is that if you don’t want to check it in, then it’s either generated or not code to begin with.

If you want analysis not to include your submodules, then you should either set a narrower initial analysis scope or use exclusions (or perhaps inclusions but probably not both) to keep the submodules out of the analysis.

 
HTH,
Ann

5

Thank you for sharing the information and helping me understand.

I’m still a bit confused, though. Coming from v8.9.2, my understanding was that if sonar.scm.exclusions.disabled=true is not specified in the sonar-project.properties file, SonarQube would, by default, not analyze the submodules.

Based on your explanation, it now seems that I need to specify the submodules folder in .gitignore to ensure SonarQube skips them during analysis.

I’m trying to understand the purpose of sonar.scm.exclusions.disabled=false when it seems that everything needs to be managed via .gitignore. Could you please clarify this for me? I appreciate your time and guidance.

6

Hi,

Now I’m confused. Are the submodules something you don’t check in?

Also, I think there’s a misunderstanding of the property name.

exclusions disabled=true disables the exclusions. I.E. it turns on analysis for those files which would otherwise be ignored.

 
Ann

7

The submodules I’m referring to are repositories that my code relies on to enable certain functionalities. However, I don’t check in these submodules; I typically just fetch them to update my local copy, and that’s all.

For this reason, we prefer not to include them in the analysis.

8

Hi,

Then you’ll need to adjust your analysis scope.

 
HTH,
Ann