Sonarcloud raising issues in codebase a long time after merge

  • ALM used - GitLab
  • CI system used - GitLab

We run a Sonarcloud scan in CI both as part of our merge request pipelines and also on the main branch of our repository.

Currently the Sonarcloud scan is failing on the main branch of our repository.

One of the issues which is failing the sonar quality gate starting 24th July is a vulnerability in a file.

As our quality gate requires there to be no vulnerabilities, this means the scan in the main branch pipeline CI is failing.

However, looking in GitLab I can see that the file containing this vulnerability was last merged into the main branch on 26th June, and in this merge pipeline no issues were found.

Does anyone know why this issue is not being found in the Sonarcloud scan merge request pipeline or in subsequent Sonarcloud scans in pipelines run on the main branch, but is appearing so long after the change to the file was merged into the main branch? Is it related to the change in version of the codebase?

Hey there.

What programming language is the vulnerability raised on, and what is the specific vulnerability?

The programming language is Java and the vulnerability was “disable access to external entities in XML parsing”.

However, this is just one example; there are other issues that have arisen in other Java files that have not recently changed, passed on the merge request pipeline, and did not fail on subsequent main pipelines.
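For readers who want to see what the “disable access to external entities in XML parsing” finding refers to, the following is an added illustration, not code from the thread or from the poster's codebase. It assumes the finding is about a `javax.xml` parser factory left in its default configuration; the class and method names (`XmlParsing`, `parseWithDefaults`, `hardenedFactory`) are hypothetical, and the sample document is constructed for the demonstration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLInputFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class XmlParsing {

    // The pattern the rule flags: a default DocumentBuilderFactory resolves DTDs and
    // external entities, so untrusted XML can pull in local files or remote URLs.
    static Document parseWithDefaults(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    // Hardened configuration: refuse DOCTYPE declarations entirely (the simplest fix
    // when DTDs are not needed) and, as defence in depth, turn off external entity
    // and external DTD loading in case the first feature is ever relaxed.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    static Document parseHardened(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    // The same rule applies to StAX; the equivalent hardening for XMLInputFactory.
    static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return factory;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a harmless document that carries a DOCTYPE with an
        // internal entity. The default parser accepts and expands it; the hardened
        // parser rejects the document as soon as it sees the DOCTYPE.
        String sample = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE note [<!ENTITY greeting \"hello\">]>"
                + "<note>&greeting;</note>";

        System.out.println("default parser: "
                + parseWithDefaults(sample).getDocumentElement().getTextContent());
        try {
            parseHardened(sample);
            System.out.println("hardened parser: accepted (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected input: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac XmlParsing.java && java XmlParsing`; no dependencies beyond the JDK are needed. The reason the hardened version satisfies the rule is that it changes the factory's configuration at construction time, which is what the static analyser inspects; a fix applied only at call sites, or through a global system property, is easy to miss and may still be reported.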


Is there an update on this issue?

We are still seeing the same problem when we create new releases.