Running code analysis on my development laptop
I’ve been using SonarQube for a few months. Yesterday while working on a single file to deal with a Cognitive Complexity issue, I periodically ran an analysis to check my progress. Everything looked fine, then suddenly after running an analysis a bunch of Security Hotspot and Code Smell issues disappeared from the results. I had not made any changes to address those issues!
Notably, of the 50 Security Hotspot issues I had before, only one remains, and it is one of 28 similar issues that should still be in my results. Code Smell issues dropped from 67 to 28.
What could possibly be the cause? As far as I know NOTHING CHANGED between the previous analysis and the one that does not include all of the issues.
I hope someone in the community can help!
Well, I guess you know that there is nothing mysterious in computing, only things that we don’t understand.
There are 2 ways to look at this:
- at the analysis level (scanner execution): is the analysis scope the same? i.e. are the files where you had issues still analyzed? Can you see them in SonarQube?
- at the SonarQube level: are the rules still enabled (i.e. Quality Profile)? Are you sure you are not looking only at a specific branch? Or only at the New Code period?
I hope it will help.
In addition to Antoine’s post, this might also be related to Elasticsearch!?
You may try a full Elasticsearch reindex, see https://docs.sonarqube.org/latest/faq/ => How do I trigger a full ElasticSearch reindex?
Thank you, Antoine. As I said, I didn’t change anything between the analysis showing 50 security hotspots and the analysis showing only one hotspot, other than a few lines of code in a single file.
I don’t know how to check the analysis scope, where to see my files in SonarQube, or how to check if I’m looking at only a specific branch or New Code.
I’m using the free version of SonarQube.
I am open to suggestions!
Thank you, Gilbert. I was hoping that reindexing would solve my problem but alas, no. I restarted my computer, deleted the …\data\e6 folder, and ran a fresh analysis. Still looking for a solution!
To check the analysis scope, run the scanner in debug mode (sonar-scanner -X); it will list all indexed (i.e. analyzed) files, so you can check if what’s expected is indeed listed or not.
In SQ, simply browse the project code (from the Code tab). Do you have all your files there? BTW you are using an 8.0 version; you should upgrade to 8.2, as several UI changes have been made.
Here is a screenshot of our Java Analyzer analyzed in SQ, so you can understand what UI things I’m referring to
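An added example, not part of the original post and not SonarSource code: a short Python script that compares the indexed-file lists from two sonar-scanner -X logs and reports which files dropped out of analysis scope, since findings for a file that is no longer indexed disappear with it. The debug line shape matched by the regex and the sample log lines are assumptions constructed for illustration; check them against your scanner version's output.

```python
import re
import sys

# Assumed debug line shape: "'<path>' indexed with language '<lang>'",
# optionally "indexed as test with language". Adjust for your scanner version.
INDEXED = re.compile(
    r"'(?P<path>[^']+)' indexed (?:as test )?with language '(?P<lang>[^']*)'"
)

def indexed_files(log_text):
    """Return {path: language} for every file the log reports as indexed."""
    return {m["path"]: m["lang"] for m in INDEXED.finditer(log_text)}

def scope_diff(before_log, after_log):
    """Compare the analysis scope of two scanner debug logs."""
    before, after = indexed_files(before_log), indexed_files(after_log)
    common = set(before) & set(after)
    return {
        "dropped": sorted(set(before) - set(after)),  # findings here vanish
        "added": sorted(set(after) - set(before)),
        "language_changed": sorted(p for p in common if before[p] != after[p]),
    }

# Constructed sample logs (not real scanner output from the thread).
SAMPLE_BEFORE = """\
DEBUG: 'src/app/Login.php' indexed with language 'php'
DEBUG: 'src/app/Upload.php' indexed with language 'php'
DEBUG: 'src/app/util.js' indexed with language 'js'
DEBUG: 'tests/LoginTest.php' indexed as test with language 'php'
"""
SAMPLE_AFTER = """\
DEBUG: 'src/app/Login.php' indexed with language 'php'
DEBUG: 'src/app/util.js' indexed with language 'web'
DEBUG: 'tests/LoginTest.php' indexed as test with language 'php'
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py before.log after.log
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            result = scope_diff(f1.read(), f2.read())
    else:
        result = scope_diff(SAMPLE_BEFORE, SAMPLE_AFTER)
    for kind, paths in result.items():
        print(f"{kind}: {paths}")
```

Capture each run with sonar-scanner -X redirected to a file, then pass the two files as arguments.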
Thank you again. As it is, I backed out a day’s worth of changes in my code and everything returned to normal. Then I re-applied the changes I had made a few at a time and tested at several points. Everything now looks as it should, my 50 security hotspots and 68 code smells are showing up in the analysis. Gremlins, obviously!