Sonarqube and bitbucket code insight with git submodules

Must-share information (formatted with Markdown):

  • Sonarqube Version 9.9 (build 65466)
  • Sonarscanner-cli-
  • BitBucket v7.21.6
  • SonarQube deployed in Docker via kubernetes

We are using sonarqube for several software components. We have recently started to migrate from “raw” git to git submodules. The components that use submodules we do not get a proper integration with bitbucket.

The sonarqube branch analysis complain about missing blame information. In the build log we can see:

INFO: SCM Publisher 2000 source files to be analyzed
INFO: SCM Publisher 0/1884 source files have been analyzed (done)
WARN: Missing blame information for the following files
WARN:   *modules/..../**.cpp
..... about 2000 files listed with no blame information
WARN: This may lead to missing/broken features in SonarQube
INFO: ANALYSIS SUCCESSFULL, you can find the resuts in ...

The results show in Sonarqube. Both analysis on the branch and on the PR. The branch analysis warn about missing balme information in the sonarqube web gui. The PR analysis looks ok.

In Bitbucket there is no sonarqube report associated with the PR.
This component has been analyzed before. The only difference is that we have migrated from several “flat” git repositories, the component now uses git submodules.

I can see in some issues on the community web that there may be some issues with submodules. Is there something special that we need to configure or consider when using submodules with SonarQube?

Hey there.

What strategy do you use to checkout your submodules?

Something like git submodule update --init --recursive

You should also make sure that your submodule checkout is not shallow.

git submodule update --init --recursive --checkout

It is not shallow.

I’ll flag this for attention from some submodule experts (I know we’ve put in some work on this before)

Hi @jfn98007,

Are your new git submodules ignored via a .gitignore file? Could you try passing -Dsonar.scm.exclusions.disabled=true when running your analysis and see if it works then? (warning: this will analyze any files that are listed in .gitignore)