Sonarqube Community Edition Security Hotspot issue

SonarQube Server / Community Build
1

Hii,

I am writing down everything about my sonarqube here.

Self Hosted sonarqube community edition version 10.1. Installed using docker (docker-compose) using the official sonarqube docs. Installed on ubuntu 22.04.

The issue is::
For my gitlab repo, gitlab pipeline runs for every merge request - and it runs sonarqube, scans the code, and uploads analysis to a sonarqube project. The branch that is being scanned is called “alpha” and the PR is being merged into “alpha” branch only.

4 days back everything was working fine. But then all pipelines start to failed because quality gate failed. The quality gate says this::

image
image1852×754 77 KB

It says 98.4% security hotspot reviewed and it fails the pipeline because of quality gate. But when I go the the “to be reviewed” section of security hotspot - it gives nothing (no issue)

image
image1594×553 41.6 KB

There are few issues that I have saved as well, but they are in safe - so it shouldn’t create problem.

Now, how can I fix this issue if I am not able to see what the issue is.

All the other checks are fine - there are 8 bugs in overall code - but earlier quality gate was passing even after those bugs. And the issue is with security hotspot only.

Also, attaching screenshot of quality gate for this project

image
image1435×562 41.7 KB

What I have tried::
1- To see whether this issue is with the security hotspot percentage. I reduced the threshold of “Security Hotspots Reviewed” to 98% from 100 in quality gate settings. And the quality gate passed - since is is 98.3% – so now I know issue is with “Security Hotspots Reviewed pecentage” - but I cannot fix it since I cannot see issue in to be reviewed.

2- I tried this documentation and did exactly what he described - but it did not work

Please let me know the cause of this issue and how can I fix it.

P.S - also sharing the sonarqube pipeline stage

sonarqube-check:
  stage: sonarqube-test
  image:
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [""]
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    #- sonar-scanner #scanner
    - sonar-scanner -Dsonar.qualitygate.wait=true
  allow_failure: false
  rules:
    - if: $CI_COMMIT_BRANCH == 'master' || $CI_PIPELINE_SOURCE == 'merge_request_event'

Thankyou in advance.

Priyanshi Sarad
DevOps Engineer

2

Hey there.

SonarQube v10.1 is EOL – can you try updating to SonarQube v10.4.1 to see if the issue persists? Thanks!

3

Hii,

Thankyou for your reply. Sure, I will try updating it to latest and then will update.

Regards,
Priyanshi Sarad