Sonarqube decoration not working on Gitlab

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    Developer Edition, Version 10.2.1
  • how is SonarQube deployed: zip, Docker, Helm
    Helm
  • what are you trying to achieve
    gitlab decoration
  • what have you tried so far to achieve this
    I have seen the SonarQube logs; they show success: { Pull Request decoration | status=SUCCESS}
    I have configured the settings under General > Server base URL and also the DevOps integration one.

Please help on this, how to configure.

Do not share screenshots of logs – share the text itself (bonus points for being well-formatted)!

Hi,

Welcome to the community!

So your merge request was successfully analyzed, and your server logs indicate that the MR decoration was successfully sent to GitLab, but it doesn’t show up in GL?

 
Ann

Yes, we are not getting comments of analysis on the GitLab merge request.

Getting this on the GitLab MR page.

Why are we not getting the decoration part here?

stages:
    - sonarqube-check
    - sonarqube-vulnerability-report

sonarqube-check:
  stage: sonarqube-check
  image:
    name: sonarsource/sonar-scanner-cli:5.0
    entrypoint: [""]
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    SONAR_TOKEN: '${SONAR_TOKEN}'
    SONAR_HOST_URL: '${SONAR_HOST_URL}'
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
      - set +e
      - npm install --no-progress --prefer-offline --no-audit
      # - npm install --save-dev jest sonarqube-scanner jest-sonar-reporter supertest
      - npm install jest  jest-sonar-reporter supertest ts-jest@next
      - npm install sonarqube-scanner -g
      - npm run test:ci:execute
      - sonar-scanner -Dsonar.qualitygate.wait=true -Dsonar.sources=src/ -Dsonar.tests=test/ -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info -Dsonar.testExecutionReportPaths=coverage/test-reporter.xml -Dsonar.test.inclusions='src/*.spec.ts,src/*/.spec.js' -Dsonar.exclusions='src/*/.spec.js,src/*/*.spec.ts'
    # - sonar-scanner
  allow_failure: true
  only:
    - ^new
    - master
    - main
    - develop
    - new-invoice

sonarqube-vulnerability-report:
  stage: sonarqube-vulnerability-report
  script:
    - 'curl -u "${SONAR_TOKEN}:" "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=xxxxxxxx-xxxxxIlS&branch=${CI_COMMIT_BRANCH}&pullRequest=${CI_MERGE_REQUEST_IID}" -o gl-sast-sonar-report.json'
  allow_failure: true
  only:
    - merge_requests
    - master
    - main
    - develop
    - new-invoice

  artifacts:
    expire_in:  1 week
    reports:
      sast: gl-sast-sonar-report.json
  dependencies:
    - sonarqube-check

This is the gitlab-ci for SonarQube.

Hi,

Thanks for the pipeline. Since this is about decoration, the question is actually at the server. Since your OP includes a log snippet

{ Pull Request decoration | status=SUCCESS}

that seems to indicate everything is already configured correctly, I’m not sure what to look at next. I’ve flagged this for more expert eyes.

 
Ann

Hello @Shubham_Negi, may I ask you to show the logs available on GitLab of the pipeline step called sonarqube-check?

Are you using also the Gitlab Vulnerability Report? If that is not the case you can simplify your GitLab CI configuration by removing everything related to sonarqube-vulnerability-report. That should make your config easier.

Matteo

I just got the config from Sonarqube UI, I just edited that, and I will remove the sonarqube-vulnerability-report part.
The logs of sonarqube check are:


Running with gitlab-runner 16.3.0 (8ec04662)

  on gitlab-runner-qfz2 M8CmnJnY, system ID: s_341d995999e6

section_start:1700124045:prepare_executor

Preparing the "docker" executor

Using Docker executor with image sonarsource/sonar-scanner-cli:5.0 ...

Pulling docker image sonarsource/sonar-scanner-cli:5.0 ...

Using docker image sha256:2f384fb1bbd5f033fa0b628efb5ef3d40b9cafaddb68b9ffdd8c3cacdc237199 for sonarsource/sonar-scanner-cli:5.0 with digest sonarsource/sonar-scanner-cli@sha256:494ecc3b5b1ee1625bd377b3905c4284e4f0cc155cff397805a244dee1c7d575 ...

section_end:1700124056:prepare_executor

section_start:1700124056:prepare_script

Preparing environment

Running on runner-m8cmnjny-project-145-concurrent-0 via gitlab-runner-qfz2...

section_end:1700124064:prepare_script

section_start:1700124064:get_sources

Getting source from Git repository

Fetching changes...

Initialized empty Git repository in /builds/xxxxxx/xxxxxx/.git/

Created fresh repository.

Checking out f61848de as detached HEAD (ref is new-invoice)...

Skipping Git submodules setup

section_end:1700124076:get_sources

section_start:1700124076:restore_cache

Restoring cache

Checking cache for sonarqube-check-non_protected...

WARNING: file does not exist

Failed to extract cache

section_end:1700124078:restore_cache

section_start:1700124078:step_script

Executing "step_script" stage of the job script

Using docker image sha256:2f384fb1bbd5f033fa0b628efb5ef3d40b9cafaddb68b9ffdd8c3cacdc237199 for sonarsource/sonar-scanner-cli:5.0 with digest sonarsource/sonar-scanner-cli@sha256:494ecc3b5b1ee1625bd377b3905c4284e4f0cc155cff397805a244dee1c7d575 ...

$ sonar-scanner

INFO: Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties

INFO: Project root configuration file: /builds/xxxxxx/xxxxxx/sonar-project.properties

INFO: SonarScanner 5.0.1.3006

INFO: Java 17.0.8 Alpine (64-bit)

INFO: Linux 6.1.0-12-cloud-amd64 amd64

INFO: User cache: /builds/xxxxxx/xxxxxx/.sonar/cache

INFO: Analyzing on SonarQube server 10.2.1.78527

INFO: Default locale: "en_US", source code encoding: "UTF-8" (analysis is platform dependent)

INFO: Load global settings

INFO: Load global settings (done) | time=285ms

INFO: Server id: 4A0584CD-AYuAE8noNnWjlfVNxA1T

INFO: User cache: /builds/xxxxxx/xxxxxx/.sonar/cache

INFO: Load/download plugins

INFO: Load plugins index

INFO: Load plugins index (done) | time=88ms

INFO: Load/download plugins (done) | time=6279ms

INFO: Loaded core extensions: developer-scanner

INFO: Process project properties

INFO: Process project properties (done) | time=8ms

INFO: Execute project builders

INFO: Execute project builders (done) | time=1ms

INFO: Project key: xxxxxx_xxxxxx_AYuFkIuaP-vH2EsU2IlS

INFO: Base dir: /builds/xxxxxx/xxxxxx

INFO: Working dir: /builds/xxxxxx/xxxxxx/.scannerwork

INFO: Load project settings for component key: 'xxxxxx_xxxxxx_AYuFkIuaP-vH2EsU2IlS'

INFO: Load project settings for component key: 'xxxxxx_xxxxxx_AYuFkIuaP-vH2EsU2IlS' (done) | time=73ms

INFO: Load project branches

INFO: Load project branches (done) | time=73ms

INFO: Load branch configuration

INFO: Detected branch/PR in 'GitLab'

INFO: Auto-configuring branch 'new-invoice'

INFO: Load branch configuration (done) | time=2ms

INFO: Auto-configuring with CI 'Gitlab CI'

INFO: Load quality profiles

INFO: Load quality profiles (done) | time=100ms

INFO: Load active rules

INFO: Load active rules (done) | time=4197ms

INFO: Load analysis cache

INFO: Load analysis cache | time=209ms

INFO: Branch name: new-invoice

INFO: Load project repositories

INFO: Load project repositories (done) | time=79ms

INFO: Indexing files...

INFO: Project configuration:

INFO: Excluded sources for duplication: src/database/migrations/*

INFO: 408 files indexed

INFO: 0 files ignored because of scm ignore settings

INFO: Quality profile for ts: Sonar way

INFO: ------------- Run sensors on module xxxxxx_xxxxxx_AYuFkIuaP-vH2EsU2IlS

INFO: Load metrics repository

INFO: Load metrics repository (done) | time=69ms

INFO: Sensor C# Project Type Information [csharp]

INFO: Sensor C# Project Type Information [csharp] (done) | time=1ms

INFO: Sensor C# Analysis Log [csharp]

INFO: Sensor C# Analysis Log [csharp] (done) | time=14ms

INFO: Sensor C# Properties [csharp]

INFO: Sensor C# Properties [csharp] (done) | time=0ms

INFO: Sensor HTML [web]

INFO: Sensor HTML [web] (done) | time=4ms

INFO: Sensor TextAndSecretsSensor [text]

INFO: 408 source files to be analyzed

INFO: 408/408 source files have been analyzed

INFO: Sensor TextAndSecretsSensor [text] (done) | time=1251ms

INFO: Sensor VB.NET Project Type Information [vbnet]

INFO: Sensor VB.NET Project Type Information [vbnet] (done) | time=1ms

INFO: Sensor VB.NET Analysis Log [vbnet]

INFO: Sensor VB.NET Analysis Log [vbnet] (done) | time=10ms

INFO: Sensor VB.NET Properties [vbnet]

INFO: Sensor VB.NET Properties [vbnet] (done) | time=0ms

INFO: Sensor JaCoCo XML Report Importer [jacoco]

INFO: 'sonar.coverage.jacoco.xmlReportPaths' is not defined. Using default locations: target/site/jacoco/jacoco.xml,target/site/jacoco-it/jacoco.xml,build/reports/jacoco/test/jacocoTestReport.xml

INFO: No report imported, no coverage information will be imported by JaCoCo XML Report Importer

INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=1ms

INFO: Sensor JavaScript/TypeScript analysis [javascript]

INFO: Found 1 tsconfig.json file(s): [/builds/xxxxxx/xxxxxx/tsconfig.json]

INFO: Creating TypeScript program

INFO: 408 source files to be analyzed

INFO: TypeScript configuration file /builds/xxxxxx/xxxxxx/tsconfig.json

INFO: Creating TypeScript program (done) | time=1145ms

INFO: Starting analysis with current program

INFO: 96/408 files analyzed, current file: /builds/xxxxxx/xxxxxx/src/invoice/line-item/line-item.service.ts

INFO: 211/408 files analyzed, current file: /builds/xxxxxx/xxxxxx/src/common/constants/countries.ts

INFO: 395/408 files analyzed, current file: /builds/xxxxxx/xxxxxx/src/kafka/kafka.service.spec.ts

INFO: Analyzed 408 file(s) with current program

INFO: 408/408 source files have been analyzed

INFO: Hit the cache for 0 out of 408

INFO: Miss the cache for 408 out of 408: ANALYSIS_MODE_INELIGIBLE [408/408]

INFO: Sensor JavaScript/TypeScript analysis [javascript] (done) | time=35097ms

INFO: Sensor CSS Rules [javascript]

INFO: No CSS, PHP, HTML or VueJS files are found in the project. CSS analysis is skipped.

INFO: Sensor CSS Rules [javascript] (done) | time=1ms

INFO: Sensor ThymeLeaf template sensor [securityjavafrontend]

INFO: Sensor ThymeLeaf template sensor [securityjavafrontend] (done) | time=1ms

INFO: Sensor IaC Docker Sensor [iac]

INFO: 0 source files to be analyzed

INFO: 0/0 source files have been analyzed

INFO: Sensor IaC Docker Sensor [iac] (done) | time=55ms

INFO: Sensor Serverless configuration file sensor [security]

INFO: 0 Serverless function entries were found in the project

INFO: 0 Serverless function handlers were kept as entrypoints

INFO: Sensor Serverless configuration file sensor [security] (done) | time=2ms

INFO: Sensor AWS SAM template file sensor [security]

INFO: Sensor AWS SAM template file sensor [security] (done) | time=1ms

INFO: Sensor AWS SAM Inline template file sensor [security]

INFO: Sensor AWS SAM Inline template file sensor [security] (done) | time=0ms

INFO: Sensor javabugs [dbd]

INFO: Reading IR files from: /builds/xxxxxx/xxxxxx/.scannerwork/ir/java

INFO: No IR files have been included for analysis.

INFO: Sensor javabugs [dbd] (done) | time=1ms

INFO: Sensor pythonbugs [dbd]

INFO: Reading IR files from: /builds/xxxxxx/xxxxxx/.scannerwork/ir/python

INFO: No IR files have been included for analysis.

INFO: Sensor pythonbugs [dbd] (done) | time=0ms

INFO: Sensor JavaSecuritySensor [security]

INFO: Enabled taint analysis rules: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5147, S5334, S5883, S6096, S6173, S6287, S6350, S6384, S6390, S6398, S6399, S6547, S6549

INFO: Load type hierarchy and UCFGs: Starting

INFO: Load type hierarchy: Starting

INFO: Reading type hierarchy from: /builds/xxxxxx/xxxxxx/.scannerwork/ucfg2/java

INFO: Read 0 type definitions

INFO: Load type hierarchy: Time spent was 00:00:00.001

INFO: Load UCFGs: Starting

INFO: Load UCFGs: Time spent was 00:00:00.000

INFO: Load type hierarchy and UCFGs: Time spent was 00:00:00.001

INFO: No UCFGs have been included for analysis.

INFO: java security sensor: Time spent was 00:00:00.003

INFO: Sensor JavaSecuritySensor [security] (done) | time=11ms

INFO: Sensor CSharpSecuritySensor [security]

INFO: Enabled taint analysis rules: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5334, S5883, S6096, S6173, S6287, S6350, S6639, S6641

INFO: Load type hierarchy and UCFGs: Starting

INFO: Load type hierarchy: Starting

INFO: Reading type hierarchy from: /builds/xxxxxx/xxxxxx/ucfg_cs2

INFO: Read 0 type definitions

INFO: Load type hierarchy: Time spent was 00:00:00.000

INFO: Load UCFGs: Starting

INFO: Load UCFGs: Time spent was 00:00:00.000

INFO: Load type hierarchy and UCFGs: Time spent was 00:00:00.000

INFO: No UCFGs have been included for analysis.

INFO: csharp security sensor: Time spent was 00:00:00.000

INFO: Sensor CSharpSecuritySensor [security] (done) | time=1ms

INFO: Sensor PhpSecuritySensor [security]

INFO: Enabled taint analysis rules: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5334, S5335, S5883, S6173, S6287, S6350

INFO: Load type hierarchy and UCFGs: Starting

INFO: Load type hierarchy: Starting

INFO: Reading type hierarchy from: /builds/xxxxxx/xxxxxx/.scannerwork/ucfg2/php

INFO: Read 0 type definitions

INFO: Load type hierarchy: Time spent was 00:00:00.000

INFO: Load UCFGs: Starting

INFO: Load UCFGs: Time spent was 00:00:00.000

INFO: Load type hierarchy and UCFGs: Time spent was 00:00:00.000

INFO: No UCFGs have been included for analysis.

INFO: php security sensor: Time spent was 00:00:00.000

INFO: Sensor PhpSecuritySensor [security] (done) | time=1ms

INFO: Sensor PythonSecuritySensor [security]

INFO: Enabled taint analysis rules: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5147, S5334, S5496, S6287, S6350

INFO: Load type hierarchy and UCFGs: Starting

INFO: Load type hierarchy: Starting

INFO: Reading type hierarchy from: /builds/xxxxxx/xxxxxx/.scannerwork/ucfg2/python

INFO: Read 0 type definitions

INFO: Load type hierarchy: Time spent was 00:00:00.000

INFO: Load UCFGs: Starting

INFO: Load UCFGs: Time spent was 00:00:00.000

INFO: Load type hierarchy and UCFGs: Time spent was 00:00:00.000

INFO: No UCFGs have been included for analysis.

INFO: python security sensor: Time spent was 00:00:00.000

INFO: Sensor PythonSecuritySensor [security] (done) | time=1ms

INFO: Sensor JsSecuritySensor [security]

INFO: Enabled taint analysis rules: S6096, S6350, S5131, S5146, S5334, S6105, S2631, S2083, S5147, S3649, S5883, S5144, S5696, S6287, S2076

INFO: Load type hierarchy and UCFGs: Starting

INFO: Load type hierarchy: Starting

INFO: Reading type hierarchy from: /builds/xxxxxx/xxxxxx/.scannerwork/ucfg2/js

INFO: Read 0 type definitions

INFO: Load type hierarchy: Time spent was 00:00:00.004

INFO: Load UCFGs: Starting

INFO: Reading UCFGs from: /builds/xxxxxx/xxxxxx/.scannerwork/ucfg2/js

INFO: Load UCFGs: Time spent was 00:00:01.113

INFO: Load type hierarchy and UCFGs: Time spent was 00:00:01.118

INFO: Analyzing 3166 UCFGs to detect vulnerabilities.

INFO: Check cache: Starting

INFO: Load cache: Starting

INFO: Load cache: Time spent was 00:00:00.000

INFO: Check cache: Time spent was 00:00:00.000

INFO: Create runtime call graph: Starting

INFO: Variable Type Analysis #1: Starting

INFO: Create runtime type propagation graph: Starting

INFO: Create runtime type propagation graph: Time spent was 00:00:00.201

INFO: Run SCC (Tarjan) on 24874 nodes: Starting

INFO: Run SCC (Tarjan) on 24874 nodes: Time spent was 00:00:00.030

INFO: Tarjan found 24874 strongly connected components

INFO: Propagate runtime types to strongly connected components: Starting

INFO: Propagate runtime types to strongly connected components: Time spent was 00:00:00.061

INFO: Variable Type Analysis #1: Time spent was 00:00:00.295

INFO: Variable Type Analysis #2: Starting

INFO: Create runtime type propagation graph: Starting

INFO: Create runtime type propagation graph: Time spent was 00:00:00.141

INFO: Run SCC (Tarjan) on 24874 nodes: Starting

INFO: Run SCC (Tarjan) on 24874 nodes: Time spent was 00:00:00.027

INFO: Tarjan found 24874 strongly connected components

INFO: Propagate runtime types to strongly connected components: Starting

INFO: Propagate runtime types to strongly connected components: Time spent was 00:00:00.030

INFO: Variable Type Analysis #2: Time spent was 00:00:00.200

INFO: Create runtime call graph: Time spent was 00:00:00.500

INFO: Load config: Starting

INFO: Load config: Time spent was 00:00:00.075

INFO: Compute entry points: Starting

INFO: Compute entry points: Time spent was 00:00:00.772

INFO: All rules entry points : 409

INFO: Slice call graph: Starting

INFO: Slice call graph: Time spent was 00:00:00.000

INFO: Live variable analysis: Starting

INFO: Live variable analysis: Time spent was 00:00:00.497

INFO: Taint analysis for js: Starting

INFO: 0 / 3166 UCFGs simulated, memory usage: 162 MB

INFO: 94 / 3166 UCFGs simulated, memory usage: 388 MB

INFO: 177 / 3166 UCFGs simulated, memory usage: 343 MB

INFO: 246 / 3166 UCFGs simulated, memory usage: 517 MB

INFO: 393 / 3166 UCFGs simulated, memory usage: 481 MB

INFO: 422 / 3166 UCFGs simulated, memory usage: 447 MB

INFO: Taint analysis for js: Time spent was 00:00:03.559

INFO: Report issues: Starting

INFO: Report issues: Time spent was 00:00:00.001

INFO: Store cache: Starting

INFO: Store cache: Time spent was 00:00:00.026

INFO: js security sensor: Time spent was 00:00:06.553

INFO: js security sensor: Begin: 2023-11-16T08:42:11.956594824Z, End: 2023-11-16T08:42:18.510224418Z, Duration: 00:00:06.553

Load type hierarchy and UCFGs: Begin: 2023-11-16T08:42:11.956750394Z, End: 2023-11-16T08:42:13.075003131Z, Duration: 00:00:01.118

Load type hierarchy: Begin: 2023-11-16T08:42:11.956768604Z, End: 2023-11-16T08:42:11.960847284Z, Duration: 00:00:00.004

Load UCFGs: Begin: 2023-11-16T08:42:11.960950064Z, End: 2023-11-16T08:42:13.074713541Z, Duration: 00:00:01.113

Check cache: Begin: 2023-11-16T08:42:13.075160041Z, End: 2023-11-16T08:42:13.075855741Z, Duration: 00:00:00.000

Load cache: Begin: 2023-11-16T08:42:13.075234571Z, End: 2023-11-16T08:42:13.075345941Z, Duration: 00:00:00.000

Create runtime call graph: Begin: 2023-11-16T08:42:13.075949611Z, End: 2023-11-16T08:42:13.575980445Z, Duration: 00:00:00.500

Variable Type Analysis #1: Begin: 2023-11-16T08:42:13.076579371Z, End: 2023-11-16T08:42:13.371590453Z, Duration: 00:00:00.295

Create runtime type propagation graph: Begin: 2023-11-16T08:42:13.077544711Z, End: 2023-11-16T08:42:13.278698112Z, Duration: 00:00:00.201

Run SCC (Tarjan) on 24874 nodes: Begin: 2023-11-16T08:42:13.279337012Z, End: 2023-11-16T08:42:13.309401389Z, Duration: 00:00:00.030

Propagate runtime types to strongly connected components: Begin: 2023-11-16T08:42:13.309665469Z, End: 2023-11-16T08:42:13.371421363Z, Duration: 00:00:00.061

Variable Type Analysis #2: Begin: 2023-11-16T08:42:13.373136093Z, End: 2023-11-16T08:42:13.573766035Z, Duration: 00:00:00.200

Create runtime type propagation graph: Begin: 2023-11-16T08:42:13.373174893Z, End: 2023-11-16T08:42:13.514674690Z, Duration: 00:00:00.141

Run SCC (Tarjan) on 24874 nodes: Begin: 2023-11-16T08:42:13.514922290Z, End: 2023-11-16T08:42:13.542608447Z, Duration: 00:00:00.027

Propagate runtime types to strongly connected components: Begin: 2023-11-16T08:42:13.542845247Z, End: 2023-11-16T08:42:13.573595375Z, Duration: 00:00:00.030

Load config: Begin: 2023-11-16T08:42:13.576063394Z, End: 2023-11-16T08:42:13.651410638Z, Duration: 00:00:00.075

Compute entry points: Begin: 2023-11-16T08:42:13.651737778Z, End: 2023-11-16T08:42:14.424699236Z, Duration: 00:00:00.772

Slice call graph: Begin: 2023-11-16T08:42:14.425014166Z, End: 2023-11-16T08:42:14.425068406Z, Duration: 00:00:00.000

Live variable analysis: Begin: 2023-11-16T08:42:14.425148326Z, End: 2023-11-16T08:42:14.922397190Z, Duration: 00:00:00.497

Taint analysis for js: Begin: 2023-11-16T08:42:14.922693640Z, End: 2023-11-16T08:42:18.481867280Z, Duration: 00:00:03.559

Report issues: Begin: 2023-11-16T08:42:18.481923390Z, End: 2023-11-16T08:42:18.483780300Z, Duration: 00:00:00.001

Store cache: Begin: 2023-11-16T08:42:18.483831480Z, End: 2023-11-16T08:42:18.510170778Z, Duration: 00:00:00.026

INFO: js security sensor peak memory: 714 MB

INFO: Sensor JsSecuritySensor [security] (done) | time=6555ms

INFO: ------------- Run sensors on project

INFO: Sensor Analysis Warnings import [csharp]

INFO: Sensor Analysis Warnings import [csharp] (done) | time=1ms

INFO: Sensor Zero Coverage Sensor

INFO: Sensor Zero Coverage Sensor (done) | time=35ms

INFO: CPD Executor 91 files had no CPD blocks

INFO: CPD Executor Calculating CPD for 273 files

WARN: Too many duplication groups on file src/common/constants/countries.ts. Keep only the first 100 groups.

INFO: CPD Executor CPD calculation finished (done) | time=120ms

INFO: Load New Code definition

INFO: Load New Code definition (done) | time=87ms

INFO: SCM writing changed lines

WARN: No merge base found between HEAD and refs/remotes/origin/main

INFO: SCM writing changed lines (done) | time=168ms

INFO: Analysis report generated in 418ms, dir size=6.6 MB

INFO: Analysis report compressed in 644ms, zip size=4.7 MB

INFO: Analysis report uploaded in 804ms

INFO: ------------- Check Quality Gate status

INFO: Waiting for the analysis report to be processed (max 300s)

INFO: QUALITY GATE STATUS: PASSED - View details on https://sonarqube-de.xxxxxx.in/sonar/dashboard?id=xxxxxx_xxxxxx_AYuFkIuaP-vH2EsU2IlS&branch=new-invoice

INFO: Time spent writing ucfgs 1085ms

INFO: Analysis total time: 1:14.580 s

INFO: ------------------------------------------------------------------------

INFO: EXECUTION SUCCESS

INFO: ------------------------------------------------------------------------

INFO: Total time: 1:23.281s

INFO: Final Memory: 197M/680M

INFO: ------------------------------------------------------------------------

section_end:1700124162:step_script

section_start:1700124162:archive_cache

Saving cache for successful job

Creating cache sonarqube-check-non_protected...

.sonar/cache: found 173 matching artifact files and directories

Uploading cache.zip to https://storage.googleapis.com/xxxxxx-gitlab-ci-cache/cache/runner/M8CmnJnY/project/145/sonarqube-check-non_protected

Created cache

section_end:1700124173:archive_cache

section_start:1700124173:cleanup_file_variables

Cleaning up project directory and file based variables

section_end:1700124174:cleanup_file_variables

Job succeeded

Is there any extra configuration needed for Sonar decoration on GitLab?
We are using self-managed/hosted GitLab.

Thanks for the logs, they confirm that the analysis step completed successfully, and this is consistent with the entry you found in your SonarQube logs.

What do you see if you navigate to Administration → Configuration → DevOps Platform Integrations?

In order to be sure that the Decoration works fine you should have something like this:

I already did this.

And if you click again on Check Configuration everything gets refreshed properly with the green checks?

If that is the case I am a bit lost at the moment, because everything is working as expected according to the logs.

Yes, I did. It refreshes with green checks too.

What other things need to be done for this decoration part?

Another thing worth checking is the Dev Ops settings of the specific project, available under Project Settings → General Settings → DevOps Platform Integration:

Another thing worth checking is the privileges on GitLab of the Auth Token used for setting up the integration; in order to work, the decoration needs a token with API privileges, created for a user that has at least the Reporter status in the repository:

Here you can find all the details related to the integration.

Now we are getting a broken icon on GitLab. How do we fix this?

This looks like some connectivity issues between your self-managed GitLab instance and the icons needed for the Merge Request decoration.

If you inspect your browser console, what errors are you getting? I would expect some 404 error codes when the browser tries to render the icons; since you are using an on-premise version of GitLab, the icons will be downloaded from your SonarQube instance.
It seems that this is failing.

Opening the browser console and refreshing the Merge Request page should give logs about what is failing.

GET https://sonars-de.xxxx.in/sonar/static/developer-server/checks/Duplications/NoDuplicationInfo-16px.png 404 (Not Found)
passed-16px.png:1
GET https://sonars-de.xxxx.in/sonar/static/developer-server/checks/QualityGateBadge/passed-16px.png 404 (Not Found)
A-16px.png:1
GET https://sonars-de.xxxx.in/sonar/static/developer-server/checks/RatingBadge/A-16px.png 404 (Not Found)
code_smell-16px.png:1
GET https://sonars-de.xxxx.in/sonar/static/developer-server/common/code_smell-16px.png 404 (Not Found)
security_hotspot-16px.png:1
GET https://sonars-de.xxxx.in/sonar/static/developer-server/common/security_hotspot-16px.png 404 (Not Found)
vulnerability-16px.png:1
GET https://sonars-de.xxxx.in/sonar/static/developer-server/common/vulnerability-16px.png 404 (Not Found)
NoCoverageInfo-16px.png:1
GET https://sonars-de.xxxx.in/sonar/static/developer-server/checks/CoverageChart/NoCoverageInfo-16px.png 404 (Not Found)
bug-16px.png:1
GET https://sonars-de.xxxx.in/sonar/static/developer-server/common/bug-16px.png 404 (Not Found)

Thanks for sharing the errors; as expected, those PNG images cannot be fetched from your SonarQube instance.
Is the Sonar server base URL properly set? This is the URL where your instance is available, right?
https://sonars-de.xxxx.in/sonar

Are you able to reach those URLs when pasting them directly into the browser?

1 Like
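
The base-URL question in the last reply can be checked mechanically. The following is an added example, not part of the thread and not SonarQube code: it parses pasted browser-console output and compares each failed icon URL with the configured Server base URL, assuming (as that reply does) that the icon URLs are derived from that setting. The hostnames are constructed placeholders and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of the console output quoted in the thread;
# the hostnames are placeholders, not values from the page.
CONSOLE_SAMPLE = """\
passed-16px.png:1
GET https://sonar.example.internal/sonar/static/developer-server/checks/QualityGateBadge/passed-16px.png 404 (Not Found)
A-16px.png:1
GET https://sonar.example.internal/sonar/static/developer-server/checks/RatingBadge/A-16px.png 404 (Not Found)
bug-16px.png:1
GET http://sonar.example.internal/static/developer-server/common/bug-16px.png 404 (Not Found)
"""

# "GET <url> <status>" as printed by the browser console for a failed fetch.
FAILED_GET = re.compile(r"GET\s+(\S+)\s+(\d{3})\b")


def failed_requests(console_text):
    """Return (url, status) for every GET line with a 4xx/5xx status."""
    return [(m.group(1), int(m.group(2)))
            for m in FAILED_GET.finditer(console_text)
            if int(m.group(2)) >= 400]


def compare_with_base_url(base_url, asset_url):
    """List the ways asset_url disagrees with the configured base URL."""
    base = urlsplit(base_url.rstrip("/"))
    asset = urlsplit(asset_url)
    expected_prefix = base.path + "/static/"  # context path + static assets
    problems = []
    if asset.scheme != base.scheme:
        problems.append(f"scheme {asset.scheme!r} != {base.scheme!r}")
    if asset.netloc.lower() != base.netloc.lower():
        problems.append(f"host {asset.netloc!r} != {base.netloc!r}")
    if not asset.path.startswith(expected_prefix):
        problems.append(f"path is not under {expected_prefix!r}")
    return problems


def triage(base_url, console_text):
    """Split failed icon URLs by whether they agree with the base URL.

    'consistent' URLs match the setting yet still fail, which points at how
    the instance is exposed (proxy, context path) rather than at the setting.
    'mismatched' URLs were built from a different base than the one given.
    """
    report = {"consistent": [], "mismatched": {}}
    for url, _status in failed_requests(console_text):
        problems = compare_with_base_url(base_url, url)
        if problems:
            report["mismatched"][url] = problems
        else:
            report["consistent"].append(url)
    return report


if __name__ == "__main__":
    result = triage("https://sonar.example.internal/sonar", CONSOLE_SAMPLE)
    for url in result["consistent"]:
        print("matches base URL, still failing:", url)
    for url, problems in result["mismatched"].items():
        print("differs from base URL:", url, "->", "; ".join(problems))
```
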