I’ve started noticing some rather disturbing results on the projects I’ve started to analyze with Sonarqube - only the main branch was being analyzed. How do I know this? Well, there is only code in the main branch and none in the short-lived branches. Also, for the main branch, there would be some value for the vulnerabilities (I’m working on porting stuff from the community edition to the developer edition) and addressing the vulnerabilities along the way.
Basically, we’re using maven and importing one project into another. In the parent project’s pom.xml we have several <sonar.* /> tags. In the other projects we declared the parent project.
In the parent project pom.xml, we have this:
I am not sure that there’s only one problem in your post.
Let’s start by fixing one thing I noticed.
When using the scanner for Maven you don’t have to define the <sonar.sources> and <sonar.tests> properties in the pom.xml. These are automatically deduced by the scanner for Maven based on the available Maven environment information. Manually defining these is much more error-prone than letting the scanner find out by itself.
I recommend that you change your pom.xml as per the above first before we look at the rest. To me the fact that your branches are not scanned is an unrelated problem, but let’s troubleshoot based on a properly defined pom.
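As an added illustration (not the poster’s pom.xml, which is not shown in the thread), a minimal parent pom in the shape the reply above recommends: the plugin version is the one named later in the thread, the groupId, artifactId and host URL are placeholders, and the two properties the reply says to drop are shown commented out so the before/after is visible in one file.

```xml
<!-- Parent pom.xml (constructed example). Child modules declare this as
     their <parent>; the scanner for Maven is run with:
       mvn clean verify sonar:sonar -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>             <!-- placeholder -->
  <artifactId>parent</artifactId>            <!-- placeholder -->
  <version>1.0.0-SNAPSHOT</version>
  <packaging>pom</packaging>

  <properties>
    <!-- Server-level settings are fine to inherit from the parent. -->
    <sonar.host.url>https://sonarqube.example.internal</sonar.host.url> <!-- placeholder -->

    <!-- REMOVED, per the reply above: the scanner derives sources and tests
         from each module's own Maven build configuration, so hard-coding
         them in the parent is unnecessary and error-prone.
    <sonar.sources>src/main/java</sonar.sources>
    <sonar.tests>src/test/java</sonar.tests>
    -->
  </properties>

  <build>
    <pluginManagement>
      <plugins>
        <!-- Pin the scanner version so every module analyzes the same way. -->
        <plugin>
          <groupId>org.sonarsource.scanner.maven</groupId>
          <artifactId>sonar-maven-plugin</artifactId>
          <version>3.7.0.1746</version>
        </plugin>
      </plugins>
    </pluginManagement>
  </build>
</project>
```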
I have removed the <sonar.sources> and <sonar.tests> properties from the parent project’s pom.xml file and re-run the child project’s analysis. The sonar-maven-plugin version in use is the latest, 3.7.0.1746. It’s good to know the recommended approach is to let the maven sonarqube plugin figure this out for itself.