SonarQube doesn't leave comments in GitLab MR decorations

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube Server / Community Build, Scanner, Plugin, and any relevant extension): 10.8 (Enterprise)
  • how is SonarQube deployed: zip
  • what are you trying to achieve: see below
  • what have you tried so far to achieve this: see below

Hello!

I’ve integrated some of my SonarQube projects with GitLab in order to get my merge requests decorated. What I see is that besides the QG status and a very small amount of info, there is no useful information about what’s wrong or not with my code.
Here’s what my job looks like:

sonarqube_check_merge_request:
  stage: sonarqube
  image: "$GRADLE_IMAGE"
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "master"'
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"
    PROXY_EXCLUDE: "something, something"
    GIT_FETCH_EXTRA_FLAGS: --depth=10000
  cache:
    - key: gradle
      paths:
        - build/libs/*.jar
    - key: "${CI_JOB_NAME}"
      paths:
        - .sonar/cache
  script:
    - "gradle 
      -Dhttp.nonProxyHosts=${PROXY_EXCLUDE} 
      -Dhttps.nonProxyHosts=${PROXY_EXCLUDE} sonarqube
      -Dsonar.host.url=${SONAR_HOST_URL}
      -Dsonar.login=${SONAR_LOGIN}
      -Dsonar.projectName=${CI_PROJECT_PATH}
      -Dsonar.projectKey=${CI_PROJECT_NAME}
      -Dsonar.pullrequest.key=${CI_MERGE_REQUEST_IID}
      -Dsonar.pullrequest.branch=${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}
      -Dsonar.pullrequest.base=${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}
      -Dsonar.qualitygate.wait=true
      -Dsonar.java.binaries=build/libs/*.jar
      -Dsonar.exclusions=**/*.sql"

Now, when the merge request pipeline finishes, I see the following report in Activities (and nothing else at all):

screenshot

What I expect is that Sonar must create at least one more comment which will explain what exactly is wrong with the code. Can’t figure out why it doesn’t do that; I used to see that on another, older installation at my previous workplace.
I’m trying to solve the problem of developers needing to visit the SonarQube web interface each time they get a negative score from QG checks. It would be really handy if they could just look in the comments.

Did something change? Did I misconfigure something?

Hey there.

What you see is the result of MR decoration. Currently, SonarQube does not leave individual comments for issues – it only leaves the summary comment.