SonarQube email notifications don't include some issues

Hi, I’m running SonarQube analysis with Sonar Scanner for Jenkins. After each analysis, all the project’s new issues are shown in SonarQube console, but I have verified that sometimes some of these issues (also Blocker or Critical) are not included in email notifications or are included with 0 impacted files:

Rules
  Security - Potential JDBC Injection (java): 1
  Security - A malicious XSLT could be provided (java): 0
Most impacted files
  Loader.java: 1
  TestSonarQ2.java: 0

I haven’t been able to determine the conditions under which this happens. In this way, email notifications are incomplete and can’t be used by developers as a reliable tool. Do you have any suggestion to solve this issue?
Thanks,
Paola

Hi Paola,

Welcome to the community!

I guess we’re talking about the “new issues” notification? Can you double-check the “missed” issues and see what the issue creation dates are versus when your project’s New Code Period started? I think this may be about “new” rather than about “Issues”.

 
Ann

Hi Ann,
you’re right. I’m talking about ‘new issues’ notifications.
The “missed issues” creation date is November 20, 2020, 11:49 AM. The project’s New Code Period is “previous_version”.
I can’t understand why a file having 10 new issues displayed in SonarQube console is included in email notification as impacted file with 0 issues.

Paola

Hi Paola,

I’d like to explore this for a moment. Does your sonar.projectVersion value change with each analysis? I.e. are you passing in a build string here, or truly a version? Because if it’s the former, each analysis is a new “version”.

Tangentially, what SonarQube version are you on? Newer versions make it really easy to understand what’s in the New Code Period on the Activities page. E.G.:

Selection_999(341)

 
Ann

Hi Ann,
sonar.projectVersion is not set for my project (it isn’t a maven project).
I am on SonarQube Community EditionVersion 7.9.3 (build 33349).
In Activities page I have no information about the New Code Period, I see only ‘Version not provided’.
The last analysis (November 20, 2020, 11:12 PM) on a project (Version not provided) with new classes created to test SonarQube behaviour (November 20, 2020, 5:31 PM) hasn’t notified vulnerability issues via email; the issues are displayed only in SonarQube console.

image
image

Paola

Hi Paola,

Your project homepage should tell you when the New Code Period starts. Could you double-check that, please?

 
Ann

Hi Ann,
in the project’s homepage I find: “New code: since previous version started 7 months ago (starting on April 29, 2020)”.

Paola

Hi Ann,
do you need further information to continue investigating my problem?

Paola

Hi Ann,
do you have any news on the problem I reported?
Thanks,
Paola