Hi, I’m running SonarQube analysis with Sonar Scanner for Jenkins. After each analysis, all the project’s new issues are shown in SonarQube console, but I have verified that sometimes some of these issues (also Blocker or Critical) are not included in email notifications or are included with 0 impacted files:
Rules
Security - Potential JDBC Injection (java): 1
Security - A malicious XSLT could be provided (java): 0
Most impacted files
Loader.java: 1
TestSonarQ2.java: 0
I haven’t been able to determine the conditions under which this happens. In this way, email notifications are incomplete and can’t be used by developers as a reliable tool. Do you have any suggestion to solve this issue?
Thanks,
Paola
I guess we’re talking about the “new issues” notification? Can you double-check the “missed” issues and see what the issue creation dates are versus when your project’s New Code Period started? I think this may be about “new” rather than about “Issues”.
Hi Ann,
you’re right. I’m talking about ‘new issues’ notifications.
The “missed issues” creation date is November 20, 2020, 11:49 AM. The project’s New Code Period is “previous_version”.
I can’t understand why a file having 10 new issues displayed in SonarQube console is included in email notification as impacted file with 0 issues.
I’d like to explore this for a moment. Does your sonar.projectVersion value change with each analysis? I.e. are you passing in a build string here, or truly a version? Because if it’s the former, each analysis is a new “version”.
Tangentially, what SonarQube version are you on? Newer versions make it really easy to understand what’s in the New Code Period on the Activities page. E.G.:
Hi Ann,
sonar.projectVersion is not set for my project (it isn’t a maven project).
I am on SonarQube Community Edition Version 7.9.3 (build 33349).
In Activities page I have no information about the New Code Period, I see only ‘Version not provided’.
The last analysis (November 20, 2020, 11:12 PM) on a project (Version not provided) with new classes created to test SonarQube behaviour (November 20, 2020, 5:31 PM) hasn’t notified vulnerability issues via email; the issues are displayed only in SonarQube console.
I am also experiencing the same issue: the vulnerability count is not updated in the email notification from SonarQube. Any update to this thread will help.