SonarQube - fails in one branch but passes in cloned branch (should it fail for both?)

Hi,

I need some help with SonarQube Server.

SonarQube server version: Community Edition, Version 8.7 (build 41497)
SonarScanner: Maven plugin sonar-maven-plugin:3.8.0.2131

From the develop branch I create branch A, add 2 commits to it with duplicates, run the scanner, and get a red quality gate (as expected, because there are too many duplicates).
Now I create branch B from branch A, run the scan again in branch B, and now get green (even though the issues are present in both branches).
Important: the Sonar scanner uses a unique project key/name for each branch, so they should not overwrite each other (although the report UI always displays the master branch).

Has anyone come across this behaviour before?
Is this a limitation of the Community version?

Hi @constantin ,

Is your quality gate set up to only fail on new code, or on all code? If the quality gate is set only for new code, it will not fail in branch B since this is the first analysis there and there’s no new code to fail on yet.

You can also check your project settings to see how SonarQube determines what counts as “new code”, i.e. based on a version number, date, or diff to another branch.

Edit: You should update the 8.7 version to either 8.9.6 LTS or 9.2.4 asap - there’s a major vulnerability in your version (log4j) that’s been fixed in the above versions.

2 Likes

Thanks, I’ve just upgraded SQ version to 8.9.6 as you suggested.

I’m using the default built-in Quality Gate (QG) named “Sonar way”, which is configured for “Conditions on New Code”. Should I create another QG and add Conditions on Overall Code, as I cannot edit the default one?

Specifically I’m looking for Coverage & Duplicated Lines %.

After adding Coverage & Duplicated Lines % conditions on Overall Code, branch B fails on a re-run of the scan.

Great! Yes, creating your own quality gate and adding conditions for Overall Code is the way to go for this.

1 Like
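The exchange above boils down to one check: a gate whose conditions are all on new code cannot fail the first analysis of a freshly cloned branch, because no new-code measures exist yet. The script below is an added example (not SonarSource code) that audits a gate's conditions for exactly that, and replays the thread's two branches against the built-in "Sonar way" gate and a custom gate with the two Overall Code conditions added. The gate JSON shapes are constructed to mirror what `api/qualitygates/show` returns; the "condition with a missing measure is skipped" rule is an assumption that models SonarQube's first-analysis behaviour, and `fetch_gate` is an assumed helper for pulling a real gate from a server.

```python
"""Audit a SonarQube quality gate for the first-analysis trap discussed in
this thread.  Added example, not SonarSource code.

Assumptions (not taken from the page):
  * SonarQube new-code metric keys carry a ``new_`` prefix
    (new_coverage, new_duplicated_lines_density, ...).
  * A condition whose measure is absent from the analysis is skipped,
    which is how a new-code-only gate ends up "OK" on a fresh project.
"""
import base64
import json
import urllib.parse
import urllib.request
from typing import Dict, List, Optional, Tuple

# Constructed sample: the built-in "Sonar way" gate, conditions on new code only.
SONAR_WAY = {
    "name": "Sonar way",
    "conditions": [
        {"metric": "new_coverage", "op": "LT", "error": "80"},
        {"metric": "new_duplicated_lines_density", "op": "GT", "error": "3"},
        {"metric": "new_maintainability_rating", "op": "GT", "error": "1"},
        {"metric": "new_reliability_rating", "op": "GT", "error": "1"},
        {"metric": "new_security_rating", "op": "GT", "error": "1"},
        {"metric": "new_security_hotspots_reviewed", "op": "LT", "error": "100"},
    ],
}

# Constructed sample: a custom gate with the two Overall Code conditions added.
CUSTOM_GATE = {
    "name": "Sonar way + overall code",
    "conditions": SONAR_WAY["conditions"] + [
        {"metric": "coverage", "op": "LT", "error": "80"},
        {"metric": "duplicated_lines_density", "op": "GT", "error": "3"},
    ],
}

# Constructed measures.  Branch A on its second analysis has new-code measures;
# branch B on its first analysis has only overall-code measures.
BRANCH_A_SECOND_RUN = {"new_duplicated_lines_density": 25.0, "new_coverage": 10.0,
                       "duplicated_lines_density": 25.0, "coverage": 10.0}
BRANCH_B_FIRST_RUN = {"duplicated_lines_density": 25.0, "coverage": 10.0}


def is_new_code_metric(metric: str) -> bool:
    """SonarQube names new-code metrics with a ``new_`` prefix (assumption)."""
    return metric.startswith("new_")


def split_conditions(gate: dict) -> Tuple[List[dict], List[dict]]:
    """Return (new_code_conditions, overall_code_conditions) for a gate."""
    new_code = [c for c in gate["conditions"] if is_new_code_metric(c["metric"])]
    overall = [c for c in gate["conditions"] if not is_new_code_metric(c["metric"])]
    return new_code, overall


def gate_is_new_code_only(gate: dict) -> bool:
    """True when the gate has nothing that can fail a first analysis."""
    _, overall = split_conditions(gate)
    return not overall


def condition_fails(cond: dict, value: Optional[float]) -> Optional[bool]:
    """None when the measure is absent (condition skipped), else whether it fails."""
    if value is None:
        return None
    threshold = float(cond["error"])
    if cond["op"] == "GT":
        return value > threshold
    if cond["op"] == "LT":
        return value < threshold
    raise ValueError(f"unsupported operator {cond['op']!r}")


def evaluate_gate(gate: dict, measures: Dict[str, float]) -> str:
    """'ERROR' if any evaluable condition fails, otherwise 'OK'."""
    for cond in gate["conditions"]:
        if condition_fails(cond, measures.get(cond["metric"])):
            return "ERROR"
    return "OK"


def fetch_gate(base_url: str, gate_name: str, token: str) -> dict:
    """Assumed helper: read a real gate via api/qualitygates/show?name=...
    using a user token as the basic-auth user name with an empty password."""
    url = f"{base_url.rstrip('/')}/api/qualitygates/show?name={urllib.parse.quote(gate_name)}"
    req = urllib.request.Request(url)
    creds = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {creds}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for gate in (SONAR_WAY, CUSTOM_GATE):
        flag = "new-code only, passes any first analysis" if gate_is_new_code_only(gate) else "has overall-code conditions"
        print(f"{gate['name']}: {flag}")
        print(f"  branch A (2nd run): {evaluate_gate(gate, BRANCH_A_SECOND_RUN)}")
        print(f"  branch B (1st run): {evaluate_gate(gate, BRANCH_B_FIRST_RUN)}")
```

Running it reproduces the thread: "Sonar way" is ERROR on branch A but OK on branch B's first run, while the custom gate is ERROR on both. Pointing `fetch_gate` at a real server and passing the result to `gate_is_new_code_only` turns the same check into a quick audit of every gate you rely on.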

There is a setting called “Cross project duplication detection” which is marked as DEPRECATED.
Is my understanding correct that, with this option turned on (the default), if some duplications are detected on branch A (project A), then the same duplication won’t be reported in New Code when I run the scan against branch B (project B)?

Hi @constantin ,

I don’t think that’s quite how it works - rather, it would detect code in project A that’s duplicated in project B, and report this duplication in both projects.

I’d advise against starting to use a deprecated feature though. This was marked as deprecated in version 6.7, so may disappear completely soon:
https://jira.sonarsource.com/browse/SONAR-9931

If you need cross-project reporting, you may want to look at the portfolio management features in the Enterprise Edition instead:
https://docs.sonarqube.org/latest/user-guide/portfolios/

1 Like

Thank you @cba