SonarQube issue was not found during the PR scan

SonarQube Developer Edition 9.9.2 LTS
Sonar-scanner 5.0.1.3006
Jenkins 2.414.3 LTS
SonarQube Scanner for Jenkins plugin 2.15
SonarQube deployed inside Kubernetes with Docker image

Hi Community.
Please help us solve a weird issue with SonarQube. SonarQube did not find any issues during the PR scan, but after merging the feature branch into master, new issues appeared in the master branch.
Here is how the issue flow looks:

  1. Jenkins performs the PR scan during the pipeline and SonarQube does not find any issues in the feature branch:
Build #2 SomeProject (14 Nov 2023, 21:21:07)
21:44:10.551  Checking status of SonarQube task 'AYvPXLc8DjRFpZBTZZZZ' on server 'SonarQube'
21:44:10.588  SonarQube task 'AYvPXLc8DjRFpZBTZZZZ' status is 'SUCCESS'
21:44:10.707  SonarQube task 'AYvPXLc8DjRFpZBTZZZZ' completed. Quality gate is 'OK'
  2. After the successful PR scan we merged the feature branch into the master branch.
  3. The previous master branch scan was successful without any issues:
Build #1060 SomeProject (14 Nov 2023, 02:38:29)
02:49:01.413  Checking status of SonarQube task 'AYvLTWXFDjRFpZBTZZZZ' on server 'SonarQube'
02:49:01.435  SonarQube task 'AYvLTWXFDjRFpZBTZZZZ' status is 'SUCCESS'
02:49:01.446  SonarQube task 'AYvLTWXFDjRFpZBTZZZZ' completed. Quality gate is 'OK'
  4. After the merge into master, Jenkins runs the SonarQube scan for the master branch and finds new issues, even though it didn’t find them in the PR scan:
Build #1061 SomeProject (15 Nov 2023, 02:38:23)
03:05:09.797  Checking status of SonarQube task 'AYvQgpOTDjRFpZBT6ZZZZ' on server 'SonarQube'
03:05:09.813  SonarQube task 'AYvQgpOTDjRFpZBTZZZZ' status is 'SUCCESS'
03:05:09.825  SonarQube task 'AYvQgpOTDjRFpZBTZZZZ' completed. Quality gate is 'ERROR'

There were no changes to the Quality Gate conditions or the SonarQube rules between these scans.
Could you please help us find the reason for this SonarQube behaviour, and how we can fix it?

Thank you for advice!

Hey there.

When you ran the pull request analyses (where you expected these issues to be raised), were new lines detected? Any analysis warnings?

In addition, can you give some examples of issues that were only raised on a main branch analysis?

  1. New lines were found, but there were no newly created issues found during the PR scan.

  2. Master scan after merge:

The issues that have been found:

2nd function call argument is an uninitialized value
The left operand of '+' is a garbage value
1st function call argument is an uninitialized value
Assigned value is garbage or undefined
Assigned value is garbage or undefined
The left operand of '+' is a garbage value
The right operand of '-' is a garbage value
Assigned value is garbage or undefined
Returned pointer value points outside the original object (potential buffer overflow)

Well – we can say for sure that some issues were found during the PR scan (the 19 new code smells indicated in your first screenshot) – but it’s true that wouldn’t match the bugs present on your master branch.

Are the lines of code that those bugs were raised on making up the new code in the Code tab of your pull request analysis? Are there any files missing from that Code tab that you expected to make up part of your pull request analysis?