SonarQube New Code with Reference Branch Option

Scenario:
Recently we noticed our code analysis was failing on new and overall code, and we have a huge amount of project code. We decided to move from New Code and Overall Code conditions on the Quality Gate to New Code only.

We are deciding to have our projects set up as New Code on the Quality Gate Profile at the Portfolio level.

However, this POC also ran into an issue. When the scan comes through and has an issue or hotspot, it will fail. Now if the code is rerun with another line to be evaluated, and the first vulnerability (issue or hotspot) is not fixed, SonarQube passes the analysis without looking at the previous vulnerability if there are no other issues found.

Now we discovered there is a reference branch option at the project level, which lets you scan the code, keeps track of each commit, and does not allow the analysis to pass if the vulnerability still exists on the next rerun.

While this works, it is at a project level, and we would like to apply it from the Portfolio level, across all portfolios and projects and for any new project or portfolio created. Please note we have Enterprise Edition and have a huge number of projects that need this to be applied.

What is the recommended course of action to apply the reference branch for the New Code gate?

Hi,

It sounds like you’re using a “previous version” New Code definition. This resets what’s considered “new” each time the project’s sonar.projectVersion string changes. At a guess, you’re passing something like your build string in as the sonar.projectVersion, and thus resetting both the version and what’s considered “new” with each analysis. Regardless of your New Code definition, we don’t consider this a best practice.

You can certainly set a default New Code definition for the instance, but your choices at this level are previous version and a fixed number of days. Why can’t you set reference branch? Because there’s no guarantee that any given branch will exist in all projects. Plus, a branch can’t reference itself; it needs a different new code definition.

Further, you can’t set a new code definition at the portfolio level. That can only be set at the project level.

You mention needing to configure a large number of projects. You may want to script this with the API. The best way to master the API is to perform the desired action via the UI and eavesdrop to see which calls the UI made to accomplish the action.

You may also find this guide helpful.

HTH,
Ann
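One way to script the project-level configuration the answer describes, as an added example that is not part of this thread or of SonarSource's own tooling. It assumes the public Web API endpoints `api/projects/search`, `api/project_branches/list` and `api/new_code_periods/set` (with `type=REFERENCE_BRANCH`), a user token with administer-system permission, and the placeholder instance URL and branch name shown; the planning step is kept separate from the HTTP calls so it can be checked offline, and it skips projects where the reference branch does not exist, which is the caveat the answer raises.

```python
"""Bulk-apply a REFERENCE_BRANCH New Code definition to every SonarQube project.

Run with no arguments for a dry run; pass --apply to actually change definitions.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Constructed placeholders (assumptions): point these at your own instance.
SONAR_URL = os.environ.get("SONAR_URL", "https://sonarqube.example.invalid")
SONAR_TOKEN = os.environ.get("SONAR_TOKEN", "")
REFERENCE_BRANCH = os.environ.get("SONAR_REF_BRANCH", "main")


def _call(path, params, method="GET"):
    """Issue one Web API call; a SonarQube token is sent as the basic-auth username."""
    query = urllib.parse.urlencode(params)
    url = f"{SONAR_URL.rstrip('/')}/{path}"
    data = None
    if method == "POST":
        data = query.encode()
    else:
        url = f"{url}?{query}"
    req = urllib.request.Request(url, data=data, method=method)
    cred = base64.b64encode(f"{SONAR_TOKEN}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def list_all_project_keys():
    """Page through api/projects/search and collect every project key."""
    keys, page = [], 1
    while True:
        result = _call("api/projects/search", {"p": page, "ps": 500})
        keys.extend(c["key"] for c in result["components"])
        paging = result["paging"]
        if page * paging["pageSize"] >= paging["total"]:
            return keys
        page += 1


def branch_names(project_key):
    """Names of the branches SonarQube knows for one project."""
    result = _call("api/project_branches/list", {"project": project_key})
    return [b["name"] for b in result["branches"]]


def plan_reference_branch(branches_by_project, ref_branch):
    """Decide, per project, whether the reference-branch definition can be applied.

    Returns (to_set, skipped): to_set holds parameter dicts for
    api/new_code_periods/set; skipped holds project keys that have no branch
    named ref_branch, where the definition would point at nothing.
    """
    to_set, skipped = [], []
    for key, names in sorted(branches_by_project.items()):
        if ref_branch in names:
            to_set.append({"project": key, "type": "REFERENCE_BRANCH", "value": ref_branch})
        else:
            skipped.append(key)
    return to_set, skipped


def apply(dry_run=True):
    """Fetch the project inventory, plan, and (unless dry_run) push the definitions."""
    branches_by_project = {k: branch_names(k) for k in list_all_project_keys()}
    to_set, skipped = plan_reference_branch(branches_by_project, REFERENCE_BRANCH)
    for params in to_set:
        print(("DRY-RUN " if dry_run else "SET ") + json.dumps(params))
        if not dry_run:
            # The reference branch itself cannot reference itself; give it its own
            # definition with the same endpoint and a "branch" parameter if needed.
            _call("api/new_code_periods/set", params, method="POST")
    for key in skipped:
        print(f"SKIP {key}: no branch named {REFERENCE_BRANCH!r}")
    return to_set, skipped


if __name__ == "__main__":
    apply(dry_run="--apply" not in sys.argv)
```

Run it once without `--apply` and review the SKIP lines: those are the projects where a portfolio-wide reference branch could never have worked, which is exactly why the instance-level default does not offer that choice. Projects created later are not covered automatically; rerun the script (or hook it into project provisioning) to keep new projects consistent.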