SonarQube New Code with Reference Branch Option

Scenario:
Recently we noticed our code analysis was failing on new and overall code, and we have a huge amount of project code. We decided to move from New Code and Overall Code conditions on the Quality Gate to New Code only.

We are deciding to have our projects set up as New Code on the Quality Gate Profile at the Portfolio level.

However, this POC also ran into an issue. When the scan comes through and has an issue or hotspot, it will fail. Now if the code is rerun with another line to be evaluated, with the 1st vulnerability (issue or hotspot) not being fixed, SonarQube passes the analysis without looking at the previous vulnerability if there are no other issues found.

Now we discovered there is a reference branch option at the project level, which lets you scan the code and keeps track of each commit and does not allow the analysis to pass if the vulnerability still exists on the next rerun.

While this works, it is at a project level, and we would like to apply it from the Portfolio level, across all portfolios and projects and for any new project or portfolio created. Please note we have Enterprise Edition and have a huge number of projects that need this to be applied.

What is the recommended course of action to apply the reference branch for the New Code gate?

Hi,

It sounds like you’re using a “previous version” New Code definition. This resets what’s considered “new” each time the project’s sonar.projectVersion string changes. At a guess, you’re passing something like your build string in as the sonar.projectVersion, and thus resetting both the version and what’s considered “new” with each analysis. Regardless of your New Code definition, we don’t consider this a best practice.

You can certainly set a default New Code definition for the instance, but your choices at this level are previous version and a fixed number of days. Why can’t you set reference branch? Because there’s no guarantee that any given branch will exist in all projects. Plus, a branch can’t reference itself; it needs a different new code definition.

Further, you can’t set a new code definition at the portfolio level. That can only be set at the project level.

You mention needing to configure a large number of projects. You may want to script this with the API. The best way to master the API is to perform the desired action via the UI and eavesdrop to see which calls the UI made to accomplish the action.

You may also find this guide helpful.

 
HTH,
Ann
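Ann's suggestion to script the project-level change with the Web API, as an added example that is not from the thread or from SonarSource. It assumes two documented endpoints, `api/projects/search` (GET, paginated with `p`/`ps`, returning `components` and `paging`) and `api/new_code_periods/set` (POST with `project`, `type`, `value`), a user token with administer permission on the projects, and a reference branch named `main`; all of these are assumptions to verify against your own instance (the "eavesdrop on the UI" approach above is the way to confirm them). The HTTP calls are injected as parameters so the pagination and per-project logic can be exercised offline.

```python
"""Bulk-apply a REFERENCE_BRANCH New Code definition to every project via the Web API.

Assumed endpoints (not quoted in the thread): GET api/projects/search and
POST api/new_code_periods/set. The token is sent as the Basic-auth username with
an empty password, which is how SonarQube user tokens are presented.
"""
import base64
import json
import urllib.parse
import urllib.request

PAGE_SIZE = 100  # api/projects/search caps ps at 500; 100 keeps each page small


def auth_header(token):
    """Basic auth header carrying a SonarQube user token (username=token, password empty)."""
    raw = base64.b64encode(f"{token}:".encode()).decode()
    return {"Authorization": f"Basic {raw}"}


def default_get(base_url, path, params, token):
    """GET base_url/path?params and decode the JSON body."""
    url = f"{base_url.rstrip('/')}/{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers=auth_header(token))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def default_post(base_url, path, params, token):
    """POST form-encoded params to base_url/path and return the HTTP status."""
    url = f"{base_url.rstrip('/')}/{path}"
    data = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(url, data=data, headers=auth_header(token), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def list_project_keys(base_url, token, get=default_get):
    """Walk api/projects/search page by page and return every project key."""
    keys, page = [], 1
    while True:
        body = get(base_url, "api/projects/search", {"p": page, "ps": PAGE_SIZE}, token)
        keys.extend(c["key"] for c in body.get("components", []))
        paging = body["paging"]
        # Stop once the pages seen so far cover the reported total.
        if page * paging["pageSize"] >= paging["total"]:
            return keys
        page += 1


def set_reference_branch(base_url, token, project_key, reference_branch, post=default_post):
    """Set the project-level New Code definition to 'compared to reference_branch'."""
    params = {"project": project_key, "type": "REFERENCE_BRANCH", "value": reference_branch}
    return post(base_url, "api/new_code_periods/set", params, token)


def apply_to_all_projects(base_url, token, reference_branch, get=default_get, post=default_post):
    """Apply the reference-branch definition to every project; returns {key: http_status}."""
    results = {}
    for key in list_project_keys(base_url, token, get):
        results[key] = set_reference_branch(base_url, token, key, reference_branch, post)
    return results


if __name__ == "__main__":
    import os
    import sys
    # Hypothetical environment variables; real values come from your own instance.
    base = os.environ.get("SONAR_URL", "https://sonarqube.example.invalid")
    tok = os.environ["SONAR_TOKEN"]
    outcome = apply_to_all_projects(base, tok, sys.argv[1] if len(sys.argv) > 1 else "main")
    for project, status in sorted(outcome.items()):
        print(f"{project}: HTTP {status}")
```

Run it once for existing projects; projects created later are not covered, so it would need to be re-run (or triggered on project creation) to meet the "any new project" requirement in the question. Because a branch cannot be its own reference, the reference branch itself still needs a different definition, exactly as Ann notes.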

Hi!

I have the same error:
My SonarQube is set to use the reference branch new code definition (sonar.newCode.referenceBranch is correctly set in my yaml pipeline to “main”) and when I run the CI pipeline for the first time on a branch that is not the reference branch, the new code is correctly defined (I can see “New Code: Compared to main” in the web view).

But if I rerun immediately, without adding any commit, SonarQube tells me that there is 0 “New Lines to cover”. Also if I had rerun after adding a new commit, only the code modified by this commit would have been shown in the new code.

ATripathy have you found a way to solve this?

ganncamp I don’t think that I have a sonar.projectVersion issue because I don’t set this variable in my pipeline and also because in the “Activity” panel in the web view, all of my analyses are tagged as “Version: 1.0”.

Do you have any idea to help us solve this issue?

Hi @murdurn,

Welcome to the community!

You’ve resurrected a topic that’s 3 months old; even worse, it’s with a topic that’s slightly different. Per the FAQ, please don’t do that. Please create a new thread with all your details.

 
Thx,
Ann