SonarQube PR analysis not working correctly

Hello Team,

I’m using SonarQube 9.9 integrated with Jenkins and Bitbucket cloud.

We use Jenkins multibranch pipeline for branch and PR analysis.

We have a scenario wherein a user committed a change in a Bitbucket feature branch and synced the code from develop to the feature branch to get the latest code, which caused another merge commit. But since the latest merge commit is for files already existing in develop, Sonar should not be analyzing additional files but should be analyzing only the differential code from develop. But in our scenario Sonar is also analyzing the files which were committed to the feature branch during the sync process.
And the strange thing is I do not find the actual modified files in Sonar → code dashboard.

Is there anything we are missing in the configuration that is preventing Sonar from analyzing only differential files or displaying the actual modified files?

Please advise.

FYI, we have the below configured for the Jenkins multibranch pipeline job:
Discover pull requests from origin: The current pull request revision is selected.

Thanks in advance!!

This is the important thing to focus on – you don’t have control over what is analyzed by the scanner (it’s more complicated than “just the modified files”, but in some cases a cache can be used to speed up the analysis of files that are already analyzed on the SonarQube server).

What do the logs say about detecting changed files/lines? DEBUG level logs may help as well (sonar-scanner -X)

12:41:18.612 INFO: SCM collecting changed files in the branch
....
12:41:18.853 INFO: SCM collecting changed files in the branch (done) | time=241ms
12:41:18.853 DEBUG: SCM reported 0 files changed in the branch
.....
12:53:30.951 DEBUG: SCM revision ID 'ef59fea67a9a6b4e6ed8a94411fffff7b72e0f3f'
12:53:31.006 INFO: SCM writing changed lines
12:53:31.007 DEBUG: loading config FileBasedConfig[/proj/jenkins/.config/jgit/config]
12:53:31.030 DEBUG: Merge base sha1: d928d2561a496207fff30bcbe888ecaf1a29e2f6
12:53:31.031 DEBUG: SCM reported changed lines for 0 files in the branch
12:53:31.031 INFO: SCM writing changed lines (done) | time=25ms

Any warnings, informational messages, unexpected results?

Hello Colin,

I do not see any information regarding the additional files added.

Even today we received a PR wherein SonarQube is analyzing additional files and displaying the below issues:

Split this 2806 characters long line (which is greater than 256 authorized).

class "*" has 60 methods, which is greater than the 35 authorized. Split it into smaller classes.

When I check on the SonarQube UI for the additional files reported, it displays a message that it was committed on so and so date, and that date is the same date that the developer committed his changes.

Example: There are 3 files: File A, B and C.
Dev commits changes to file A, but file B is also added and reports the below issues, and it is displayed that the code was committed on the same day as it was for file A, but I don’t see any commits to this file in git:

Split this 2806 characters long line (which is greater than 256 authorized).

class "*" has 60 methods, which is greater than the 35 authorized. Split it into smaller classes.

File C is also reported under lines to cover, and it is displayed that the code was committed on the same day as it was for file A, but I don’t see any commits to this file in git.

Regards
Ramya