I’m using SonarQube EE v10.5 and I have a weird issue on a git repository that I’m scanning with SonarScanner CLI.
This repo is having only some kubernetes yaml files with some harcoded passwords in and the sonarqube report for overall code is showing “0” for almost everything (I guess this is caused by all yaml files are not having required fields to be recognized as kubernetes files) except for 7 critical Security issue that are all 7 passwords in those files.
It appears that the main branch has not been scanned, or SonarQube has not recognized this as the main branch of the repository. You can find the actual branch name at the top of the project’s landing page.
To see the summary on the home page, you can either scan the main branch of the repository or mark this branch as the main branch.
Here is the doc link for setting a branch as main branch
Also, SonarQube v10.5 is EOL, please consider upgrading to the LTA/latest version.
This should be normal as the repo is only having YAML files that are not identified as Kubernetes files and no other languages are identified by sonar scanner.
If it’s confirmed to be normal… so why the internal report is showing 7 vulnerabilities and the same are not showed in the summary?
I assume that “almost everything” includes LOC. We use a sentinel metric for knowing whether or not a branch/project is empty, and if your files aren’t recognized as Kubernetes, that would explain why they’re not counted.
