Trouble getting PR decoration working with SonarQube Server 2025.1 LTS and Azure DevOps

Must-share information (formatted with Markdown):

which versions are you using (SonarQube Server / Community Build, Scanner, Plugin, and any relevant extension)

- SonarQube Server Developer Edition v2025.1.4 (113907)

how is SonarQube deployed: zip, Docker, Helm

- Zip

what are you trying to achieve

- SonarQube branch analysis with Pull Request Decoration in an Azure Devops ecosystem in a Maven build. Everything appears to run correctly, and I even get quality gate status back, but I don’t get comments on my PR.

what have you tried so far to achieve this

• Updated to the latest patch version of SonarQube 2025.1 LTS

• Updated to the latest version of the sonarqube-maven-plugin

• Refreshed the connection on the ADO service Connection to SonarQube and confirmed the token works.

• Refreshed the Sonarqube token to ADO and confirmed the token works

• Verified the SonarQube: field in the SonarQubePrepare@7 step properly matches the name of the ADO SonarQube connector.

• Turned logs up to Debug level to see if there are any errors that might explain why comments aren’t showing up on pull requests; nothing stands out.

• Granted the ADO token that SonarQube uses the full privileges of my account, which has permission to comment on PRs. No change in behavior.

• Gone hunting for settings that enable or disable the PR decoration feature, without success

• Removed sonar.ci.autoconfig.disabled=true from our maven arguments. Result autoconfig fails, failing the pipeline with the error, likely due to legacy variable names from when we were using Bamboo:

• • "[ERROR] Multiple CI environments are detected: [Azure DevOps, Bamboo]. Please check environment variables or set property sonar.ci.autoconfig.disabled to true."

• Tried setting the sonar.pullrequest.key, sonar.pullrequest.branch, and sonar.pullrequest.base values as maven variables (with -D for each), populated by ADO system variables for the corresponding info. No change in behavior.

• Tried setting an environment variable named SONAR_SCANNER_JSON_PARAM to {“sonar.pullrequest.key”:“$(System.PullRequest.PullRequestId)”, “sonar.pullrequest.base”:“$(System.PullRequest.targetBranchName)”, “sonar.pullrequest.branch”:“$(System.PullRequest.SourceBranch)” } in an ADO CMD@2 task prior to the maven sonar:sonar step, as suggested in this thread: PullRequest Decoration - SonarQube Server / Community Build - Sonar Community (yes, I know it’s a very different situation and an older version of SQ, but I’m getting desperate). No change in behavior.

• Tried setting the sonar.pullrequest.provider=Azure (both capitalized, and all lowercase) property in maven (using -D). This changed caused quality results to fail to make it back to the PR. Removing it restored that functionality. I have been unable to find a list of valid options for this field, but I suspect it may be related.

• Went looking for ADO-specific instructions on enabling PR decroation. I found instructions for Jenkins, Bitbucket Cloud, Codemagic, Github Actions, and Gitlab, but not Azure DevOps, at the Pull Request Analysis link here: Setting up the pull request analysis | Sonar Documentation. I’ve re-checked every branch analysis step I’ve come across for 2025.1, and believe everything is set up correctly. Clearly I’m missing something, though.

Additonal Background: I have Sonarqube running as a separate pipeline from our primary build. This pipeline is currently configured as an optional check when doing a PR, as a way to beta test the feature before we impose it on everyone. I originally set this up a number of years ago under SonarQube v9 or v10, and SonarQube was actively commenting on PRs when the optional check was executed.

We’ve finally dialed in the quality profiles enough that we’re not at risk of flooding developers with hundreds of code smell comments that they need to fix, and my leadership is at the point where we’re either going to make the SonarQube pipeline a mandatory check, or abandon Developer Edition entirely and switch back to Community edition. Having not seen SQ comments in a while, I went to make sure everything was still working by making a pull request with deliberate problems (see below)… and it wasn’t.

The PR I made had the following code changes. I went into the quality profile for this project and made these changes based specifically to violate rules that are enabled in the profile.

  File1:

            ObjectMapper fakeMapper = new ObjectMapper();
            fakeMapper.enableDefaultTyping(); // Sonarqube should flag this

  File2:

            mapper = new ObjectMapper();
            mapper.enableDefaultTyping(); // Sonarqube should flag this
            //...
            String dbPassword = "Password"; //this should really annoy SonarQube

I then ran the optional SonarQube check. After working through many configuration issues due to small changes over the years, I eventualy reached a point where the PR branch shows up on my SonarQube server, the Publish step successfully completes, and quality gate results properly get published back to ADO. I can see on my PR that the quality gate failed (we allow zero new findings), and the link to SonarQube from that quality gate status works correctly and takes me to the problematic code in SonarQube. In the CE log, I can see DEBUG-level messages saying Pull Request Decoration completed successfully:

2025.10.16 19:55:40 INFO ce[a35f3c49-53ea-426d-9a97-8608e1476830][o.s.c.t.p.a.p.PostProjectAnalysisTasksExecutor] Pull Request decoration | status=SUCCESS | time=0ms

However, when I look at my PR, there are no comments. I’ve tried everything I can think of, and can’t get SonarQube to make comments on my PR. I’m sure there’s something silly that I missed, but I’m out of ideas for what else to check. At this point, I’m wondering if PR decoration was dropped for ADO in 2025.1.

Relevant steps in my pipeline look like this. Some steps in the pipeline have been reduced to comments to provide context without me having to sanitize a bunch of stuff.

            # Setup build specific environment variables
            # Set up build containers
            # Properly configure java to trust our internal corporate PKI CA
 
        - task: SonarQubePrepare@7
          displayName: SonarQube Prepare
          inputs:
            SonarQube: '$(SonarQubeConnector)'
            scannerMode: 'Other'
            extraProperties: 'sonar.projectKey=$(ProjectKey)'
 
            # Task: Do a maven clean verify -DskipTests=true under JDK 11
            # Task: Install JDK 17
            # Task: Do some certificate configuration
           
                 
        - task: Maven@3
          timeoutInMinutes: 120
          inputs:
            mavenPomFile: 'components/pom.xml' # yes, this is the correct POM file
            goals: 'sonar:sonar'
            options: '-Psonar,buildServices -Dsonar.projectKey=$(ProjectKey) -Dsonar.host.url=$(SonarHost) -Dsonar.token=$(AuthToken) -Dsonar.exclusions=**/*.html,**/*.css,**/*.wsdl,**/*.xml -Dsonar.ci.autoconfig.disabled=true'
            mavenOptions: '$(program.maven.opts)'
            publishJUnitResults: true
            javaHomeOption: JDKVersion
            jdkDirectory: 'c:\dev\tools\jdk-17'
            jdkArchitectureOption: x64
            mavenVersionOption: Default
            sonarQubeRunAnalysis: true
                 
           
        - task: SonarQubePublish@7
          inputs:
            pollingTimeoutSec: '300'

If it helps, the sonar profile in my POM file is pretty generic - it’s mostly there to keep the sonarqube activities isolated from our main build:

<profile>
      <id>sonar</id>
      <activation>
            <activeByDefault>false</activeByDefault>
      </activation>
      <build>
            <plugins>
                  <plugin>
                        <groupId>org.sonarsource.scanner.maven</groupId>
                        <artifactId>sonar-maven-plugin</artifactId>
                        <version>5.2.0.4988</version>
                  </plugin>
            </plugins>
      </build>
</profile>

Finally, our ce.log. It looks basically the same regardless of the various different things I’ve tried:

2025.10.20 14:11:16 INFO  ce[][o.s.c.t.CeWorkerImpl] Execute task | project=DEV_our-project-repository.git | type=REPORT | pullRequest=34883 | id=134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e | submitter=devops

2025.10.20 14:11:18 DEBUG ce[][c.z.h.p.HikariPool] HikariPool-1 - keepalive: connection org.postgresql.jdbc.PgConnection@1a89f572 is alive

2025.10.20 14:11:21 DEBUG ce[][c.z.h.p.HikariPool] HikariPool-1 - Before cleanup stats (total=10/60, idle=9/10, active=1, waiting=0)

2025.10.20 14:11:21 DEBUG ce[][c.z.h.p.HikariPool] HikariPool-1 - After cleanup  stats (total=10/60, idle=9/10, active=1, waiting=0)

2025.10.20 14:11:21 DEBUG ce[][c.z.h.pool.PoolBase] HikariPool-1 - Attempting to create/setup new connection (d19d86e2-a662-47c4-8679-346e454656bc)

2025.10.20 14:11:21 DEBUG ce[][o.postgresql.Driver] Connecting with URL: jdbc:postgresql://localhost:5433/sonarqube?currentSchema=sonarqube

2025.10.20 14:11:21 DEBUG ce[][o.p.c.v.ConnectionFactoryImpl] Trying to establish a protocol version 3 connection to localhost:5433

2025.10.20 14:11:21 DEBUG ce[][o.p.c.v.ConnectionFactoryImpl] Receive Buffer Size is 65,536

2025.10.20 14:11:21 DEBUG ce[][o.p.c.v.ConnectionFactoryImpl] Send Buffer Size is 65,536

2025.10.20 14:11:21 DEBUG ce[][c.z.h.p.HikariPool] HikariPool-1 - keepalive: connection org.postgresql.jdbc.PgConnection@4fe5270 is alive

2025.10.20 14:11:21 DEBUG ce[][c.z.h.pool.PoolBase] HikariPool-1 - Established new connection (d19d86e2-a662-47c4-8679-346e454656bc)

2025.10.20 14:11:21 DEBUG ce[][c.z.h.p.HikariPool] HikariPool-1 - Added connection org.postgresql.jdbc.PgConnection@11292ae2

2025.10.20 14:11:21 DEBUG ce[][c.z.h.p.HikariPool] HikariPool-1 - After adding stats (total=11/60, idle=10/10, active=1, waiting=0)

2025.10.20 14:11:22 DEBUG ce[][c.z.h.p.HikariPool] HikariPool-1 - keepalive: connection org.postgresql.jdbc.PgConnection@1b235fc6 is alive

2025.10.20 14:11:32 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.p.s.ExtractReportStep] Analysis report is 4.1 MB uncompressed

2025.10.20 14:11:32 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Extract report | status=SUCCESS | time=15730ms

2025.10.20 14:11:32 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Persist scanner context | status=SUCCESS | time=82ms

2025.10.20 14:11:32 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Propagate analysis warnings from scanner report | status=SUCCESS | time=0ms

2025.10.20 14:11:32 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Generate analysis UUID | status=SUCCESS | time=0ms

2025.10.20 14:11:32 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Load analysis metadata | status=SUCCESS | time=2ms

2025.10.20 14:11:32 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Initialize | status=SUCCESS | time=1ms

2025.10.20 14:11:34 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Build tree of components | components=5 | status=SUCCESS | time=2151ms

2025.10.20 14:11:34 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Validate project | status=SUCCESS | time=2ms

2025.10.20 14:11:35 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Load quality profiles | status=SUCCESS | time=1012ms

2025.10.20 14:11:35 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] This step pushes telemetry data from the Sonar analyzers to Telemetry V2 server in case telemetry is enabled. | status=SUCCESS | time=0ms

2025.10.20 14:11:35 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Build list of dependencies | dependencies=0 | status=SUCCESS | time=2ms

2025.10.20 14:11:35 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Checks executed before computation of measures | status=SUCCESS | time=2ms

2025.10.20 14:11:35 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Generate SQ Upgrade analysis events | status=SUCCESS | time=2ms

2025.10.20 14:11:35 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Load file hashes and statuses | status=SUCCESS | time=2ms

2025.10.20 14:11:35 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Load Quality gate | status=SUCCESS | time=2ms

2025.10.20 14:11:35 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Load new code period | status=SUCCESS | time=0ms

2025.10.20 14:11:35 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Load prioritized rules | status=SUCCESS | time=4ms

2025.10.20 14:11:35 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.p.f.FileMoveDetectionStep] Currently within Pull Request scope. Do nothing.

2025.10.20 14:11:35 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Detect file moves | status=SUCCESS | time=0ms

2025.10.20 14:11:35 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Detect file moves in Pull Request scope | reportFiles=2 | dbFiles=7755 | movedFiles=0 | addedFiles=2 | status=SUCCESS | time=65ms

2025.10.20 14:11:37 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Load duplications | duplications=3149 | status=SUCCESS | time=1993ms

2025.10.20 14:11:37 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.p.d.CrossProjectDuplicationStatusHolderImpl] Cross project duplication is disabled because it's disabled in the analysis report

2025.10.20 14:11:37 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Compute cross project duplications | status=SUCCESS | time=0ms

2025.10.20 14:11:37 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Compute size measures | status=SUCCESS | time=0ms

2025.10.20 14:11:37 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Compute new coverage | status=SUCCESS | time=2ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Compute coverage measures | status=SUCCESS | time=609ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Compute comment measures | status=SUCCESS | time=0ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Compute duplication measures | status=SUCCESS | time=14ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Compute size measures on new code | status=SUCCESS | time=0ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Compute language distribution | status=SUCCESS | time=0ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Compute test measures | status=SUCCESS | time=0ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Compute complexity measures | status=SUCCESS | time=0ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Load measure computers | status=SUCCESS | time=0ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Compute Quality Profile status | status=SUCCESS | time=4ms

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][c.z.h.p.ProxyConnection] HikariPool-1 - Executed rollback on connection org.postgresql.jdbc.PgConnection@1f566fe5 due to dirty commit state on close().

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][c.z.h.pool.PoolBase] HikariPool-1 - Reset (autoCommit) on connection org.postgresql.jdbc.PgConnection@1f566fe5

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][c.z.h.p.ProxyConnection] HikariPool-1 - Executed rollback on connection org.postgresql.jdbc.PgConnection@1f566fe5 due to dirty commit state on close().

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][c.z.h.pool.PoolBase] HikariPool-1 - Reset (autoCommit) on connection org.postgresql.jdbc.PgConnection@1f566fe5

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][c.z.h.p.ProxyConnection] HikariPool-1 - Executed rollback on connection org.postgresql.jdbc.PgConnection@1f566fe5 due to dirty commit state on close().

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][c.z.h.pool.PoolBase] HikariPool-1 - Reset (autoCommit) on connection org.postgresql.jdbc.PgConnection@1f566fe5

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][c.z.h.p.ProxyConnection] HikariPool-1 - Executed rollback on connection org.postgresql.jdbc.PgConnection@1f566fe5 due to dirty commit state on close().

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][c.z.h.pool.PoolBase] HikariPool-1 - Reset (autoCommit) on connection org.postgresql.jdbc.PgConnection@1f566fe5

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.p.s.ExecuteVisitorsStep]   Execution time for each component visitor:

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.p.s.ExecuteVisitorsStep]   - AnalysisFromSonarQube94Visitor | time=0ms

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.p.s.ExecuteVisitorsStep]   - LoadComponentUuidsHavingOpenIssuesVisitor | time=2ms

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.p.s.ExecuteVisitorsStep]   - IntegrateIssuesVisitor | time=209ms

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.p.s.ExecuteVisitorsStep]   - CloseIssuesOnRemovedComponentsVisitor | time=2ms

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.p.s.ExecuteVisitorsStep]   - MaintainabilityMeasuresVisitor | time=2ms

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.p.s.ExecuteVisitorsStep]   - NewMaintainabilityMeasuresVisitor | time=0ms

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.p.s.ExecuteVisitorsStep]   - ReliabilityAndSecurityRatingMeasuresVisitor | time=0ms

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.p.s.ExecuteVisitorsStep]   - NewReliabilityAndSecurityRatingMeasuresVisitor | time=0ms

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.p.s.ExecuteVisitorsStep]   - SecurityReviewMeasuresVisitor | time=0ms

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.p.s.ExecuteVisitorsStep]   - NewSecurityReviewMeasuresVisitor | time=0ms

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.p.s.ExecuteVisitorsStep]   - LastCommitVisitor | time=0ms

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.p.s.ExecuteVisitorsStep]   - MeasureComputersVisitor | time=0ms

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.p.s.ExecuteVisitorsStep]   - D | time=0ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Execute component visitors | status=SUCCESS | time=215ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Checks executed after computation of measures | status=SUCCESS | time=2ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Compute pull request fixed issues measure | status=SUCCESS | time=0ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Compute Quality Gate measures | status=SUCCESS | time=6ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Compute Quality profile measures | status=SUCCESS | time=0ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Generate Quality profile events | status=SUCCESS | time=2ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Generate Quality gate events | status=SUCCESS | time=0ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Generate Issue Detection events | status=SUCCESS | time=2ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Check upgrade possibility for not analyzed code files. | status=SUCCESS | time=0ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Persist scanner analysis cache | status=SUCCESS | time=0ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Persist components | status=SUCCESS | time=8ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Persist project dependencies | status=SUCCESS | time=0ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Persist analysis | status=SUCCESS | time=2ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Persist analysis properties | status=SUCCESS | time=4ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Persist project measures | inserts=73 | status=SUCCESS | time=18ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Persist measures | insertsOrUpdates=461 | unchanged=0 | status=SUCCESS | time=5ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Persist new ad hoc Rules | status=SUCCESS | time=0ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Persist issues | cacheSize=1.4 kB | inserts=2 | updates=0 | merged=0 | status=SUCCESS | time=12ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Delete issue changes | changes=0 | status=SUCCESS | time=0ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Persist project links | status=SUCCESS | time=0ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Persist events | status=SUCCESS | time=4ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Persist sources | status=SUCCESS | time=93ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Persist cross project duplications | status=SUCCESS | time=0ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Enable analysis | status=SUCCESS | time=2ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Persist Fixed issues in Pull Request | status=SUCCESS | time=2ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Update last usage date of quality profiles | status=SUCCESS | time=4ms

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.d.p.p.KeepOneFilter] -> Keep one snapshot per day between 2025-09-22 and 2025-10-19

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.d.p.p.DefaultPeriodCleaner] <- Delete analyses of component f75de591-8f60-44f5-b53a-cc074ea13817:

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.d.p.p.KeepOneFilter] -> Keep one snapshot per week between 2024-10-21 and 2025-09-22

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.d.p.p.DefaultPeriodCleaner] <- Delete analyses of component f75de591-8f60-44f5-b53a-cc074ea13817:

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.d.p.p.KeepOneFilter] -> Keep one snapshot per month between 2020-10-26 and 2024-10-21

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.d.p.p.DefaultPeriodCleaner] <- Delete analyses of component f75de591-8f60-44f5-b53a-cc074ea13817:

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.d.p.p.KeepWithVersionFilter] -> Keep analyses with a version prior to 2023-10-23

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.d.p.p.DefaultPeriodCleaner] <- Delete analyses of component f75de591-8f60-44f5-b53a-cc074ea13817:

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.d.p.p.DeleteAllFilter] -> Delete data prior to: 2020-10-26

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.d.p.p.DefaultPeriodCleaner] <- Delete analyses of component f75de591-8f60-44f5-b53a-cc074ea13817:

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.d.purge.PurgeDao] <- Delete aborted builds

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.d.purge.PurgeDao] <- Delete orphan issues

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.d.purge.PurgeDao] <- Delete Old Anticipated Transitions

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.d.purge.PurgeDao] <- Purge stale branches

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Purge db | status=SUCCESS | time=18ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Load changed issues for indexing | status=SUCCESS | time=0ms

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.p.s.IndexAnalysisStep] Call org.sonar.server.measure.index.ProjectMeasuresIndexer@44768d47

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.p.s.IndexAnalysisStep] Call org.sonar.server.component.index.EntityDefinitionIndexer@3d029b2f

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.p.s.IndexAnalysisStep] Call org.sonar.server.issue.index.IssueIndexer@6de0cb5

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Index analysis | status=SUCCESS | time=129ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Update need issue sync for branch | status=SUCCESS | time=2ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Compute total Project ncloc | status=SUCCESS | time=4ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Publishing taint vulnerabilities and security hotspots events | status=SUCCESS | time=3ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Send issue notifications | status=SUCCESS | time=0ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Actions to execute when the computation is about to be finished | status=SUCCESS | time=0ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Publish task results | status=SUCCESS | time=0ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.s.ComputationStepExecutor] Trigger refresh of Portfolios and Applications | status=SUCCESS | time=0ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.p.a.p.PostProjectAnalysisTasksExecutor] Webhooks | globalWebhooks=0 | projectWebhooks=0 | status=SUCCESS | time=3ms

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.w.c.OkHttpClientBuilder] --> GET https://our.azuredevops.server/TeamName/Project%20Name/_apis/git/repositories/our-project-repostiory.git?api-version=3.0

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.w.c.OkHttpClientBuilder] <-- 200 OK https://our.azuredevops.server/TeamName/Project%20Name/_apis/git/repositories/our-project-repostiory.git?api-version=3.0 (50ms, 2115-byte body)

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][c.s.Y.D.Q.I.I] get pull request : [https://our.azuredevops.server/TeamName/_apis/git/repositories/f186ecc5-dca9-4382-bb93-b762344cc1a5/pullRequests/34883?api-version=3.0]

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.w.c.OkHttpClientBuilder] --> GET https://our.azuredevops.server/TeamName/_apis/git/repositories/f186ecc5-dca9-4382-bb93-b762344cc1a5/pullRequests/34883?api-version=3.0

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.w.c.OkHttpClientBuilder] <-- 200 OK https://our.azuredevops.server/TeamName/_apis/git/repositories/f186ecc5-dca9-4382-bb93-b762344cc1a5/pullRequests/34883?api-version=3.0 (13ms, 5038-byte body)

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][c.s.Y.D.Q.I.I] get pull request iterations : [https://our.azuredevops.server/TeamName/_apis/git/repositories/f186ecc5-dca9-4382-bb93-b762344cc1a5/pullRequests/34883/iterations?includeCommits=false&api-version=3.0]

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.w.c.OkHttpClientBuilder] --> GET https://our.azuredevops.server/TeamName/_apis/git/repositories/f186ecc5-dca9-4382-bb93-b762344cc1a5/pullRequests/34883/iterations?includeCommits=false&api-version=3.0

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.w.c.OkHttpClientBuilder] <-- 200 OK https://our.azuredevops.server/TeamName/_apis/git/repositories/f186ecc5-dca9-4382-bb93-b762344cc1a5/pullRequests/34883/iterations?includeCommits=false&api-version=3.0 (41ms, unknown-length body)

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][c.s.Y.D.Q.I.I] get commit : [https://our.azuredevops.server/TeamName/_apis/git/repositories/f186ecc5-dca9-4382-bb93-b762344cc1a5/commits/7df3131ef91ec58c5431761f2ef2585f20ea1531?api-version=3.0]

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.w.c.OkHttpClientBuilder] --> GET https://our.azuredevops.server/TeamName/_apis/git/repositories/f186ecc5-dca9-4382-bb93-b762344cc1a5/commits/7df3131ef91ec58c5431761f2ef2585f20ea1531?api-version=3.0

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.w.c.OkHttpClientBuilder] <-- 200 OK https://our.azuredevops.server/TeamName/_apis/git/repositories/f186ecc5-dca9-4382-bb93-b762344cc1a5/commits/7df3131ef91ec58c5431761f2ef2585f20ea1531?api-version=3.0 (16ms, 2608-byte body)

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][c.s.Y.D.Q.I.I] create pull request iteration status : [https://our.azuredevops.server/TeamName/_apis/git/repositories/f186ecc5-dca9-4382-bb93-b762344cc1a5/pullRequests/34883/iterations/2/statuses?api-version=3.0-preview]

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.w.c.OkHttpClientBuilder] --> POST https://our.azuredevops.server/TeamName/_apis/git/repositories/f186ecc5-dca9-4382-bb93-b762344cc1a5/pullRequests/34883/iterations/2/statuses?api-version=3.0-preview (255-byte body)

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.w.c.OkHttpClientBuilder] <-- 200 OK https://our.azuredevops.server/TeamName/_apis/git/repositories/f186ecc5-dca9-4382-bb93-b762344cc1a5/pullRequests/34883/iterations/2/statuses?api-version=3.0-preview (81ms, 1258-byte body)

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][c.s.Y.D.Q.I.I] get threads : [https://our.azuredevops.server/TeamName/_apis/git/repositories/f186ecc5-dca9-4382-bb93-b762344cc1a5/pullRequests/34883/threads?api-version=3.0]

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.w.c.OkHttpClientBuilder] --> GET https://our.azuredevops.server/TeamName/_apis/git/repositories/f186ecc5-dca9-4382-bb93-b762344cc1a5/pullRequests/34883/threads?api-version=3.0

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.w.c.OkHttpClientBuilder] <-- 200 OK https://our.azuredevops.server/TeamName/_apis/git/repositories/f186ecc5-dca9-4382-bb93-b762344cc1a5/pullRequests/34883/threads?api-version=3.0 (29ms, unknown-length body)

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.p.a.p.PostProjectAnalysisTasksExecutor] Pull Request decoration | status=SUCCESS | time=242ms

2025.10.20 14:11:38 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.p.a.p.PostProjectAnalysisTasksExecutor] Report branch Quality Gate status to devops platforms | status=SUCCESS | time=0ms

2025.10.20 14:11:46 INFO  ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.c.t.CeWorkerImpl] Executed task | project=DEV_our-project-repository.git | type=REPORT | pullRequest=34883 | id=134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e | submitter=devops | status=SUCCESS | time=30522ms

Did SonarQube drop PR decoration for ADO in 2025.1? Can anyone recommend next steps?

Thanks in advance

Update: I’m not sure how I missed this setting, but it has been enabled the whole time, either because it’s default, or because I enabled it when I had PR decoration working originally.

{0EB96E18-DFD7-479E-A95A-C53E43A4B247}485×273 12 KB

Hi,

I’m wondering if your project is “bound” in SonarQube to its repo. It sounds like you’ve been using SonarQube for a while, and I think the mechanisms here have shifted a bit over the years.

Check the ‘Additional setup for an unbound project’ expander in step 5 here.

Unfortunately, I’m afraid this is normal. I suspect this just reflects that CE did its thing and didn’t get an error back. Once we get to the root of your problem, I’ll raise this internally.

 
Ann

Hello Ann! Thanks for the reply!

You might be right that I’m ‘unbound’ - We’ve ported this project across 3 or 4 versions of SonarQube Developer Edition and across at least 3 systems. Being unbound would explain why I see the ‘get the most out of your server with CI integration’ banner at the top, even though we’re already fully integrated. I wouldn’t be opposed to deleting and re-importing the project and just starting over, but we have a team of people who have spent a lot of time commenting and annotating the findings that we have in SonarQube, and I wouldn’t want to lose that work.

That said, when I go to Project → project settings → General Settings → DevOps Platform Integration, teh Configuration Name field contains our ADO server (it matches the name and URL that I see under Devops Platform Integrations in the server-wide administration panel), the Project Name correctly matches my project name, and the git repo matches the name of our git repo. I clicked ‘check configuration’ and it comes back and says ‘configuration valid’.
To make sure these are set correctly, if the URL I see when I look at this repository in ADO is https://our.azuredevops.server/TeamName/Project%20Name/_git/our-project-repostiory.git, then the values I set for each of these fields is:

Configuration Name: TeamName ADO – ``https://our.devops.server/TeamName

Project Name: Project Name

Repository Name: our-project-repository.git

I also tried disabling and re-enabling (and saving settings after each change) the Enable Inline Pull Request Annotations setting, on the off chance there was some kind of caching issue, but re-running the optional check after that caused no change in behavior - I still don’t get PR comments.

While looking into this, I noticed something strange in SonarQube, though. When I went to look at the Issues tab for the test PR in question, it says “No Issues, Hooray!”. But there are 2 security hotspots, and we’ve clearly failed the quality gate. When I click on the 2 under Security Hotspots, my two Jackson Deserialization issues show up. The hard-coded password doesn’t get detected at all for some reason.

{075BFA0E-1129-4542-957D-DD46292918A3}1022×563 42.8 KB

Do hotspots not count as issues? Is that why I’m not seeing comments?

Hi,

This is expected. A few years ago we declared that Security Hotspots (action might be required) were a different beast than Issues (action definitely is required) and needed a different lifecycle and presentation.

Let’s back up. Do you see no annotation at all, anywhere on your PR? What are you looking for, and where?

 
Thx,
Ann

Thanks, Ann.

I don’t see any SonarQube annotation on my PR. By ‘annotation’, I assume you mean PR comments, which is what I’m expecting.

When I had this working previously, the SonarQube check would add a comment on the PR in ADO for each finding that it found in the changed lines of code, similar to what a human PR reviewer would do. That’s what I’m trying to get working again.

Hi,

So there’s no Quality Gate summary on the ‘front page’ of your PR?

How long ago was this?

That used to be a thing but it got really problematic when, for instance, you reanalyzed the same PR multiple times.

 
Ann

I do successfully get quality gate information published back to ADO - that’s one of the ways I know bi-directional comms and authentication are working. Just no inline comments.

{BDF1A5C3-843D-4646-8F8C-CB33236B0802}315×175 6.31 KB

I originally set this all up in v9.something. It’s been a minute since I last saw it working. We have quite a few software assurance products in our environment, and only a couple people to maintain them. It’s been a few years since I specifically tested by injecting known bad content and scanning. I’m sure all our developers just assumed their code was good - no idea how long this feature has been missing, but it’s probably on the order of years rather than months or weeks.

Are you saying the option to have SonarQube add PR comments have been dropped entirely? I assumed that’s what the ‘Enable Inline Pull Request Annotations’ option on the DevOps Platform Integration panel controlled:

{C23856E7-DA25-4923-93C2-8F0AF02B8021}439×131 7.37 KB

If that’s feature is gone, what does this setting do?

I’m so confused now

Hi,

Sorry, I didn’t look far enough when I was researching, this.

Could you bump your server log level - briefly, they get big, fast - to DEBUG and see if anything useful is added to the ce.log?

 
Thx,
Ann

The ce.log I posted in the original message is already at the debug level - turning on debug was one of the first things I tried. Nothing in there stands out to me, but maybe someone more experienced will notice something. I grabbed everything from the start to the Execute Task to the corresponding Executed task message. Other than that, it’s just a bunch of hikari spam and the occasional Postgres self-maintenance stuff.

I just grabbed the latest run and diff’d it with the debug snippet I posted originally, and the messages are all basically the same. There are a few extra hikari or postgres messages in there, but nothing that stands out as any different from what I added to my original message.

I don’t see any errors anywhere in my ce.log, and the only warnings are watchdog things - thread starvation, etc - possibly related to the fact that I’ve had debug logging enabled for a week now. Thankfully, our SQ server isn’t very active right now because the check is optional, so a developer needs to manually execute it for it to work. Also, I quadrupled the RAM and expanded the disk prior to logging at that level… learned I needed to do that the hard way a few years ago.

Hi,

Okay, thanks for checking. I’m out of ideas, so I’m going to flag this for more expert eyes.

 
Ann

Thank you so much for your help, Ann. I sincerely appreciate your attempts. Hopefully whoever you escalate this to can help get to the bottom of it and get decorations working again.

Hi @dash, apologies for the late reply. Regarding the logs, we see:

2025.10.20 14:11:38 DEBUG ce[134bc94f-4e2d-4a56-9ee9-fd1fdf03ca2e][o.s.w.c.OkHttpClientBuilder] --> POST https://our.azuredevops.server/TeamName/_apis/git/repositories/f186ecc5-dca9-4382-bb93-b762344cc1a5/pullRequests/34883/iterations/2/statuses?api-version=3.0-preview (255-byte body)

which looks like the CE (ComputeEngine) is posting its results to a repository with the ID of f186ecc5-dca9-4382-bb93-b762344cc1a5 and a pull request ID of 34883. Are those values correct?

Cheers,

-Scott

Hi @scott.bell, no worries on the delay.

It took me a minute to figure out how to find the repository ID, but I can confirm that it is f186ecc5-dca9-4382-bb93-b762344cc1a5, and that my PR at the time the log was captured had an ID of 34883. I’ve abandoned and re-created the PR multiple times since posting in random attempts to get comments to come through, so my current PR ID doesn’t match that, but that was correct at the time.

Ann raised a question that I’m not sure I got answered: Will SonarQube add comments for Security Hotspots, or do they need to be categorized as actual bugs? I ask because all of the artificial findings I introduce fall under the Security Hotspot category, and I’m wondering if that’s why I don’t see comments…

Aside from that, I’m happy to try anything else you can think of. I’m stumped.

EDIT: Just to make sure we’re all on the same page, I DO see quality gate results get published back to the PR, and the SonarQube check correctly shows as failed because it didn’t pass quality gates. What’s missing is the individual line decorations (implemented as comments in ADO) for each finding.

Thanks,

D

Ok… so I feel really dumb about this. I finally got a chance to try adding a finding that qualified as a ‘bug’ to the code (vs the others shown above, which are detected as Security Hotspots), and SonarQube decorated the PR just fine. It’s probably been working this whole time, and I just didn’t realize that SonarQube no longer decorates everything. So with that, I guess my main issue is resolved.

Is this expected behavior - that Security Hotspots don’t get added as comments to the code? Are there any others that are excluded from decoration? Is there somewhere I can control which levels of findings get decorated and which don’t?

Thanks,

D

Hi @dash, thanks again for double checking the bug detection - and I’m glad that the bug decoration worked!

You are correct that we don’t decorate security hotspots on SQ Server like other issues. And that there isn’t a place where a user can control the levels of which findings get decorated and which don’t.

Thanks, Scott. I’ll mark this as solved, since the “solution” was the information that Security Hotspots don’t get decorated. I appreciate the help, have a wonderful day!