Trouble with PR vs Branch scanning

We run sonar-scanner this way:

if [[ "${IS_PR}" == "true" ]]
then 
  echo "******* In PR build, branch name is: $HEAD_BRANCH"
  sonar-scanner -X -Dsonar.ws.timeout=300 -Dsonar.token=$sq_token -Dsonar.pullrequest.key=${PR_NUMBER} -Dsonar.pullrequest.branch=${HEAD_BRANCH} -Dsonar.pullrequest.base="master"
else
  echo "******* In branch build, branch name is: $BRANCH"
  sonar-scanner -X -Dsonar.ws.timeout=300 -Dsonar.token=$sq_token -Dsonar.branch.name=${BRANCH}
fi

When running a PR build, it passes, but the Overview looks empty.

When merging it and running a branch build, it fails on New code, but passes on Overall code.
Shouldn’t the PR build fail as well…?


Hi,

Welcome to the community!

Take a closer look at your PR screenshot. Specifically this part:

[Screenshot: Selection_2181]

PR analysis isn’t actually running on any code.

I would start by changing your analysis command:

if [[ "${IS_PR}" == "true" ]]
then 
  echo "******* In PR build, branch name is: $HEAD_BRANCH"
else
  echo "******* In branch build, branch name is: $BRANCH"
fi
sonar-scanner -X -Dsonar.ws.timeout=300 -Dsonar.token=$sq_token 

You haven’t specified your CI, but most implementations pick up the branch/PR data from the env automatically.

If that doesn’t sort it out, please share your analysis log.

The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.

This guide will help you find them.

 
HTH,
Ann

Thanks for the reply.

Even in PRs that do contain code changes, it shows the same:

Attached is the sonar-scanner debug log.
pr-log.txt (85.0 KB)

Hi @Idan_Adar,

How is New code detection set in the project?

Hello Bachri, sorry but I don’t follow the question. How would you expect it to be configured?

Hi @Idan_Adar,
I’ve been experimenting with configuring ‘new code’ detection using a reference branch (like ‘master’ or ‘develop’) and it seems to improve accuracy for branches compared to the default ‘previous version’ setting.

I’m curious if this approach would work similarly for Pull Requests. Would you be willing to test this out on your side? It would be great to compare notes and see if we get the same results.

Hi,

Thanks for the log.

2025-01-09T16:59:26.853901083Z 16:59:26.775 INFO: Scanner configuration file: /opt/sonar-scanner-5.0.1.3006-linux/conf/sonar-scanner.properties

This version has some age on it. The current version of SonarScanner CLI is 6.2.1.

What are the languages of this repository? Going further in the log, we see that only a few analyzers are loaded:

2025-01-09T17:00:07.455654893Z 17:00:07.413 DEBUG: Plugins not loaded because they are optional: [abap, sonarapex, csharp, cpp, cfamilydependencies, cobol, dbd, dbdjavafrontend, dbdpythonfrontend, flex, go, web, jcl, javasymbolicexecution, java, javascript, kotlin, php, pli, plsql, python, rpg, ruby, sonarscala, swift, tsql, vbnet, vb, security, securitycsharpfrontend, securityjsfrontend, securityjavafrontend, securityphpfrontend, securitypythonfrontend, dart]
2025-01-09T17:00:07.611241278Z 17:00:07.571 DEBUG: Plugins loaded:
2025-01-09T17:00:07.615171744Z 17:00:07.571 DEBUG:   * Text Code Quality and Security 2.16.0.4008 (textenterprise)
2025-01-09T17:00:07.615196457Z 17:00:07.571 DEBUG:   * Clean as You Code 2.4.0.2018 (cayc)
2025-01-09T17:00:07.615202262Z 17:00:07.572 DEBUG:   * XML Code Quality and Security 2.10.0.4108 (xml)
2025-01-09T17:00:07.615206758Z 17:00:07.572 DEBUG:   * JaCoCo 1.3.0.1538 (jacoco)
2025-01-09T17:00:07.615211056Z 17:00:07.572 DEBUG:   * IaC Code Quality and Security 1.36.0.12431 (iac)
2025-01-09T17:00:07.615215580Z 17:00:07.572 DEBUG:   * Text Code Quality and Security 2.16.0.4008 (text)

Basically, there’s nothing language-specific here. That tells me that no real code files were detected in the initial scan for changed files.

You need to back up to your checkout. Make sure your prerequisites are in place.

And again, you should drop your manual PR analysis parameter configuration and see if that helps:

2025-01-09T17:00:09.768259308Z 17:00:09.730 INFO: Found manual configuration of branch/PR analysis. Skipping automatic configuration.

 
Ann

P.S.

2025-01-09T16:59:55.007796376Z 16:59:54.970 DEBUG: Data Center 10.7.0.96327

As a Data Center customer, you have access to our Support Engineers who have SLAs… :smiley:
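
The log checks from the reply above as a script (an added example, not part of the original thread and not SonarSource code). The sample log is constructed from the lines quoted in the thread with the plugin list shortened; `GENERIC_PLUGINS`, the warning codes and the `expected` parameter are assumptions of this example.

```python
import re

# Constructed sample: log lines quoted in this thread, plugin list shortened.
SAMPLE_LOG = """\
2025-01-09T16:59:26.853901083Z 16:59:26.775 INFO: Scanner configuration file: /opt/sonar-scanner-5.0.1.3006-linux/conf/sonar-scanner.properties
2025-01-09T17:00:07.455654893Z 17:00:07.413 DEBUG: Plugins not loaded because they are optional: [csharp, go, java, python]
2025-01-09T17:00:07.611241278Z 17:00:07.571 DEBUG: Plugins loaded:
2025-01-09T17:00:07.615171744Z 17:00:07.571 DEBUG:   * Text Code Quality and Security 2.16.0.4008 (textenterprise)
2025-01-09T17:00:07.615211056Z 17:00:07.572 DEBUG:   * IaC Code Quality and Security 1.36.0.12431 (iac)
2025-01-09T17:00:09.768259308Z 17:00:09.730 INFO: Found manual configuration of branch/PR analysis. Skipping automatic configuration.
"""

GENERIC_PLUGINS = {"textenterprise", "text", "cayc", "xml", "jacoco", "iac"}  # assumption: keys the reply treats as not language-specific
CURRENT_CLI = (6, 2, 1)  # current SonarScanner CLI version as stated in the thread

VERSION_RE = re.compile(r"Scanner configuration file: .*?sonar-scanner-(\d+(?:\.\d+)+)")
SKIPPED_RE = re.compile(r"Plugins not loaded because they are optional: \[(.*?)\]")
BULLET_RE = re.compile(r"DEBUG:\s+\* .*\((\w+)\)\s*$")

def parse_scanner_log(text):
    """Extract scanner version, loaded/skipped plugin keys and the manual-config marker."""
    info = {"version": None, "loaded": [], "skipped": [], "manual_config": False}
    in_loaded = False
    for line in text.splitlines():
        if m := VERSION_RE.search(line):
            info["version"] = tuple(int(p) for p in m.group(1).split("."))
        if m := SKIPPED_RE.search(line):
            info["skipped"] = [k.strip() for k in m.group(1).split(",") if k.strip()]
        if "Found manual configuration of branch/PR analysis" in line:
            info["manual_config"] = True
        # Plugin bullets only count directly under the "Plugins loaded:" header.
        bullet = BULLET_RE.search(line) if in_loaded else None
        if bullet:
            info["loaded"].append(bullet.group(1))
        in_loaded = bool(bullet) or line.rstrip().endswith("Plugins loaded:")
    return info

def triage(text, expected=()):
    """Return warning codes; `expected` lists analyzer keys the repository should trigger."""
    info, warnings = parse_scanner_log(text), []
    if info["version"] and info["version"][:3] < CURRENT_CLI:
        warnings.append("outdated-scanner-cli")
    if info["loaded"] and not set(info["loaded"]) - GENERIC_PLUGINS:
        warnings.append("no-language-analyzer-loaded")
    missing = sorted(set(expected) & set(info["skipped"]))
    warnings += [f"analyzer-skipped:{k}" for k in missing]
    if info["manual_config"]:
        warnings.append("manual-branch-pr-config")
    return warnings
```

Running `triage()` on the output of `sonar-scanner -X` in the CI step turns a passing but empty PR analysis into a visible warning instead of a silent pass.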

About the CLI - that’s indeed an old version, it’s just that when we used v6 it failed on Java and I didn’t want to focus on that at the time, so went back to v5.

This is for applications written in Golang.
I don’t control much of this, we are just users and another team manages the instance in our company (this is indeed a Data Center edition, but the internal support ticket is not being handled fast enough so I figured I’ll ask here to gain some more info from SQ team…).

We use Tekton, so it’s none of the CI systems mentioned in the documentation but I do think we meet the pre-reqs. I will try with removing the manual configuration, yes.

As for the PR, while the PR build (with code changes) doesn’t present any data, once merged, it does show data for the branch build. …

Hi,

Not to be pedantic, but does the data look right?

And how does your branch checkout differ, if at all, from your PR checkout?

 
Ann

Yes, data looks correct in branch build.
I also tried now with your suggestion, including with a PR that has actual code changes (not just a readme.md dummy change), and it still shows no data for that PR.

FYI this is about support case 51278

Hi,

If you have a support case, there’s no point in continuing the discussion here.

 
Thx,
Ann