Unable to display new code based on reference branch for consecutive branch scans

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube Server / Community Build, Scanner, Plugin, and any relevant extension): Enterprise Edition v2025.3.1 (109879)
  • how is SonarQube deployed: Docker
  • what are you trying to achieve:
    I’m trying to make SonarQube branch scans display new code compared to a reference branch. By configuring the reference branch either through UI or command line I get the initial scan to display new code compared to our reference branch.
    The problem is that consecutive scans lose the new code comparison for the reference branch and instead just display new code compared to previous scans on the current branch.

Initial scan:

Consecutive scans:

Activity:

Project settings:

I am expecting to see all these scans to have their new code be displayed in comparison to the reference branch, not the previous scan which seems to be the case here.
I am also expecting to see the same Quality Gates fail on all of these scans as I haven’t added any code past the initial scan.
Am I misinterpreting the reference branch functionality or is there some config that I’ve missed?

  • what have you tried so far to achieve this
sonar-scanner -Dsonar.branch.name="test" -Dsonar.projectName="test-double-ms" -Dsonar.projectKey="levpl:test-double-ms" -Dsonar.token="$SONAR_TOKEN" -Dsonar.host.url="$SONAR_HOST" -Dsonar.newCode.referenceBranch="master"

Hi,

Welcome to the community and thanks for all the screenshots! Very helpful!

Tell me about your checkout. Because my first reaction is that this is about the SCM metadata available to analysis.

These prerequisites are listed for PR analysis, but they’re relevant here too, I think.

 
Ann

Hello and thank you for the reply!

This is the status of my local checkout:

test-double-ms$ git branch -a -vv
  master                e3edf93 [origin/master]
* test                  ac73c73 [origin/test]
  remotes/origin/HEAD   -> origin/master
  remotes/origin/master e3edf93
  remotes/origin/test   ac73c73
test-double-ms$ git diff master 
diff --git a/docker/testdoublems.py b/docker/testdoublems.py
index 70b3218..3abf50e 100755
--- a/docker/testdoublems.py
+++ b/docker/testdoublems.py
@@ -23,6 +23,12 @@ class ExampleHandler(http.server.BaseHTTPRequestHandler):

+    def foo(self):
+        if True:
+            return True
+        else:
+            return False
+
 
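Review bot: the added `foo` in docker/testdoublems.py branches on a constant (`if True:`), so the `else: return False` arm is unreachable and the method always returns True. As a probe to trigger new-code findings for this experiment that is fine, but it should not be merged as-is.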
test-double-ms$ git diff master origin/master; echo $?
0
test-double-ms$ git rev-parse --is-shallow-repository
false

I added -Dsonar.sources="docker" to my sonar-scanner command to get rid of some warnings the scanner got when trying to scan .git files. Now that I’m browsing the local scanner output I can’t see any errors or warnings except this one:

Your code is analyzed as compatible with all Python 3 versions by default. You can get a more precise analysis by setting the exact Python version in your configuration via the parameter "sonar.python.version"

which is the same warning that can be seen in the pictures above.


Are you interested in the local output of the scan command?
I’ve tried every version of sonar-scanner, from 5.0.1.3006 to 7.2.0.5079.

Hi,

Are all the relevant branches up to date? Did you make sure the prerequisites are all in place?

That’s not going to do anything but narrow analysis to only files/directories under docker. Is that what you intended? If your goal is to exclude hidden files from analysis, then set sonar.scanner.excludeHiddenFiles=true.

 
Ann

Yes, the goal with -Dsonar.sources="docker" was to exclude some unnecessary files from being scanned, to get rid of some warnings and make the terminal output easier to read.
sonar.scanner.excludeHiddenFiles was a useful trick though, so thank you.


As for the prerequisites:

  • The pull request source branch is checked out in the CI/CD host’s local repository.
    As per my git branch command you can see that HEAD for my local branch is the same commit hash as its upstream.
BRANCH NAME           COMMIT  UPSTREAM
test                  ac73c73 [origin/test]
remotes/origin/test   ac73c73

What you can’t see is that my local refs are up to date, but I’ve checked and they are:

test-double-ms$ git fetch; echo $?
0
  • The branch being targeted by the pull request (target branch) is fetched in the CI/CD host’s local repository
    HEAD for my local master branch is the same as its upstream:
BRANCH NAME           COMMIT  UPSTREAM
master                e3edf93 [origin/master]
remotes/origin/master e3edf93
  • The CI/CD host’s local repository contains valid repository metadata
    I don’t know what data sonar-scanner needs from .git but it’s valid enough to use standard git commands like push and pull and so forth.
    The history ought to be long enough for sonar too:
test-double-ms$ git rev-list --count origin/test
142
test-double-ms$ git rev-list --count origin/master
141

I checked that we’re not using a shallow clone of the repo:

test-double-ms$ git rev-parse --is-shallow-repository
false
  • The code in the CI/CD host’s local repository matches the code in the remote repository
    Don’t know if this one is relevant as I’m pushing the code to the repo and running the sonar-scanner locally. There is no need for me to push, then pull, then scan.
  • If you use AWS CodeBuild
    We don’t use this.

Is there anything else from the guides that I should check?

Hi,

So analysis is not running on a CI build agent, but locally? FWIW, that’s not considered best practice.

Can you provide your analysis log?

The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.

This guide will help you find them.

 
Ann

Normally we run the scans from our CI server but right now I’m running them locally for debugging purposes.


sonar-scanner-log.txt (108.8 KB)
Command used:

test-double-ms$ sonar-scanner -Dsonar.branch.name="test" -Dsonar.projectName="test-double-ms" -Dsonar.projectKey="levpl:test-double-ms" -Dsonar.token="$SONAR_TOKEN" -Dsonar.host.url="$SONAR_HOST" -Dsonar.newCode.referenceBranch="master" -Dsonar.scanner.excludeHiddenFiles=true > sonar-scanner-log

Hi,

Can you try this without the quotes?

 
Thx,
Ann

same result with

test-double-ms$ git fetch --all
test-double-ms$ git branch --all -vv
  master                e3edf93 [origin/master]
* test                  ac73c73 [origin/test]
  remotes/origin/HEAD   -> origin/master
  remotes/origin/master e3edf93
  remotes/origin/test   ac73c73
test-double-ms$ git status
On branch test
Your branch is up to date with 'origin/test'.

nothing to commit, working tree clean
test-double-ms$ sonar-scanner -Dsonar.branch.name=test -Dsonar.projectName=test-double-ms -Dsonar.projectKey=levpl:test-double-ms -Dsonar.token=$SONAR_TOKEN -Dsonar.host.url=$SONAR_HOST -Dsonar.newCode.referenceBranch=master -Dsonar.scanner.excludeHiddenFiles=true


The first scan detects the new code compared to master.
The second scan indicates there is no new code compared to master.

I’m expecting the second scan to detect the same issues as the first scan, as nothing has been changed between the scans.

I got curious and tried to set the reference branch to FOOBAR, a branch that does not exist:
sonar-scanner -Dsonar.branch.name=test -Dsonar.projectName=test-double-ms -Dsonar.projectKey=levpl:test-double-ms -Dsonar.token=$SONAR_TOKEN -Dsonar.host.url=$SONAR_HOST -Dsonar.newCode.referenceBranch=FOOBAR -Dsonar.scanner.excludeHiddenFiles=true

This resulted in the exact same behaviour as when I use master, which does exist.

Scan activity:

Hi,

How is “master” spelled (capitalization counts!) in SonarQube? Is it possible that your use of quotes has injected leading or trailing whitespace in the name?

 
Ann

The name is master, no capital letters, no whitespaces.
This is how the Sonar GUI displays the master branch (picture from Project Settings → New Code):

I’ve also tried using origin/master and remotes/origin/master in my command.

Hi,

Sorry, I just now looked at your analysis log. Here’s the problem:

09:20:36.056 DEBUG SCM Step is disabled by configuration

SCM metadata - when you allow analysis to read it - is how the scanner understands what’s “new”.

Look for sonar.scm.disabled at the project or global level.

 
HTH,
Ann
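As an added example, not code from this thread or from SonarSource: a small POSIX sh pre-flight check that flags the places a disabled SCM step can come from before sonar-scanner is run again. It assumes a sonar-project.properties file, the -D arguments you pass, and the previous scanner log are at hand; a project- or global-level server setting is only visible through the log line Ann quoted.

```shell
#!/bin/sh
# Added pre-flight check, not from the thread. Assumes a sonar-project.properties
# file, -D scanner arguments and the previous scanner log are at hand. With the SCM
# step off, reference-branch new code degrades to "new since the last analysis".

# 0 when FILE sets sonar.scm.disabled=true (whitespace and case tolerated)
scm_disabled_in_props() {
  grep -Eiq '^[[:space:]]*sonar\.scm\.disabled[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1" 2>/dev/null
}

# 0 when one of the scanner arguments is -Dsonar.scm.disabled=true
scm_disabled_in_args() {
  for arg in "$@"; do
    case "$arg" in
      -Dsonar.scm.disabled=[Tt][Rr][Uu][Ee]) return 0 ;;
    esac
  done
  return 1
}

# 0 when a previous scanner LOG shows the SCM step was skipped (the line Ann
# spotted); this also catches a project- or global-level server setting
scm_step_skipped_in_log() {
  grep -q 'SCM Step is disabled by configuration' "$1" 2>/dev/null
}

# preflight PROPS LOG [scanner args...]: 0 only if no source disables SCM
preflight() {
  props=$1; log=$2; shift 2; rc=0
  if scm_disabled_in_props "$props"; then
    echo "sonar.scm.disabled=true set in $props"; rc=1
  fi
  if scm_disabled_in_args "$@"; then
    echo "sonar.scm.disabled=true passed on the command line"; rc=1
  fi
  if scm_step_skipped_in_log "$log"; then
    echo "previous log says the SCM step was skipped: check project/global settings"; rc=1
  fi
  return $rc
}

# Demo on constructed input: a properties file that disables SCM plus the
# log line from the thread; preflight is expected to fail here.
demo_dir=$(mktemp -d)
printf 'sonar.projectKey=levpl:test-double-ms\nsonar.scm.disabled = true\n' > "$demo_dir/sonar-project.properties"
printf '09:20:36.056 DEBUG SCM Step is disabled by configuration\n' > "$demo_dir/scanner.log"
preflight "$demo_dir/sonar-project.properties" "$demo_dir/scanner.log" \
  -Dsonar.branch.name=test -Dsonar.newCode.referenceBranch=master \
  || echo "preflight failed as expected for the constructed input"
rm -rf "$demo_dir"
```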


This is it!
Tried and it’s working now.
Thank you so much!