I am currently investigating GitLab CI behavior for one of our engineering teams.
I think I found the issue of “Sonar does not detect which files have changed in the merge request!!” - the SCM sensor was disabled for the project in general settings.
However, this led me to ask myself: which features are affected by this setting? So I would be happy if you could help me clarify a few things.
Note: At the moment we are using an older version of the sonar gradle plugin, but I’d like to hear a general answer on how it’s supposed to be with sonar. We will update the plugin eventually anyways.
sonar.scm.disabled=trueis set, then the sonar scanner can’t identify which files changed in a merge request, right?
- Which files does the analysis take into account then for the quality gate? Does it take all the files from the branch and compares it to the latest analysis of the main branch?
- I have observed that it’s not just adding unrelated files to the “new code” for the merge request, but also not showing files that were definitely changed in the MR. So I suppose the MR analysis is just unreliable with
- The SCM feature takes care of two things, detecting changed files in an MR and “blaming” people based on
git blame, correct?
- We only do shallow clones of our bigger projects to save time and transfer volume.
- As long as SCM is enabled and both the latest commit of the target branch and the source branch are available, Sonar can still figure out the changed files for a MR, correct?
- What’s Sonar’s general perspective on shallow clones? What do we miss out on if we don’t do a full clone of the whole repo?
- While analyzing our team’s CI, I noticed that GitLab CI checks out the repo with a detached HEAD for the MR. There are no git refs available at all. How does sonar detect the changes anyways? Is the scanner using the GitLab CI env variables like
- GitLab.com hosted code (SaaS)
- Sonar scan in GitLab CI using the gradle plugin
- Gradle plugin 22.214.171.1243 (outdated)
- Sonarcloud (paid, private projects) as target
- ALM linked