First of all, welcome to this community and many thanks to you for the clear reproducer.
This feedback is coming at quite an appropriate time, as we are about to start some work on improving symbol resolution for Python analysis.
First, to address your issue, I believe what you want to do is to set up a monorepo in SonarCloud.
Your reproducer is currently analyzed with automatic analysis and is seen by SonarCloud as a single project, which is probably not what you want when working with monorepos.
Instead, you can set up multiple projects that are analyzed separately. For that, unfortunately automatic analysis is not available.
Here is some documentation about how to set up a monorepo:
Also, here is an example setup based on your reproducer:
The analysis is triggered by a Github Action (as automatic analysis is not available for monorepos - feel free to replace this with your preferred CI-based analysis configuration) and there are 2 sub-projects that are analyzed separately, each with their own
.sonarcloud.properties is no longer needed.
There, we can see that the false positive is gone. I also introduced actual bugs in both projects which are correctly detected:
That being said, your reproducer still highlights a bug in the way our analyzer resolves symbols, as the same pattern could happen in a regular project.
Mostly, this is due to the fact that our analyzer doesn’t compute the correct fully qualified names for modules if no
__init__.py is present in the package. In turn, this bug hid another bug which prevents our analyzer from correctly resolving imported symbols in some cases.
For that, I have created the following tickets: SONARPY-844 and SONARPY-846 which we will hopefully tackle soon.
Thanks again for your feedback,
Hope that helps,