Unexplained new findings shown in unchanged code

SonarQube Developer Edition version 9.9.3 (build 79811)

Scenario:

  1. Quality Profile was created and applied to a project.
  2. Main branch was scanned, which shows 537 code smells under overall code.

[screenshot]

  3. Then a new branch was created from the main branch with the name feature/testsq.
  4. The new branch was scanned without making any code changes, and the number of code smells matches the main branch. All good so far!

[screenshot]

  5. Make code changes to the feature/testsq branch. Number of new code smells = 4. OK.

[screenshot]

  6. But click on ‘Overall code’ and it shows 561.

[screenshot]

If the new code has introduced 4 code smells, the overall code smells should be 537+4 = 541. Why do we suddenly have 561 code smells?

Drill down shows that new code smells were identified in unchanged code from feature/testsq branch. Those findings should have been identified in the main branch as well, but that’s not the case.

[screenshot]

What explains this behaviour? Is this a known bug which has been fixed in later versions?

Hi,

This seems to be an analysis precision question. You should check your analysis logs to make sure that all the same class files and libraries were available in both analyses.

HTH,
Ann

As mentioned, code was changed, which also resulted in different libraries.
But looking at the last image shown above, that code (entire class) did not change at all. Same rule (java:S1905) produced findings in the previous version of code in other classes, which means the rule was running, but it was not creating a finding at Line 49 earlier.

Hi,

I didn’t say this was about rules. I said it’s about analysis precision. Again,

Because without all the binaries, analysis will be less precise, and things can get missed.

HTH,
Ann

So in short this means that changing code in any other class, which may need new libraries, may result in new findings in unchanged code. Right?

Hi,

Ehm… What I’m saying is that if the library was available to one analysis, but not the other, it’s entirely normal that the analyses will have different results.

Ann

Well libraries were available in both runs (and being a Maven project, libraries were detected automatically by SonarQube), but because some classes had code and dependency changes, libraries were different in both runs.

It may sound normal to you knowing the internals 🙂 but it is definitely confusing when the numbers don’t add up, and to see findings go up in classes that had no code changes.

To summarize what I understood with an example:

  • A project has 2 classes - Class A and B
  • Scan for the first time - Total findings in code = 10
  • Make code changes in Class A - which may need new libraries or change existing libraries. No code changes in Class B.
  • Run the scan - Total findings may change - not only in Class A but also in Class B

Hi,

Okay, if the two runs used different libraries, then I can certainly see that having an impact on what’s found during analysis.

If Class B is using those libraries that changed for Class A, then yes absolutely.

HTH,
Ann