SonarQube to analyse only new lines of code - PR scan time budget of 5 minutes

I have a project with very strict time budgets for the SonarQube scan as part of the CI pipeline. We essentially want to only scan the lines that have changed and not the full project. Is it possible to scan only the files changed in the last commit, and provide a report based only on the changed lines of code? I want to check whether added or modified lines make the project quality worse, as the developers don't care about old code - only what they committed.
I saw a few notes on the Sonar Community that said this was not possible, but I am checking whether this has changed over the past 12 months. I did not find anything in the docs.
New Code analysis only
I want Sonar analysis on newly checked-in code

Related

SonarQube New Code Definition is working wrong

We were using SonarQube Enterprise Edition, its version was 9.2, and we upgraded it to 9.3 yesterday. So we always use the latest version of the Enterprise Edition.
I think the SonarQube New Code definition is working incorrectly. I will try to explain with our example.
You can see what our project’s New Code definition is.
I think SonarQube should calculate the code that differs from the previous version. But it did not do that.
P.S. We scan our repository's develop branch on SonarQube every night as scheduled. So the previous version is yesterday's scan.
We work with feature branches in our repository. Basically, we create a new feature branch from develop, then we develop our features in the feature branch. Sometimes it takes one or more weeks. We make a lot of commits during this period. After we finish developing, we merge the feature branch into develop. And that night, SonarQube scans the develop branch again. I think the merged feature branch's code is all new code. But SonarQube only considers commits made that day (the last day). Previous commits' code is not shown in the New Code reports.
I hope I was able to explain my problem.
Update 1:
I tried to fix the SonarQube project's version number. After that, the New Code definition shows as "Started 5 days ago", as you can see in the image below. It means it takes a 5-day period.
But as I tried to explain before, I want to see all branches and commits merged into develop in the new code report every day. Are there any other suggestions?
Thanks.

How and why could leak period detect an old issue as new for msbuild

We are having an issue with SonarQube analysis where known issues are failing the quality gate. This is an existing code base, after initial analysis, existing issues should remain as is and new code is analyzed. Thus if a developer checks in code, I would expect only new changes are analyzed and scanned. However, SonarQube is detecting both new changes and existing changes as issues during the leak period.
How does Sonar determine the differences between current and previous for the leak period? Is it purely analyzing source files or is there something else happening? What could cause existing code to cause a new issue in the leak period? I'm trying to determine how to diagnose and troubleshoot this issue.
Running:
SonarQube 7.1
sonar-scanner-msbuild 4.2.0.1214
TFS 2012
4 TFS 2012 Build Agents
No SCM integration
Edit:
I mostly see these issues in Bugs and Code Smells. The leak period is based on the previous run, versions are not being used. It seems to be more problematic with SonarQube 7.1 than with the previous 6.7. Here is an example flow that happened:
1) Initial Sonar analysis/scan -- all code is green
2) New check-in -- All code is green
3) New check-in, one line change -- all previously "green" items from step 1 are flagged and gate fails

How to get new code coverage in Sonarqube?

When I say "new code", I mean comparing two commits in the master branch and getting the new code.
I am confused about the new code coverage in SonarQube. I want to specify the comparison of two commit IDs.
Check in the analysis parameters if the sonar.projectDate one can help:
Retrieve the oldest version of your application's source that you wish to populate into the history (from a specific tag, whatever).
Run a SonarQube analysis on this project by setting the sonar.projectDate property. Example: sonar-scanner -Dsonar.projectDate=2010-12-01
Retrieve the next version of the source code of your application, update the sonar.projectDate property, and run another analysis. And so on for all the versions of your application you're interested in.
If your commits are done on different days, that could work.
This is not as precise as two commits ID, but can still help here.
See "SonarQube - unity tests code coverage on new code not working" (if this has not changed since SonarQube 5.x)

Can SonarQube perform retrospective analysis of past commits?

I am considering the implementation of a Code Quality tool for our team's Projects.
SonarQube seems to be a good choice. I haven't gotten the ideal workflow figured out yet (we use SVN and Maven Projects and have a Jenkins server running the tests on every commit).
Aside from the importance of being able to analyse the quality of the current commit, historical evolution is also very interesting.
Given that we already have a few years of commits, is it possible, when setting up the project, to request a retrospective analysis of those commits, or will SonarQube only work for the commits from the day it is installed onwards?
SonarQube only displays data uploaded by scanners. You can check out any commit (read more here: How to checkout a specific Subversion revision from the command line?) and then execute a scanner. The scanner used depends on which build tool you use:
Ant
Gradle
Maven
MSBuild
Other
The analysis result will be pushed to a SonarQube server. Unfortunately, it is always treated as the last version of the application, so you cannot "insert" an analysis of some old commit into the project history. But do you really need it? Scanners always analyze all sources. If somebody added some code three years ago and nobody deleted it, then it will be available on the server. If the code is deleted, then you shouldn't spend time analyzing something that doesn't exist anymore. That's why SonarQube always shows the last state of the project.
You can read a good blog post written by Fabrice Bellingrad (April 06, 2016): Stop planning; fix the leak!
Read more about SonarQube Architecture and Integration.
Yes, this is possible using the sonar.projectDate analysis parameter. Its purpose is precisely what you are asking for.
Quote from the docs:
Assign a date to the analysis. This parameter is only useful when you need to retroactively create the history of a not-analyzed-before project. The format is yyyy-MM-dd, for example: 2010-12-01. Since you cannot perform an analysis dated prior to the most recent one in the database, you must recreate your project history in chronological order, oldest first.
You could for example check out your last 10 version tags in chronological order (oldest first!). For each tag run the analysis with sonar.projectDate set to the date the tag was created.
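The two answers above (the sonar.projectDate steps for new code coverage, and the tag-by-tag history backfill) describe the same procedure, so here is one worked version of it as an added example. It is not code from the original posts or from SonarSource; it assumes a `sonar-scanner` binary on PATH, a git checkout (swap the checkout command for `svn` if you are on Subversion, as the question is), and the constructed tag list `SAMPLE_TAGS`. The planner sorts the tags oldest first and refuses a plan where two analyses would carry the same day, because sonar.projectDate only resolves to a day and the server rejects an analysis dated at or before the most recent one it already holds.

```python
"""Backfill SonarQube history from release tags, oldest first (added example)."""
import subprocess
from datetime import date

# Constructed sample input: release tags and the day each was created.
# The order is deliberately scrambled to show that the planner sorts them.
SAMPLE_TAGS = [
    ("v1.2", "2016-05-10"),
    ("v1.0", "2016-03-01"),
    ("v1.1", "2016-04-12"),
]


def plan_backfill(tags, project_key):
    """Return one scanner invocation per tag, sorted chronologically.

    Raises ValueError when two tags fall on the same day, since a second
    analysis dated the same day as (or earlier than) the previous one would
    be rejected by the server anyway.
    """
    parsed = [(tag, date.fromisoformat(day)) for tag, day in tags]
    parsed.sort(key=lambda item: item[1])
    plan = []
    previous = None
    for tag, day in parsed:
        if previous is not None and day <= previous[1]:
            raise ValueError(
                f"{tag} ({day}) is not after {previous[0]} ({previous[1]}): "
                "sonar.projectDate resolves to a day, so each analysis needs "
                "a later day than the one before it"
            )
        plan.append({
            "tag": tag,
            "command": [
                "sonar-scanner",
                f"-Dsonar.projectKey={project_key}",
                f"-Dsonar.projectVersion={tag}",   # shows as the snapshot version
                f"-Dsonar.projectDate={day.isoformat()}",
            ],
        })
        previous = (tag, day)
    return plan


def run_backfill(plan, dry_run=True):
    """Check out each tag and run its scanner command, in plan order.

    With dry_run=True (the default) nothing is executed; the commands are
    returned for review before anything is pushed to the SonarQube server.
    """
    executed = []
    for step in plan:
        # Assumes git; on Subversion this would be an `svn switch` to the tag.
        checkout = ["git", "checkout", "--quiet", step["tag"]]
        for cmd in (checkout, step["command"]):
            executed.append(cmd)
            if not dry_run:
                subprocess.run(cmd, check=True)
    return executed


if __name__ == "__main__":
    for cmd in run_backfill(plan_backfill(SAMPLE_TAGS, "my-project")):
        print(" ".join(cmd))
```

Running the module prints the dry-run command list; call `run_backfill(plan, dry_run=False)` from a clean working copy to actually perform the analyses. The planner is the part worth keeping: once the history exists on the server, any later analysis with an earlier date is refused, so sorting and the same-day check happen before the first scanner run rather than halfway through.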

Is there a way to control and automate snapshot generation for projects in SonarQube 6.3?

According to Sonarqube documentation: https://docs.sonarqube.org/display/SONAR/Concepts
A snapshot is generated for each analysis. Is there any way available to control this versioning and the given time for the snapshot generation. If yes, then I would like to automate the naming of snapshot generation.
Further explanation: I would like to have given time for a snapshot equal to say 2 weeks and give it a name like: "119.0 Sprint" and then for the next snapshot generation, I want that sonarqube names it as "120.0 Sprint".
Any helpful documentation or tutorial would be appreciated.
To update the version string that's shown in SonarQube, you should update its source: your sonar-project.properties, pom.xml or other document used to feed the basic analysis values such as project key, sources directory and so on.
This should be done externally to SonarQube, although you can attach such values to snapshots via the SonarQube UI after the fact.
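One way to drive the version string externally, as the answer suggests, is a small script run at the start of each sprint that rewrites `sonar.projectVersion` in sonar-project.properties. This is an added example, not code from the original post or from SonarSource; the "119.0 Sprint" naming scheme comes from the question, and the sample properties file, the `next_sprint_version` rule (increment the number before the dot) and the function names are assumptions made here.

```python
"""Advance sonar.projectVersion in sonar-project.properties (added example)."""
import re
from pathlib import Path

# Constructed sample sonar-project.properties, the file the answer above
# says should carry the version string fed to the analysis.
SAMPLE_PROPERTIES = """\
# SonarQube project settings (constructed sample)
sonar.projectKey=my-project
sonar.projectName=My Project
sonar.projectVersion=119.0 Sprint
sonar.sources=src
"""

# Assumed naming scheme from the question: "<sprint>.<patch> Sprint".
SPRINT_RE = re.compile(r"^(\d+)\.(\d+) Sprint$")


def next_sprint_version(version):
    """"119.0 Sprint" -> "120.0 Sprint"; reject anything else loudly."""
    match = SPRINT_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version format: {version!r}")
    sprint, patch = int(match.group(1)), int(match.group(2))
    return f"{sprint + 1}.{patch} Sprint"


def bump_project_version(text):
    """Return (new_text, new_version) with sonar.projectVersion advanced.

    Only the value of sonar.projectVersion changes; comments, key order and
    the other keys are left untouched so the change is a one-line diff.
    """
    lines = text.splitlines(keepends=True)
    new_version = None
    for index, line in enumerate(lines):
        key, sep, value = line.partition("=")
        if sep and key.strip() == "sonar.projectVersion":
            new_version = next_sprint_version(value)
            lines[index] = f"{key.strip()}={new_version}\n"
            break
    if new_version is None:
        raise KeyError("sonar.projectVersion not found in properties")
    return "".join(lines), new_version


def bump_properties_file(path):
    """Rewrite the file in place and return the version now recorded in it."""
    path = Path(path)
    new_text, new_version = bump_project_version(path.read_text(encoding="utf-8"))
    path.write_text(new_text, encoding="utf-8")
    return new_version


if __name__ == "__main__":
    updated, version = bump_project_version(SAMPLE_PROPERTIES)
    print(f"next snapshot will be named {version!r}")
    print(updated)
```

Wire `bump_properties_file("sonar-project.properties")` into the job that starts a sprint (or a scheduled two-week job), commit the result, and the next scan creates a snapshot carrying the new name without anyone editing it in the UI afterwards.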
