I'm using SonarQube 6.2 and I set the Leak Period to "previous_version". However, during analysis, SonarQube detects errors in files that were not detected in the previous analysis and in which there was no commit made in the current analysis.
Is this a bug or an issue with my configuration?
By updating the Java analyzer, new issues are detected on files that were not modified. We're aware of the problem. It's fixed in SonarQube 6.3 with SONAR-8736.
Related
We launched Sonar 4.5.4 on one of our applications. Then we upgraded Sonar to version 6.7.5 and we got different results.
e.g.: the rule DLS_DEAD_LOCAL_STORE. When we passed our code through version 4.5.4, this critical rule was not broken at all. With the new version, it appears as a new critical bug even though no changes have been implemented (the last commit for these classes was made more than one year ago).
Is there any documentation about rule implementation changes per versions?
Does anyone have any experience with this?
When you upgrade SonarQube you have to prepare yourself for some (big) changes. There is a large gap between 4.5.4 and 6.7.5, so do not be surprised that checkers have been enhanced and severity revised.
It is normal and you should analyze changes before performing any application upgrade.
SonarC# 6.7.1 (build 4347)
SonarQube Version 6.7.1 (build 35068)
Quality Profile: Sonar way (outdated copy) because the current Sonar Way quality profile returns nothing at all.
Running the current MSBuild.SonarQube.Runner (SonarQube Scanner for MSBuild 4.0.2.892) only reports Code Smells. No vulnerabilities or bugs are being reported.
Using https://github.com/SonarSource/sonar-scanning-examples - CSharpProject to test. I've added bugs from the quality profile above into the code but they never get reported. I've tried this with other CS projects with the same results.
Are there any known issues reporting vulnerabilities/bugs for C#? Is any additional configuration required to get this information reported back to SonarQube?
This isn't a known issue, and I couldn't reproduce it using the same versions of the scanner, the C# plugin and a clean install of SonarQube 6.7.1.
Analysing the sample project reported one bug (csharpsquid:S2583, Program.cs line 9), and one code smell (csharpsquid:S1118, Program.cs line 4).
Code Smells, Bugs and Vulnerabilities are all handled the same way by the Scanner for MSBuild - they are all just Roslyn issues with different categories applied. No additional configuration is required.
I'm guessing you've migrated from an older version of SonarQube since you have an outdated SonarWay. However, that shouldn't make any difference to how issues are reported. The rules included in the default SonarWay might change between versions, but you've checked for rules you know are in the active QP.
If you haven't already, you could try installing SonarLint for VS and checking it correctly detects the bugs you've injected into the code.
Other options:
the .sonarqube\conf directory will contain a ruleset file showing which rules are being executed by the scanner. Check that it contains the expected rules.
the bin directory of each project will contain an XXX.RoslynCA.json file containing all of the issues that were detected during the build. Check that they contain the expected issues.
check the console logs for errors or warnings. You could also increase the verbosity of the logged output by passing /d:sonar.verbose=true on the command line in the Begin step.
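The two file checks in the answer above (the generated ruleset and the per-project RoslynCA.json) can be automated. The following is an added example for this thread, not code from the original answer or from SonarSource. It assumes the ruleset under .sonarqube\conf is a standard Roslyn .ruleset (Rule elements with Id and Action attributes, Action="None" meaning deactivated) and that XXX.RoslynCA.json is the SARIF 1.0 error log the C# compiler writes (runs[].results[].ruleId, locations[].resultFile). Both sample inputs below are constructed; only the rule ids S2583 and S1118 and their Program.cs line numbers come from the answer, while the file path, the message texts and the CS8019 diagnostic are made up.

```python
"""Cross-check the ruleset written under .sonarqube\\conf against the
XXX.RoslynCA.json issue log found in a project's bin directory.

Added example for this thread, not part of the scanner or the original answer.
Assumptions: the ruleset is a standard Roslyn .ruleset (<Rule Id=".." Action=".."/>,
Action="None" meaning deactivated) and RoslynCA.json is the SARIF 1.0 error log
the C# compiler emits (runs[].results[].ruleId / locations[].resultFile)."""
import json
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample ruleset: three active Sonar rules and one deactivated one.
SAMPLE_RULESET = """<?xml version="1.0" encoding="utf-8"?>
<RuleSet Name="Rules for SonarQube" Description="Constructed sample" ToolsVersion="14.0">
  <Rules AnalyzerId="SonarAnalyzer.CSharp" RuleNamespace="SonarAnalyzer.CSharp">
    <Rule Id="S1118" Action="Warning" />
    <Rule Id="S2583" Action="Warning" />
    <Rule Id="S1186" Action="Warning" />
    <Rule Id="S3776" Action="None" />
  </Rules>
</RuleSet>
"""

# Constructed sample RoslynCA.json. The two Sonar results mirror the findings
# quoted in the answer (S2583 at Program.cs line 9, S1118 at line 4); the path,
# the message texts and the CS8019 compiler diagnostic are made up.
SAMPLE_ROSLYNCA_JSON = """{
  "version": "1.0.0",
  "runs": [{
    "tool": {"name": "Microsoft (R) Visual C# Compiler"},
    "results": [
      {"ruleId": "S2583", "level": "warning", "message": "constructed message",
       "locations": [{"resultFile": {"uri": "file:///C:/src/CSharpProject/Program.cs",
                                     "region": {"startLine": 9, "startColumn": 17}}}]},
      {"ruleId": "S1118", "level": "warning", "message": "constructed message",
       "locations": [{"resultFile": {"uri": "file:///C:/src/CSharpProject/Program.cs",
                                     "region": {"startLine": 4, "startColumn": 11}}}]},
      {"ruleId": "CS8019", "level": "info", "message": "constructed message",
       "locations": [{"resultFile": {"uri": "file:///C:/src/CSharpProject/Program.cs",
                                     "region": {"startLine": 1, "startColumn": 1}}}]}
    ]
  }]
}"""


def active_rules(ruleset_xml):
    """Rule ids the ruleset actually turns on (anything but Action="None")."""
    root = ET.fromstring(ruleset_xml)
    return {rule.get("Id") for rule in root.iter("Rule")
            if rule.get("Action", "None") != "None"}


def reported_issues(roslynca_json):
    """(ruleId, file uri, start line) for every result in the SARIF 1.0 log."""
    log = json.loads(roslynca_json)
    issues = []
    for run in log.get("runs", []):
        for result in run.get("results", []):
            locations = result.get("locations") or [{}]
            where = locations[0].get("resultFile", {})
            issues.append((result.get("ruleId"),
                           where.get("uri", "?"),
                           where.get("region", {}).get("startLine", 0)))
    return issues


def cross_check(ruleset_xml, roslynca_json):
    """Compare what the scanner asked for with what the build actually reported."""
    active = active_rules(ruleset_xml)
    counts = Counter(rule for rule, _, _ in reported_issues(roslynca_json))
    return {
        "active_rules": sorted(active),
        "issues_per_rule": dict(counts),
        # Active rules that never fired: either the injected bug does not
        # trigger them, or the analyzer did not run for this project.
        "active_rules_without_issues": sorted(active - set(counts)),
        # Results whose rule is not in the ruleset (compiler diagnostics, other
        # analyzers, or a stale ruleset); not relevant to injected Sonar bugs.
        "issues_outside_ruleset": sorted(set(counts) - active),
    }


if __name__ == "__main__":
    print(json.dumps(cross_check(SAMPLE_RULESET, SAMPLE_ROSLYNCA_JSON), indent=2))
```

Point active_rules at the ruleset under .sonarqube\conf and reported_issues at each XXX.RoslynCA.json. A rule you injected a bug for that shows up in active_rules_without_issues was not detected at build time, so the cause lies before the End step (the analyzer not running, or the code not actually triggering the rule); a rule that is missing from active_rules altogether points at the quality profile or the Begin step instead.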
My project is analysed by SonarQube for every VCS check-in and I have observed some strange behavior:
The dependency cycle-count changes to extremes every now and then.
When viewing the details (e.g. clicking the link) the old (smaller number) value is displayed. What could be the cause of this?
This feature has been dropped from the SonarQube platform in version 5.2, so even if there might be some flaws in this on the SonarJava analyzer side, there is no point making an effort to fix them, as this will be dropped when it moves to LTS version 5.x.
See this ticket for a detailed explanation: https://jira.sonarsource.com/browse/SONAR-6553
I upgraded sonarqube to 5.2. I replaced the old instance with a new instance, so the old configuration was deleted and replaced.
I have several custom fxcop rules.
When running the analysis, I am getting the following error.
ERROR: Error during Sonar runner execution
ERROR: Unable to execute Sonar
ERROR: Caused by: Unable to find the rule key corresponding to the rule config key "HSI1009" in repository "fxcop".
This is caused by empty entries in the Sonar-created fxcop-sonarqube.ruleset file.
Does anyone know if this is a bug or some error on my end? I did not have these sorts of issues before the 5.2 upgrade, but I am unable to go back due to reliance on some plugins using 5.2.
I was only able to fix this by downgrading back to SonarQube 5.1.2. Even though I am using the same C# plugin (5.0) and the same runner version (2.5), upgrading to SonarQube 5.2 and up broke custom fxcop rules.
This problem has been fixed with the SonarQube Scanner for MSBuild v1.0.2+: https://jira.sonarsource.com/browse/SONARMSBRU-151
Also be sure to run the SQ Scanner for MSBuild in a .NET 4.5.2 context.
After upgrading Sonar to 4.2, I have errors on some projects with these logs:
The resource '...' is duplicated in database
I had to manually remove the duplicate lines in the database, as I didn't know which snapshot provokes this behavior, or if it's due to the database upgrade.
I hope to understand what has been going on, as I should upgrade other Sonar servers to version 4.2.
The issue you're facing relates to a bug that we're currently investigating. Follow this thread of discussion to get news about the fix: http://sonar.markmail.org/thread/rgpwforpxm6elnc7