arkay

Reputation: 159

Sonar is showing new violations in old code

We are using Sonar Qube 6.7.3 and sonar-java-plugin 5.3

We have made below changes to our sonar configuration recently

  1. Enabled new rules
  2. Changed configuration to include byte code (changed from 'clean sonar:sonar' to 'clean package sonar:sonar')

We are using sonar svn plugin and provide valid credentials to it.

I understand providing byte code to Sonar will help it identify more issues, but I expect Sonar to flag new issues based on the svn code commit date and the last analysis date, and it is not.

Please let me know why it is flagging issues in old code as new?

Upvotes: 3

Views: 3260

Answers (1)

agabrys

Reputation: 9116

Sonar Scanner always scans the entire code base. If somebody has decided that some code structures are wrong or dangerous (the ruleset has been changed), then SonarQube has to notify about all occurrences of that code. Why? Let's think about the following example:

After a plugin upgrade, SonarQube provides a new very important security rule which forbids the use of a dangerous cipher algorithm. Now is the question:

  • is it only dangerous in new code?
  • is it always dangerous?

Of course, it is always dangerous. SonarQube doesn't force you to fix everything (usage of the quality gates is optional). Its main goal is to let you know how many problems (code smells/bugs/vulnerabilities) exist in the whole code base.

Upvotes: 3
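As an added illustration (not code from the question or the answer) of the kind of finding the answer describes: a legacy DES/ECB helper that a newly enabled weak-cipher rule would report in old code, beside a hardened AES-GCM version that keeps the analysis clean. Which sonar-java rule key fires is not stated on the page, so none is named here.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class CipherExample {

    // Legacy code: DES in ECB mode. It passed earlier analyses only because no
    // weak-algorithm rule was active; once such a rule is enabled, SonarQube
    // reports every occurrence regardless of the commit date.
    static byte[] legacyEncrypt(byte[] plaintext) throws Exception {
        SecretKey key = KeyGenerator.getInstance("DES").generateKey();
        Cipher cipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return cipher.doFinal(plaintext);
    }

    // Hardened form: AES-256 in GCM mode with a fresh random 96-bit nonce and a
    // 128-bit authentication tag. The nonce is prepended to the ciphertext.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // Decryption reads the nonce back from the first 12 bytes; a tampered
    // ciphertext or tag makes doFinal throw AEADBadTagException.
    static byte[] decrypt(SecretKey key, byte[] data) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, data, 0, 12));
        return cipher.doFinal(data, 12, data.length - 12);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        // Constructed sample input for the demonstration.
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        byte[] boxed = encrypt(key, msg);
        System.out.println(new String(decrypt(key, boxed), StandardCharsets.UTF_8));
    }
}
```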
