Issue management solution overview
This page explains: how SonarCloud identifies, assigns, and synchronizes issues; the issue lifecycle; and the issue-related features and concepts deprecated in this version.
Issue identification and assignment by SonarCloud
For each code file:
- SonarCloud checks if the file has been renamed.
- SonarCloud determines:
- Whether an issue found during the current analysis is new or existed previously.
- If an issue found during the previous analysis has been fixed.
- For each new issue:
- SonarCloud determines and sets the issue date. The issue date is the analysis date except in some cases where issue backdating to the line commit date is necessary.
- SonarCloud tries to automatically assign the issue to an appropriate SonarCloud user.
Method used to identify if an issue is new
SonarQube and SonarCloud use the same algorithm to determine whether an issue is new or existed previously:
- For each issue found in the file from the previous analysis, it compares it to each issue found in this file during the current analysis:
- If there is no match then it considers the issue as Fixed.
- If there is a match and the issue status is Fixed in the previous analysis then it reopens the issue.
- For each issue found in the file during the current analysis, if there is no matching issue in the file from the previous analysis then it is considered new.
This algorithm relies on the issue's line hash. The line hash is calculated based on the content of the first line the issue is reported on, excluding the white spaces.
The figure below shows the comparison process between two issues.
Issue backdating (new issues raised on old code)
In some corner cases, new issues (issues that didn't exist in the previous analysis) may be detected on old code (code outside of the new code definition period). This may be the case, for instance, if the issue has existed in code for a long time but was only found in the most recent analysis because new rules were added to the quality profile. In such cases, SonarCloud doesn't apply the analysis date as the issue date but uses backdating so that it can correctly identify whether the new issue is to be reported on new code or old code (overall code).
If the date of the last change to the line is available then SonarCloud will backdate to this date an issue identified as new in the following cases:
- On the first analysis of a project or branch.
- When the rule is new in the quality profile (a brand new rule activated or a rule that was deactivated and is now activated) or when a rule parameter was changed.
- When SonarCloud has just been upgraded (because rule implementations could be smarter now).
- When the rule is external (rule managed and applied by an external, third-party analyzer).
- Previously excluded files are now analyzed.
During a pull request analysis, new issues on old code are not reported since only new code issues are reported. It means that the first analysis on the target branch after the merge may report new issues on old code that were not reported by the pull request analysis.
Automatic issue assignment
SonarCloud automatically assigns an issue during analysis to the last committer on the issue line - called issue author - if the author can be correlated to a SonarCloud user.
Login and email correlations between SCM account and SonarCloud user are made automatically. For example, if the user commits with their email address and that email address is part of their SonarCloud user profile, then new issues raised on lines where the user was the last committer will be automatically assigned to the user.
- Currently, issues on any level above a file, for example, issues reported at a directory or project level, cannot be automatically assigned.
- If the SCM login associated with an issue is longer than 255 characters including the characters for an issue author, the author will be left blank.
- Several SCM accounts can be added to a user profile.
Issue life cycle
An issue can have the following statuses:
- Open: initial value after the first analysis. A user can reopen an Accepted or False positive issue.
- Accepted: set by an authorized user if they
decide to fix the issue later or not fix the issue.
SonarCloud ignores accepted issues in the ratings of the code but displays the number of accepted issues in the various analysis snapshots in the UI. - False positive: set by an authorized user if the analysis is mistaken.
SonarCloud ignores False positive issues in the quality reports and ratings of the code. - Fixed: set by SonarCloud after a subsequent analysis if the previously open issue has been fixed in the code (is no longer being detected).
By default, Fixed issues are purged after 30 days. This is set in Housekeeping.
If users tend to mark a lot of issues as False positive, it means that some coding rules are not appropriate for the project. In that case, rules can be deactivated in quality profiles, or the analysis scope of the project can be adjusted to exclude files.
The figure below shows the issue life cycle.
Was this page helpful?
© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.
