Maven Sonar analysis randomly resetting quality profile to default


romain.rou...@gfi.fr

Jan 22, 2018, 1:08:47 PM
to SonarQube
Hi,

I guess I've found a bug in the way the sonar-scanner-engine handles shutdown SonarQube servers when retrieving a project's quality profile.
I am personally randomly facing the exact same problem and finally managed to reproduce the issue.

How to reproduce:
1) Let P be an existing project, with former analyses along with issue statuses saved, and its java profile set as desired-profile
2) Stop SonarQube server
3) Start new analysis using sonar-maven-plugin in debug mode (breakpoint set to org.sonar.batch.repository.DefaultProjectRepositoriesLoader.load(String, boolean))
4) Step return out of load method (you can see here that a brand new org.sonar.batch.repository.ProjectRepositories is returned)
5) Now start SonarQube server
6) Disconnect debug process

The analysis resumes with the default java quality profile set, but not even the slightest hint of alert is logged. At the end of the process, it is being sent to the up-and-running server but the analysis is saved with issues that are not part of the quality profile desired-profile.
Even worse, the statuses of previously managed issues are reset.
In real life, this may occur when SonarQube is under maintenance or is restarting.

Could you please file a bug?

SonarQube version: 5.6.3
sonar-maven-plugin: 3.4.0.905

Thanks

Romain

Julien HENRY

Jan 29, 2018, 3:16:32 AM
to SonarQube
Hi Romain,

I'm really surprised by your reproducer. If SonarQube server is stopped at step 2, then running mvn sonar:sonar should fail long before reaching DefaultProjectRepositoriesLoader. Here is the first HTTP call made by scanners:
https://github.com/SonarSource/sonar-scanner-api/blob/842a7cbc4b41d46387c96ced8f96bea59131c011/api/src/main/java/org/sonarsource/scanner/api/internal/BootstrapIndexDownloader.java#L39
You can see all HTTP calls made by scanners by running in verbose mode (mvn sonar:sonar -X).

Also, DefaultProjectRepositoriesLoader will return an empty ProjectRepositories only when the call to /batch/project.protobuf?key=<projectKey> returns a 404. Again, if your SonarQube server is properly stopped, I don't expect a 404 to be returned.

++

Julien

My guess is that you have a proxy/load balancer/... in front of your SonarQube server that is not correctly configured. When the SonarQube server is down, it should not return cached content nor 404.
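
The failure discussed in this thread (a front end answering 404 or cached content while the server behind it is down) can be caught by a pre-flight check run before the analysis starts. The following is an added example, not part of the thread and not SonarSource code: it assumes the server's /api/system/status endpoint, and the function names and local stub servers are constructed for illustration.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Direct connection: ignore client-side proxy environment variables.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def server_is_up(base_url, timeout=5):
    """Return (ok, reason); ok is True only for HTTP 200 with JSON status UP."""
    # Assumption: the server exposes GET /api/system/status (not named in the thread).
    url = base_url.rstrip("/") + "/api/system/status"
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as exc:
        # e.g. the 404 a front end answers while the server behind it is down
        return False, "HTTP %d from %s" % (exc.code, url)
    except OSError as exc:  # URLError, refused connection, timeout
        return False, "cannot connect: %s" % exc
    try:
        status = json.loads(body.decode("utf-8")).get("status")
    except (ValueError, AttributeError):
        return False, "answer is not the expected JSON (cached or error page?)"
    return status == "UP", "status=%s" % status

def _stub(code, body):
    """Constructed local stand-in that answers every GET with the same reply."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(code)
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):  # keep the demo quiet
            pass
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_port

def demo():
    # Four constructed endpoints: only the first should allow an analysis.
    cases = {"healthy": (200, b'{"status":"UP"}'),
             "starting": (200, b'{"status":"STARTING"}'),
             "proxy_404": (404, b"not found"),
             "proxy_page": (200, b"<html>maintenance</html>")}
    return {name: server_is_up(_stub(*reply))[0] for name, reply in cases.items()}

if __name__ == "__main__":
    print(demo())
```

In a CI job, the check would run immediately before mvn sonar:sonar and fail the job whenever ok is False.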