 

How to analyse only new added lines of code?

Tags:

sonarqube

I want to use SonarQube on my project. The project is quite big and scanning whole files takes much time. Is it possible to scan only the files changed in the last commit, and provide a report based only on the changed lines of code? I want to check whether added or modified lines make the project quality worse, and I don't care about old code.

For example, if person A created a file with 9 bugs and then committed the changes, the report and quality gate should show 9 bugs. Then person B edited the same file, adding a few lines containing 2 additional bugs, and committed the changes; the report should show only the 2 latest bugs and the quality gate should be executed on the latest changes (so it should consider only the last 2 bugs).

I was able to narrow the scan to only the files changed in the last commit, but the report is generated based on whole files. I had an idea of cutting out only the changed lines of code, pasting them into a new file and running a sonar scan on that file, but I'm almost sure SonarQube needs the whole context of the file.

Is it possible to somehow achieve my use case?

herber asked Jan 01 '23 00:01


1 Answer

No, it is impossible. I saw a lot of similar questions. These are answers to two of them:

New Code analysis only:

G Ann Campbell:

Analysis will always include all code. Why? Why take the time to analyze all of it when only a file or two has been changed? Because any given change can have far-reaching effects. I’ll give you two examples:

I check in a change that deprecates a much-used method. Suddenly, issues about the use of deprecated code should be raised all over the project, but because I only analyzed that one file, no new issues were raised.

I modify a much-used method to return null in some cases. Suddenly all the methods that dereference the returned value without first null-checking it are at risk of NullPointerExceptions. But only the one file that I changed was analyzed, so none of those “Possible NPE” issues are raised. Worse, they won’t be raised until after each individual file happens to be touched.

And that’s why all files are included in each analysis.

I want sonar analysis on newly checkin code:

G Ann Campbell:

First, the SonarQube interface and default Quality Gate are designed to help you focus on the New Code Period. You can’t keep analysis from picking up those old issues, but you can decide to only pay attention to issues raised on newly-changed code. That means you would essentially ignore the issues on the left side of the project homepage with a white background and focus instead on the New Code values over the yellow background on the right. We call this Fixing the Leak, or alternately Clean as You Code.

Second, if you have a commercial edition, then branch and PR analysis are available to you. Short-Lived Branch (SLB) and PR analysis still cover all files, but all that's reported in the UI is what's changed in the PR / SLB.

Ideally, you’ll combine both of these things to make sure your new code stays clean.

The position on this matter has not changed over the last few years, so don't expect it to change.

agabrys answered Jan 24 '23 09:01
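The "Clean as You Code" approach in the answer above, as an added example that is not part of the original post or of SonarQube itself: the analysis still covers every file and reports the old issues, so the place to enforce "only new code matters" is the quality-gate check that a CI job runs after the scan. SonarQube exposes the gate result through its Web API at `api/qualitygates/project_status`; the JSON below imitates the shape of that response (a `projectStatus` object with a list of `conditions`, where new-code conditions carry a `periodIndex` and metric keys prefixed `new_`). The sample responses are constructed for this example and the `fetch_project_status` helper, the hypothetical `SONAR_TOKEN` authentication and the exact field set are assumptions, not verified against a live server.

```python
"""
Added example (not from the original post and not SonarQube's own code):
evaluate a SonarQube quality-gate result the "Clean as You Code" way.
Full analysis always reports the legacy issues; this script looks only at
the gate conditions scoped to the New Code Period and fails the build on
those alone, matching the question's scenario of caring about person B's
2 new bugs while ignoring person A's 9 old ones.
"""
import base64
import json
import urllib.request

# Constructed sample data, not a real server response: what a gate result
# could look like after person B's commit. The overall "bugs" condition
# fails because of the old code; the new-code condition fails because of
# the 2 bugs introduced in the latest changes.
SAMPLE_NEW_BUGS = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "ERROR", "metricKey": "bugs", "comparator": "GT",
             "errorThreshold": "0", "actualValue": "11"},
            {"status": "ERROR", "metricKey": "new_bugs", "comparator": "GT",
             "periodIndex": 1, "errorThreshold": "0", "actualValue": "2"},
            {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
             "periodIndex": 1, "errorThreshold": "80", "actualValue": "85.0"},
        ],
    }
})

# Constructed sample: only legacy debt fails, new code is clean.
SAMPLE_LEGACY_ONLY = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "ERROR", "metricKey": "bugs", "comparator": "GT",
             "errorThreshold": "0", "actualValue": "9"},
            {"status": "OK", "metricKey": "new_bugs", "comparator": "GT",
             "periodIndex": 1, "errorThreshold": "0", "actualValue": "0"},
        ],
    }
})


def new_code_conditions(response_json):
    """Return only the gate conditions that measure the New Code Period.

    SonarQube marks those with a periodIndex; the metric key prefix
    "new_" is checked as well so the filter survives responses that omit
    the index (assumption, see lead-in).
    """
    status = json.loads(response_json)["projectStatus"]
    return [c for c in status["conditions"]
            if "periodIndex" in c or c["metricKey"].startswith("new_")]


def failing_new_code_conditions(response_json):
    """The new-code conditions whose status is ERROR."""
    return [c for c in new_code_conditions(response_json)
            if c["status"] == "ERROR"]


def clean_as_you_code_verdict(response_json):
    """'OK' when every new-code condition passes, 'ERROR' otherwise.

    Deliberately ignores projectStatus.status, which also reflects
    conditions on the whole code base (the old issues we do not care about).
    """
    return "ERROR" if failing_new_code_conditions(response_json) else "OK"


def describe_failures(response_json):
    """Human-readable lines for a CI log, one per failing new-code condition."""
    return [f"{c['metricKey']} is {c['actualValue']} "
            f"({c['comparator']} {c['errorThreshold']})"
            for c in failing_new_code_conditions(response_json)]


def fetch_project_status(base_url, project_key, token):
    """Fetch the live gate result. Assumption: a user token sent as the
    basic-auth username with an empty password, which is how SonarQube
    tokens are commonly supplied; not exercised in this offline example."""
    url = f"{base_url}/api/qualitygates/project_status?projectKey={project_key}"
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for name, sample in (("new bugs", SAMPLE_NEW_BUGS),
                         ("legacy only", SAMPLE_LEGACY_ONLY)):
        print(name, "->", clean_as_you_code_verdict(sample),
              describe_failures(sample))
```

In a pipeline you would call `fetch_project_status` after the scanner finishes, pass the body to `clean_as_you_code_verdict`, and make the job exit non-zero only on `ERROR`; the legacy-only sample passes even though the server's overall gate status is `ERROR`, which is exactly the "focus on the New Code values" behaviour the answer describes.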