Active vs. passive rule violations

Hi there,

I am currently introducing SonarQube as part of our delivery pipelines. It should act as a build breaker if a PullRequest contains bugs or changes that are not compliant with our quality gate. We have a large existing codebase. Thus there are a lot of already existing issues which are now detected by SonarQube (which is great. I love SonarQube. It is an awesome tool). After introducing SonarQube as a build breaker we ran into a problem which brought me to an idea for a new feature that would improve SonarQube even more.

Here is the scenario:

Due to our existing codebase we have a lot of violations of rules like “Cognitive Complexity” or “Too many method parameters”. While I absolutely agree that these rules are some of the most valuable rules in SonarQube to ensure maintainability of a codebase, it creates a problem for us. Developers are enhancing or fixing things in a method which already has a “Cognitive Complexity” of e.g. 60 where 15 is the threshold. Thus this developer is now forced to refactor that method though he might have only added a log statement. In the perfect world I’d agree that she should do it immediately and get rid of that tech debt. But in our reality this is not always possible. Thus we struggle with having a rule like “Cognitive Complexity” as a build breaker rule for new code.

Long story short, here is my suggestion: What if SonarQube could differentiate between active and passive rule violations? I.e. in the concrete example it computes the cognitive complexity of the code as it was before a change and after the change. If the complexity has increased then we have an active rule violation. In that case the developer should be forced to fix the issue. If the complexity has not changed then I’d call that a passive rule violation. The developer has changed some code but not added complexity. He might even have decreased the complexity from 60 to 40, which would be a move in the right direction. In such a case it would be great to be able to configure rules like “Cognitive Complexity” to consider “active” rule violations only.

What do you think? Does this make sense? For us it would be a great enhancement of SonarQube in order to apply it on already existing codebases.

Best regards
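The before/after comparison the post proposes, as an added example that is not part of the original post and not SonarQube's own analyzer. It assumes a deliberately simplified reimplementation of the cognitive complexity metric for Python (control-flow constructs cost 1 plus their nesting depth, else/elif branches a flat 1, each run of boolean operators 1), constructed sample versions of a function named `handle`, and the threshold of 15 quoted in the post. A gate using it would fail the build only when the verdict is "active".

```python
import ast

THRESHOLD = 15  # the threshold quoted in the post


class CognitiveComplexity(ast.NodeVisitor):
    """Simplified approximation of cognitive complexity (assumption: not SonarQube's
    implementation). Loops, if, except: +1 plus current nesting, and they nest;
    else/elif: flat +1; each and/or sequence: +1."""

    def __init__(self):
        self.score = 0
        self.nesting = 0

    def _nested(self, node):
        self.score += 1 + self.nesting
        self.nesting += 1
        self.generic_visit(node)
        self.nesting -= 1

    visit_For = visit_While = visit_ExceptHandler = _nested

    def visit_If(self, node, is_elif=False):
        # `if` costs 1 + nesting; an `elif` costs a flat 1, no nesting penalty
        self.score += 1 if is_elif else 1 + self.nesting
        self.visit(node.test)
        self.nesting += 1
        for stmt in node.body:
            self.visit(stmt)
        self.nesting -= 1
        if len(node.orelse) == 1 and isinstance(node.orelse[0], ast.If):
            self.visit_If(node.orelse[0], is_elif=True)
        elif node.orelse:
            self.score += 1  # plain `else`: flat increment
            self.nesting += 1
            for stmt in node.orelse:
                self.visit(stmt)
            self.nesting -= 1

    def visit_BoolOp(self, node):
        self.score += 1  # one increment per and/or sequence
        self.generic_visit(node)


def cognitive_complexity(source: str, func_name: str) -> int:
    """Score one function definition found in `source`."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef) and node.name == func_name:
            visitor = CognitiveComplexity()
            for stmt in node.body:
                visitor.visit(stmt)
            return visitor.score
    raise ValueError(f"function {func_name!r} not found")


def classify(before: int, after: int, threshold: int = THRESHOLD) -> str:
    """'ok' below the threshold; 'active' if the change raised the metric;
    'passive' if it is still over the threshold but did not get worse."""
    if after <= threshold:
        return "ok"
    return "active" if after > before else "passive"


def review(before_src: str, after_src: str, func_name: str, threshold: int = THRESHOLD) -> dict:
    before = cognitive_complexity(before_src, func_name)
    after = cognitive_complexity(after_src, func_name)
    return {"before": before, "after": after, "verdict": classify(before, after, threshold)}


# Constructed sample: a method that is already over the threshold (score 19).
BEFORE = '''\
def handle(events, verbose):
    count = 0
    for event in events:
        if event.kind == "login" and event.ok:
            for attempt in event.attempts:
                if attempt.failed:
                    if verbose:
                        count += 2
                    else:
                        count += 1
                elif attempt.locked:
                    count += 3
        elif event.kind == "logout":
            count -= 1
    return count
'''
# Only a log statement added: same complexity, a passive violation.
AFTER_PASSIVE = BEFORE.replace("    count = 0\n", '    print("handling", len(events))\n    count = 0\n')
# An extra condition added: complexity rises, an active violation.
AFTER_ACTIVE = BEFORE.replace("if verbose:", "if verbose and attempt.user:")
# Two branches removed: still over the threshold, but moving the right way.
AFTER_IMPROVED = BEFORE.replace("                    else:\n                        count += 1\n", "") \
                       .replace("                elif attempt.locked:\n                    count += 3\n", "")

if __name__ == "__main__":
    for label, after in [("log only", AFTER_PASSIVE), ("new condition", AFTER_ACTIVE), ("simplified", AFTER_IMPROVED)]:
        print(label, review(BEFORE, after, "handle"))
```

The verdict depends only on the delta relative to the base branch, so a pull request that merely touches an over-complex method passes, while one that makes it worse is the one the gate blocks.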