SQ 8.8 Developer edition.
My question concerns best practice on new code.
We are using SQ to decorate PR’s within a Bitbucket server + Bamboo stack to ensure feature branch commits are clean. We have a “no high severity annotations may be present” SQ report requirement enforced through Bitbucket’s SQ integration. Therefore the main branch (develop) used for the Quality Gate in SonarQube should just be an aggregate of passed/clean PR feature branches.
However, because we have a mix of new projects, and also onboarded some very old projects with code several years old, I don’t want to fail the quality gate on old code. We have gone through and remediated security issues, but now I don’t want to report on anything else that is old.
After reading the documentation, I’m wondering if setting a “Previous Version” new code period would become a bit of a pain to maintain and track for 20+ projects. From what I can tell it requires passing the sonar.projectversion variable from the build job and maintaining that version setting. Instead I’m wondering if it would be a viable option to use the “Reference Branch” setting, select “develop” as the reference branch, and then set the develop branch new code definition to 90 days? Is there any pitfalls with that approach I should consider?
The PR decoration ideally should catch everything. I’m just looking for an easy to maintain strategy to double check the Develop branch stays clean.
We’ve historically said that “Previous Version” is the recommended setting if you have the version info readily available. It sounds like you might not. By chance are all the projects on the same build mechanism? I ask because, if using Maven, the SonarScanner for Maven will auto-detect the version info from the Maven pom.xml file in each project. If not using Maven or using a mixture of build tech across the projects, that might not help you much.
In which case I agree, what you suggest sounds like quite a reasonable option.
Thank you for the reply. Everything is on a Bamboo server which we use the MSBuild SQ scanner for. If we go this Number of Days route, is there any real difference between just selecting Administration → New code → Number of days versus the longer route I mentioned in my original post where I declare the Develop branch as the Reference Branch first and then set it’s number of days value? Seems like same outcome or am I missing something?
I’m glad you followed up because I might have slightly misunderstood your original post.
Setting develop as the reference branch makes sense for other branches (that are not develop) if what you want is for New Code on those branches to start from when that branch diverged from develop. It doesn’t matter what the New Code period setting is on the develop branch itself. In other words, the setting Reference Branch doesn’t mean “use the New Code Period setting from this branch” at all.
So yes, if you simply want to use 90 days everywhere, set it under the top-level Administration and let all your projects inherit it.