SQ 8.8 Developer edition.
My question concerns best practice on new code.
We are using SQ to decorate PRs within a Bitbucket server + Bamboo stack to ensure feature branch commits are clean. We have a “no high severity annotations may be present” SQ report requirement enforced through Bitbucket’s SQ integration. Therefore the main branch (develop) used for the Quality Gate in SonarQube should just be an aggregate of passed/clean PR feature branches.
However, because we have a mix of new projects, and also onboarded some very old projects with code several years old, I don’t want to fail the quality gate on old code. We have gone through and remediated security issues, but now I don’t want to report on anything else that is old.
After reading the documentation, I’m wondering if setting a “Previous Version” new code period would become a bit of a pain to maintain and track for 20+ projects. From what I can tell, it requires passing the sonar.projectVersion variable from the build job and maintaining that version setting. Instead, I’m wondering if it would be a viable option to use the “Reference Branch” setting, select “develop” as the reference branch, and then set the develop branch new code definition to 90 days. Are there any pitfalls with that approach I should consider?
The PR decoration ideally should catch everything. I’m just looking for an easy-to-maintain strategy to double-check the Develop branch stays clean.