Analysis Pass even when there were 1000s of bugs, Vulnerabilities

  • which versions are you using (SonarQube, EE 9)
  • how is SonarQube deployed: Docker
  • what are you trying to achieve :
    Ran an initial scan (first time). The result was about 1000s of bugs, vulnerabilities, Hotspots Reviewed: E.
    All that clearly indicates this is a FAIL

But the quality gate status has showed up as Passed.

  • what have you tried so far to achieve this.
    The default sonarway quality gate was used for the scan
1 Like

Hey there.

Seeing such a large number of bugs and vulnerabilities while receiving a passing Quality Gate might be initially confusing, but everything is actually functioning as designed! This scenario is a common experience when performing a first analysis on an existing codebase.

To clarify, when you run an initial scan on your codebase, SonarQube uncovers and reports on all the existing issues - hence the thousands of issues you’re seeing. Now, you might ask, “Should we fix all these issues?”

Well, you could, but fixing all of them immediately isn’t necessarily the best strategy. Attending to each one would take a significant amount of time and resources, especially considering that much of this code may have been untouched for a long time and is potentially functioning well despite the identified issues. Dedicating resources to correct these issues could divert your team’s attention from more pressing tasks, such as developing new features or enhancing existing ones.

This is where the concept of “Clean As You Code” comes into play. SonarQube promotes this approach, which primarily focuses on maintaining high quality in the new code that’s being written. This doesn’t mean you should completely ignore existing issues, but it prioritizes dealing with issues in the code that’s currently being worked on and modified.

As the name suggests, “Clean As You Code” encourages developers to take ownership and ensure the cleanliness of their new code, making sure any new work is free from issues. As you continue developing and modifying your codebase, sections of the older, existing code will naturally get touched, refactored, and cleaned. In this way, “New Code” can also encompass updated old code.

So, in the face of thousands of identified issues, don’t panic. Your Quality Gate is passing because the new code you’ve written meets the quality standards. SonarQube is doing its job, helping you focus on maintaining and improving code quality incrementally, rather than getting overwhelmed by the prospect of fixing all the existing issues at once.

As you add code to your codebase and continue to scan your code, you’ll see better the separation between “New Code” and “Overall Code”.

I hope this helps explain the situation better.

2 Likes

Thank you for the response @Colin
That makes sense.

Does it also mean that new code will not fail the quality gate if any of the issues (or violations of the same rule that failed before) exist in the newer code too?

For example: If a developer starts writing new code on his new branch and unknowingly introduces some bugs that violate the same rule/rules that have already been violated before (the first scan).
Will this scan also not FAIL?

Apart from communication/collaboration/awareness on existing issues in the application, so that new developers don't introduce the same bugs, what other strategies do you recommend teams follow to fix these issues so that there isn't a huge tech debt to address later?

Note: Not every developer might go and check the sonar dashboard and see the bugs/issues.

1 Like

Hi Sam,

I will try to answer your questions:

Does it also mean that new code will not fail the quality gate if any of the issues (or violations of the same rule that failed before) exist in the newer code too?

For example: If a developer starts writing new code on his new branch and unknowingly introduces some bugs that violate the same rule/rules that have already been violated before (the first scan).
Will this scan also not FAIL?

A new occurrence of the bug (rule violation) will fail the quality gate in this case, because this new bug makes the new/changed code unclean. Unless this specific rule is turned off in the Quality Profile, SonarQube will continue to detect new occurrences of it in new code and will fail the Quality Gate.

One thing to note here is that SonarQube will allow a small amount of code smells in new code. So you may notice that the Quality Gate is not failing even though there are a few code smells. However, having a single bug or vulnerability in new code is enough to fail a CaYC-compliant quality gate. You may read more here.

Apart from communication/collaboration/awareness on existing issues in the application, so that new developers don’t introduce the same bugs, what other strategies do you recommend teams follow to fix these issues so that there isn’t a huge tech debt to address later?

Clean as You Code (CaYC) practice brings two positive effects to your team:

  1. All ‘new code’ from the date of adoption of this methodology is clean from debt.
  2. Debt in old code gets cleaned organically as you touch important areas of the code or as code leaves the repository as Ann is explaining in her blog post here.

My recommendation would be to let CaYC do its job and worry less about old issues if possible. This will help your development team focus on what is most important.

Extra:
You might find Liz Ryan’s blog post on Learn as You Code interesting.

Now a question from my side:
Apart from addressing overall debt, do you have any other motivation to clean the old code?

1 Like
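To make the behaviour described in the reply above concrete (only issues in new code count toward the gate; a single new bug or vulnerability fails it even when the same rule is already violated thousands of times in old code; a few new code smells are tolerated), here is an added Python model of a CaYC-style gate. It is not SonarQube's own code: the rule keys, dates, issue counts and the code-smell threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Issue:
    rule: str         # constructed rule key, not a real SonarQube rule id
    kind: str         # "BUG", "VULNERABILITY" or "CODE_SMELL"
    introduced: date  # date the offending line was last changed

# Constructed assumption: how many new code smells the gate tolerates
MAX_NEW_CODE_SMELLS = 3

def split_new_code(issues, new_code_since):
    """Partition issues: 'new code' is anything changed on/after the period start."""
    new = [i for i in issues if i.introduced >= new_code_since]
    old = [i for i in issues if i.introduced < new_code_since]
    return new, old

def evaluate_gate(issues, new_code_since):
    """Return (status, reasons). Issues in old code never affect the status."""
    new, _old = split_new_code(issues, new_code_since)
    reasons = []
    blocking = [i for i in new if i.kind in ("BUG", "VULNERABILITY")]
    if blocking:  # one new bug or vulnerability is enough to fail
        rules = ", ".join(sorted({i.rule for i in blocking}))
        reasons.append(f"{len(blocking)} new bug/vulnerability issue(s): {rules}")
    smells = [i for i in new if i.kind == "CODE_SMELL"]
    if len(smells) > MAX_NEW_CODE_SMELLS:
        reasons.append(f"{len(smells)} new code smells (> {MAX_NEW_CODE_SMELLS})")
    return ("FAILED" if reasons else "PASSED"), reasons

# Constructed legacy backlog: thousands of issues, all older than the new-code period
ADOPTION = date(2024, 1, 1)   # start of the new-code period (constructed)
LEGACY = ([Issue("demo:sql-concat", "VULNERABILITY", date(2019, 5, 3))] * 1000
          + [Issue("demo:null-deref", "BUG", date(2020, 8, 9))] * 200
          + [Issue("demo:long-method", "CODE_SMELL", date(2021, 2, 2))] * 500)

def first_scan():
    """First analysis: 1700 issues overall, none in new code -> gate PASSED."""
    return evaluate_gate(LEGACY, ADOPTION)

def scan_with_repeated_violation():
    """A new branch re-violates a rule already broken 1000 times -> gate FAILED."""
    new_work = [Issue("demo:sql-concat", "VULNERABILITY", date(2024, 3, 15)),
                Issue("demo:long-method", "CODE_SMELL", date(2024, 3, 15))]
    return evaluate_gate(LEGACY + new_work, ADOPTION)

if __name__ == "__main__":
    for name, fn in (("first scan", first_scan), ("repeat violation", scan_with_repeated_violation)):
        status, reasons = fn()
        print(f"{name}: {status} {reasons}")
```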