Seeing such a large number of bugs and vulnerabilities while receiving a passing Quality Gate might be initially confusing, but everything is actually functioning as designed! This scenario is a common experience when performing a first analysis on an existing codebase.
To clarify, when you run an initial scan on your codebase, SonarQube uncovers and reports on all the existing issues - hence the thousands of issues you’re seeing. Now, you might ask, “Should we fix all these issues?”
Well, you could, but fixing all of them immediately isn’t necessarily the best strategy. Attending to each one would take a significant amount of time and resources, especially considering that much of this code may have been untouched for a long time and is potentially functioning well despite the identified issues. Dedicating resources to correct these issues could divert your team’s attention from more pressing tasks, such as developing new features or enhancing existing ones.
This is where the concept of “Clean As You Code” comes into play. SonarQube promotes this approach, which primarily focuses on maintaining high quality in the new code that’s being written. This doesn’t mean you should completely ignore existing issues, but it prioritizes dealing with issues in the code that’s currently being worked on and modified.
As the name suggests, “Clean As You Code” encourages developers to take ownership and ensure the cleanliness of their new code, making sure any new work is free from issues. As you continue developing and modifying your codebase, sections of the older, existing code will naturally get touched, refactored, and cleaned. In this way, “New Code” can also encompass updated old code.
So, in the face of thousands of identified issues, don’t panic. Your Quality Gate is passing because the new code you’ve written meets the quality standards. SonarQube is doing its job, helping you focus on maintaining and improving code quality incrementally, rather than getting overwhelmed by the prospect of fixing all the existing issues at once.
As you add code to your codebase and continue to scan your code, you’ll see the separation between “New Code” and “Overall Code” more clearly.
I hope this helps explain the situation better.
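As an added illustration (not part of the original post and not SonarQube's own code), the script below reads the JSON shape returned by SonarQube's `api/measures/component` endpoint, prints Overall Code next to New Code, and applies a gate that only looks at the new-code figures. The sample payload is constructed and the gate thresholds are an assumption, not SonarQube's default Quality Gate.

```python
import json

# Constructed sample in the shape of api/measures/component (numbers are made up):
# overall metrics carry "value", new-code metrics carry "period": {"value": ...}.
SAMPLE_RESPONSE = json.dumps({
    "component": {
        "key": "legacy-app",
        "measures": [
            {"metric": "bugs", "value": "1843"},
            {"metric": "vulnerabilities", "value": "312"},
            {"metric": "code_smells", "value": "9120"},
            {"metric": "new_bugs", "period": {"index": 1, "value": "0"}},
            {"metric": "new_vulnerabilities", "period": {"index": 1, "value": "0"}},
            {"metric": "new_code_smells", "period": {"index": 1, "value": "2"}},
        ],
    }
})

# Assumed gate thresholds: no new bugs or vulnerabilities, a few new smells tolerated.
NEW_CODE_LIMITS = {"new_bugs": 0, "new_vulnerabilities": 0, "new_code_smells": 5}


def split_measures(payload: str) -> tuple[dict, dict]:
    """Return (overall, new_code) dicts of metric -> int from a measures payload."""
    overall, new_code = {}, {}
    for m in json.loads(payload)["component"]["measures"]:
        if "period" in m:            # metric computed over the New Code period only
            new_code[m["metric"]] = int(m["period"]["value"])
        else:                        # metric computed over the whole codebase
            overall[m["metric"]] = int(m["value"])
    return overall, new_code


def clean_as_you_code_gate(new_code: dict, limits: dict = NEW_CODE_LIMITS) -> tuple[bool, list]:
    """Pass only if every new-code metric is within its limit; legacy totals are ignored."""
    failures = [k for k, lim in limits.items() if new_code.get(k, 0) > lim]
    return not failures, failures


if __name__ == "__main__":
    overall, new = split_measures(SAMPLE_RESPONSE)
    for metric in ("bugs", "vulnerabilities", "code_smells"):
        print(f"{metric:16} overall={overall[metric]:>6}  new={new['new_' + metric]:>4}")
    ok, bad = clean_as_you_code_gate(new)
    print("Quality Gate:", "PASSED" if ok else f"FAILED on {bad}")
```

Thousands of legacy issues show up in the overall columns, yet the gate passes because only the new-code columns are checked.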