We are currently doing some tests with Sonar 10.6. During these tests I downloaded some backups of Quality Profiles. These backups still contain the “old” severity of the rules. They don’t contain the new severity that was introduced with Sonar 10, and they do not contain any information about the prioritization-of-rules feature, which can make the Quality Gate break.
I also tried to download a regulatory report for one project and there it seems to be the same. All data and lists still contain the “old” severities and none of the new information.
Did I do something wrong or did I miss something? Why is this old data which is deprecated according to the documentation still contained in the backup of the rulesets and the regulatory reports?
ad 1) You are right, if you do the backup just for backup and restore purposes it might not be required to have the new severities in there. But we currently use this feature to save the ruleset that was used for scanning for reporting reasons, e.g. for an audit where we have to show which rules were used for scanning.
Anyhow, for me it is confusing to have the old severity in there, which might not be used any more, even if it is not called severity but priority.
In addition, I tried the regulatory report for our use case. There it is even worse. In the contained quality_profiles.csv there is a value called ‘severity’, but it also contains the old severity. So you have values like Blocker, Critical, … and if you look into the GUI you only find High, Medium, Low…
ad 2) As we are still using Sonar 9 LTS in our productive environment, I only have some prioritized rules for testing purposes in one Quality Profile of my Sonar 10.6 test instance. But if this feature will really be released in the new LTA as it is implemented now, we will not be able to use our own priorities for rules any more to break the QG, and we will need to use the prioritization of rules instead.
So I tried it out, and the information about the prioritization can neither be found in the backup nor in the regulatory report. Or did I miss it somehow?
I don’t think you’ve missed anything, and I think you make a fair point about the data being missing from the regulatory report, and the prioritized rule data being missing from the profile backup. So I’m going to escalate this internally.
So I tried it out, and the information about the prioritization can neither be found in the backup nor in the regulatory report. Or did I miss it somehow?
You are correct, it’s not there (yet). We chose a gradual roll-out of the new severities; the PDF exports (project, security report, and portfolio) and regulatory reports are among the final missing pieces where the old severity is still showing up, and we don’t use new severities. This is planned for SonarQube 10.7, which should be released around end of Q3 (at the time of writing).
Anyhow, for me it is confusing to have the old severity in there, which might not be used any more, even if it is not called severity but priority.
Indeed, and I apologize for the confusion. We’re also looking at this in the context of profile exports.
an audit where we have to show which rules were used to do scanning.
Does this audit require the severity for each rule, or does it only require knowledge of the rules themselves?
We need to save all active rules together with the severity. With Sonar 10.x we will probably also need the information about the prioritization, as we cannot use the severity any more for the quality gate.
Maybe I misunderstood the answer, but I understood that the changes for the missing new severities will come with Sonar 10.7 (in the backup of QPs and in the reports), and for the missing prioritization information Wouter opened a ticket.
But as the ticket for the prioritization information is only about adding it to the backup of QPs and not about adding it to the reports, I was under the impression that this is still missing.
Yes, sorry for the confusion. The other tickets are in a non-public project right now (for reasons I won’t bore you with), but they will become public when we start our sprint on it. Which is why I didn’t share them here; you would only see a dead link. Rest assured, it will happen, highly likely for 10.7 (that’s the current plan), and worst case in 10.8.