- If there's already an existing coding styleguide:
create a blank quality profile and add all the rules provided by the SonarSource scanners that cover the requirements of the styleguide. I was in this situation myself in 2016; except for 7 rules, everything was already covered by rules provided by SonarSource. Also take the chance to get rid of obsolete rules at this point.
For the missing ones, you may find them provided by FindBugs, Checkstyle or some other plugins.
I tried FindBugs first, but after many bugs and problems I implemented them as custom rules
with the SonarQube API.
I recommend not using third-party rules if possible, because it's not needed anymore; see all the provided rules at https://rules.sonarsource.com/ … and the SonarSource plugins are supported by SonarSource.
- If there is no existing styleguide … etc. and you're starting from scratch:
a good starting point is to create your own quality profile as a copy of the built-in 'Sonar way' profiles,
as the built-in quality profiles are not editable / immutable.
A quality profile is not static; it will change over time. Most important is the communication with
the developers; expect to face resistance and misunderstandings at first.
Be open to discussions and proposals. Often you're the mediator between the developers
and the security team.
bla bla bla … I think you got the point.
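The two procedures above (copy the immutable 'Sonar way' profile into an editable one, then compare what the styleguide demands against what SonarSource rules already cover and activate the missing ones) as an added example, not the poster's own code or anything shipped by SonarSource. It uses three documented SonarQube web-API endpoints (api/qualityprofiles/copy, api/rules/search, api/qualityprofiles/activate_rule) and sends the user token as the basic-auth username with an empty password, which is how SonarQube tokens work. The server URL and token are assumed to be supplied by the caller; the STYLEGUIDE mapping, the rule keys in it and the SAMPLE_SEARCH_RESPONSE are constructed for the demo, so the offline run below exercises only the coverage logic.

```python
"""Styleguide coverage check against a SonarQube quality profile (added example).

Assumes a reachable SonarQube server and a user token. The STYLEGUIDE mapping
and SAMPLE_SEARCH_RESPONSE are constructed sample data, not real project data.
"""
import base64
import json
import urllib.parse
import urllib.request

# Constructed mapping: styleguide requirement -> SonarSource rule key covering it,
# or None when no SonarSource rule exists (candidate for a custom rule).
# Rule keys are illustrative; verify against https://rules.sonarsource.com/.
STYLEGUIDE = {
    "no System.out / System.err logging": "java:S106",
    "no hard-coded credentials": "java:S2068",
    "no unused local variables": "java:S1481",
    "collapsible if statements must be merged": "java:S1066",
    "company header comment in every file": None,
}

# Constructed sample of one page of GET api/rules/search?activation=true&qprofile=...
# (trimmed to the fields used here).
SAMPLE_SEARCH_RESPONSE = {
    "total": 3, "p": 1, "ps": 500,
    "rules": [
        {"key": "java:S106", "name": "Standard outputs should not be used directly"},
        {"key": "java:S2068", "name": "Hard-coded credentials are security-sensitive"},
        {"key": "java:S1481", "name": "Unused local variables should be removed"},
    ],
}


def _request(base_url, token, method, path, params):
    """Call the SonarQube web API; the token is the basic-auth user, password empty."""
    query = urllib.parse.urlencode(params)
    url = f"{base_url.rstrip('/')}/{path}"
    data = None
    if method == "GET":
        url = f"{url}?{query}"
    else:
        data = query.encode()
    req = urllib.request.Request(url, data=data, method=method)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def parse_active_rule_keys(search_response):
    """Extract the rule keys from one page of an api/rules/search response."""
    return {rule["key"] for rule in search_response.get("rules", [])}


def fetch_active_rule_keys(base_url, token, profile_key):
    """Page through api/rules/search for every rule active in the given profile."""
    keys, page = set(), 1
    while True:
        resp = _request(base_url, token, "GET", "api/rules/search",
                        {"activation": "true", "qprofile": profile_key,
                         "ps": 500, "p": page})
        keys |= parse_active_rule_keys(resp)
        if page * resp.get("ps", 500) >= resp.get("total", 0):
            return keys
        page += 1


def coverage_report(styleguide, active_keys):
    """Split styleguide items into covered / SonarSource rule to activate / custom rule needed."""
    report = {"covered": [], "to_activate": [], "custom_rule_needed": []}
    for requirement, rule_key in styleguide.items():
        if rule_key is None:
            report["custom_rule_needed"].append(requirement)
        elif rule_key in active_keys:
            report["covered"].append(requirement)
        else:
            report["to_activate"].append(rule_key)
    return report


def copy_builtin_profile(base_url, token, from_key, to_name):
    """Built-in profiles are immutable, so start from a copy (api/qualityprofiles/copy)."""
    return _request(base_url, token, "POST", "api/qualityprofiles/copy",
                    {"fromKey": from_key, "toName": to_name})


def activate_rules(base_url, token, profile_key, rule_keys):
    """Activate each missing rule on the editable copy (api/qualityprofiles/activate_rule)."""
    for rule_key in sorted(rule_keys):
        _request(base_url, token, "POST", "api/qualityprofiles/activate_rule",
                 {"key": profile_key, "rule": rule_key})


if __name__ == "__main__":
    # Offline run over the constructed sample. Against a live server you would call
    # copy_builtin_profile(), then fetch_active_rule_keys() on the copy, then
    # activate_rules(..., report["to_activate"]) with your own base URL and token.
    active = parse_active_rule_keys(SAMPLE_SEARCH_RESPONSE)
    print(json.dumps(coverage_report(STYLEGUIDE, active), indent=2))
```

The report's `custom_rule_needed` list is exactly the "7 rules" situation from the post: requirements with no SonarSource rule behind them, which you then implement as custom rules rather than pulling in a third-party plugin.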