Can't put shared library used by multiple apps into portfolio

Hi,
We have the same problem 4 years later on SonarQube Enterprise 10.2.
We have applications using shared libraries, sometimes tied to different branches, e.g.:

Application 1

  • library 1 branch A

Application 2

  • library 1 branch B

Application 3

  • library 1 branch A

We need to create portfolios per customer or product suite. Real-world application development scenarios are complex and often driven by technical and business motivations; blocking the analysis of a portfolio because a shared library is used by multiple applications is clearly a bug; it cannot be a design choice. Portfolio functionality is currently unusable in many real-world scenarios.

We purchased SonarQube Enterprise for the portfolio functionality, which was beautiful during the demo. Despite paying a lot of money, we only found out later that it is not possible to open a support ticket or report a bug privately.

I kindly request that the bug be taken care of.
Thanks

Hi,

Welcome to the community!

I’ve moved your post to a new topic because the topic you posted in was nearly 4 years old. Per the FAQ, you should create a new thread if the one you’re thinking of adding to is more than 2 months old.

Regarding the content of your post, I’m sorry you’re disappointed in the Portfolio functionality. The reason a project can’t be present in a portfolio more than once is because it would screw up the math. For instance, if you were to put all three of your Applications, with their references to the same library, into the same portfolio, any issues in that library would be counted three times instead of just once.

HTH,
Ann

Hi Ann,
thank you for your support.

It is not clear what you mean by “it would screw up the math”; this might be a correct way to work:

  • In the issues section all issues should be shown.
  • In the portfolio breakdown section the scores of individual applications should be shown.
  • The overview/security reports/measures sections should show the scores calculated on all projects (of applications or sub-portfolios), counting once project+branch. If different branches are present for a project, the same vulnerabilities should be counted only once.

The current behavior is clearly a bug, an unmanaged case. It is not correct that applications that have components in common cannot be put in a portfolio; it is a very common thing when developing product suites. The portfolio feature is designed to group applications and even other portfolios together.

Beyond the philosophy of how to do the calculations, it is not fair to demo such an important functionality by omitting such serious limitations.

Could you please open an issue on your ticket system?

Thank you for your support
Regards
Piero