Clarification needed to understand SonarQube quality gate

  • We are using SonarQube Server, Enterprise Edition, deployed via Docker.

    As the SonarQube admin for our instance, I’m working to ensure code quality for both new code and the overall codebase. Most of our teams currently use the built-in Sonar Way Quality Gate for their projects.

    However, I’ve noticed that the Sonar Way gate only includes conditions for new code (e.g., no new bugs, vulnerabilities, or code smells). This raises a concern: if a project has existing security issues in the overall codebase, but the new code is clean, the Quality Gate still passes.

    Is this expected behavior? Are we missing a recommended approach to ensure that overall code quality, especially critical issues like security vulnerabilities, is also enforced through the Quality Gate?

    I’d appreciate guidance on best practices for configuring Quality Gates to cover both new and overall code quality.

Hi @shanmugabharathim,

You’re right, the default “Sonar Way” Quality Gate is designed to encourage the “Clean as You Code” approach by focusing on the quality of new code. It’s an excellent way to ensure that technical debt doesn’t increase.

However, you raise an important point: it’s crucial to monitor and improve the overall quality of the codebase, especially regarding existing security vulnerabilities.

Here are some complementary approaches to address this need:

  1. Create a custom Quality Gate: This is the most flexible solution. You can define a Quality Gate that includes conditions on both new code (like Sonar Way) and existing code. For example, you can add conditions such as:

    • “Number of major/critical vulnerabilities overall < X”

    • “Overall code coverage > Y%”

    • “Overall code duplication < Z%”

  2. Define technical debt objectives: SonarQube allows you to track and manage technical debt. You can set clear goals for reducing vulnerabilities, bugs, and code smells over time. Use SonarQube’s reporting features and dashboards to track your progress.

  3. Use tags and prioritization: Identify the most critical areas of code (e.g., those that handle sensitive data) and focus your improvement efforts on those areas. You can use tags to categorize the code and facilitate tracking.

  4. Adopt an iterative approach: Don’t try to fix all the problems at once. Prioritize the most critical issues and plan regular iterations to improve the overall quality of the codebase.

The ideal approach depends on your constraints and priorities. The important thing is to find a balance between continuously improving new code and fixing existing problems. Feel free to start small and adjust your strategy as you go.

I hope these suggestions are helpful. Don’t hesitate to ask if you have any other questions.

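The first suggestion above (a custom Quality Gate with both new-code and overall-code conditions) can be scripted against SonarQube's Web API rather than clicked through the UI. The following is an added example written for this thread, not code from the original poster, the answerer or SonarSource. It assumes placeholder values for the server URL, the token (a user token with the "Administer Quality Gates" permission), the gate name and the thresholds; the metric keys and endpoints (`api/qualitygates/create`, `api/qualitygates/create_condition`, `api/qualitygates/select`) are SonarQube's own. It also includes an offline evaluation of the same conditions, so you can preview what the gate would do on a project's current measures (as returned by `api/measures/component`) before assigning it.

```python
"""Added example (not from the original thread): build a custom SonarQube Quality Gate
that combines Sonar Way style new-code conditions with overall-code conditions,
and preview how those conditions evaluate against a project's measures.

Assumed placeholders: SONAR_URL, SONAR_TOKEN, GATE_NAME and the thresholds below.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

SONAR_URL = os.environ.get("SONAR_URL", "http://localhost:9000")  # assumed
SONAR_TOKEN = os.environ.get("SONAR_TOKEN", "")                   # assumed: token with "Administer Quality Gates"
GATE_NAME = "Sonar Way + Overall"                                 # assumed gate name

# (metric key, operator, error threshold). A condition FAILS the gate when the measure
# is <op> the threshold, i.e. "GT" means "fail if measured value > threshold".
# Metric keys are SonarQube's built-in ones; the thresholds are illustrative.
GATE_CONDITIONS = [
    # New-code conditions (the Clean as You Code part, in the spirit of Sonar Way)
    ("new_vulnerabilities", "GT", "0"),
    ("new_bugs", "GT", "0"),
    ("new_security_hotspots_reviewed", "LT", "100"),
    ("new_coverage", "LT", "80"),
    # Overall-code conditions that the default gate does not have
    ("vulnerabilities", "GT", "0"),           # no open vulnerability anywhere in the codebase
    ("security_rating", "GT", "1"),           # overall Security rating must be A (1=A ... 5=E)
    ("coverage", "LT", "80"),                 # overall coverage >= 80 %
    ("duplicated_lines_density", "GT", "3"),  # overall duplication <= 3 %
]


def _call(path, params, method="POST"):
    """Call a SonarQube Web API endpoint, sending the token as the basic-auth user name."""
    query = urllib.parse.urlencode(params)
    url = f"{SONAR_URL}/{path}"
    data = None
    if method == "POST":
        data = query.encode()
    else:
        url = f"{url}?{query}"
    req = urllib.request.Request(url, data=data, method=method)
    cred = base64.b64encode(f"{SONAR_TOKEN}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def create_gate(name, conditions):
    """Create the gate and attach each condition (gateName needs SonarQube 8.4+; older servers take gateId)."""
    _call("api/qualitygates/create", {"name": name})
    for metric, op, error in conditions:
        _call("api/qualitygates/create_condition",
              {"gateName": name, "metric": metric, "op": op, "error": error})


def assign_gate(project_key, name):
    """Make a project use this gate instead of the default one."""
    _call("api/qualitygates/select", {"projectKey": project_key, "gateName": name})


def failed_conditions(conditions, measures):
    """Offline preview of the gate: return the metric keys whose condition would fail.

    `measures` maps metric key -> value string, as api/measures/component returns them.
    A metric with no measure is skipped, which is also how SonarQube treats a
    condition that has no data (it neither passes nor fails the gate).
    """
    failed = []
    for metric, op, error in conditions:
        if metric not in measures:
            continue
        value, threshold = float(measures[metric]), float(error)
        if (op == "GT" and value > threshold) or (op == "LT" and value < threshold):
            failed.append(metric)
    return failed


def gate_passes(conditions, measures):
    """True when no condition fails."""
    return not failed_conditions(conditions, measures)


if __name__ == "__main__":
    # Constructed sample: clean new code, but three open vulnerabilities and a D security
    # rating in the overall codebase (the exact situation described in the question).
    sample = {"new_vulnerabilities": "0", "new_bugs": "0", "new_security_hotspots_reviewed": "100.0",
              "new_coverage": "91.4", "vulnerabilities": "3", "security_rating": "4.0",
              "coverage": "82.0", "duplicated_lines_density": "1.2"}
    print("new-code-only conditions pass:", gate_passes(GATE_CONDITIONS[:4], sample))
    print("combined gate fails on:", failed_conditions(GATE_CONDITIONS, sample))
    if SONAR_TOKEN:  # only touch the server when a token is configured
        create_gate(GATE_NAME, GATE_CONDITIONS)
```

With the constructed sample the four new-code conditions alone pass (which is why a Sonar Way style gate lets the project through), while the combined gate fails on `vulnerabilities` and `security_rating`. Before rolling such a gate out, run the preview against each project's real measures: an overall condition like `vulnerabilities > 0` will fail every project that already carries open findings, so teams need the remediation plan from points 2 to 4 above, or a less strict starting threshold, or the gate simply blocks everything on day one.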