Define Quality Gate using the new Severities

Hi,

we recently migrated from SonarQube 9.9 to 10.4 (both on-Premise) and would like to adjust our Quality Gate to the new Severities.

Currently our Quality Gate for New Code says:

  • Blocker Issue > 0
  • Critical Issues > 0
  • Major Issues > 0

Fixing issues with Severity <= Minor is optional for us, as we are working on legacy code (in parts >20 years old) and want to concentrate on the more important issues.

Now these severities are deprecated and there are the new severities High, Medium and Low. Currently our old Quality Gate definition still works, but we would like to switch to the new severities.

My first thought was to define something like “High Issues > 0”, assuming we treat all three Software Qualities the same way. It would as well be fine to have something like this:

  • High Security Issue > 0
  • High Maintainability Issues > 0
  • High Reliability Issues > 0

The only way to achieve something similar seems to be using the Rating, like “Security Rating worse than A”. But the documentation for these Ratings still uses the deprecated severities: metric definition

Is the documentation just outdated or are these Ratings as well deprecated? What would the recommended way be to handle our use case?

Thanks!

Regards,
Carsten

1 Like

Hi,
This question is still relevant to us, but the fact that nobody has answered so far raises some questions for me.

  • Is our quality gate and the approach behind it unusual or discouraged?
  • Is there nobody else having this question?
  • Is there a non-deprecated equivalent for our quality gate at all?

I would be grateful for any advice on this.

Thanks!

Regards,
Carsten

2 Likes

Hello Carsten,

Sorry for the late response.

I would recommend that you set up a Clean as You Code compliant quality gate. It would be a good idea to fix all issues in the new code as this prevents accumulation of new technical debt (even in a legacy project). However, if you still do not want to fix some low-severity issues, you can accept those issues.

Hi,

IMO to fix only issues in new code is the obvious way to go for legacy projects.
But what about new projects starting from scratch?

These questions are still not answered.

Gilbert

1 Like

Yes, the current solution in your case is to add extra conditions on the overall code to cover your use case. If you are not removing any Clean as You Code conditions on the new code, your quality gate will remain Clean as You Code ‘ready’.
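The suggestion above (rating-based conditions on overall code, alongside the Clean as You Code conditions on new code) can be scripted instead of clicked through the UI. The following is an added example written for this thread, not code from SonarSource or from any poster. It assumes the SonarQube rating scale A=1 … E=5 (so “worse than A” is `op=GT`, `error=1`), the standard metric keys (`security_rating`, `reliability_rating`, `sqale_rating` and their `new_` counterparts), and the `POST api/qualitygates/create_condition` endpoint with `gateName`, `metric`, `op` and `error` parameters; the server URL, token and gate name are placeholders, and `dry_run=True` only builds the requests so nothing is sent.

```python
"""Build SonarQube quality-gate rating conditions and (optionally) apply them via the Web API.

Added example for this thread; not SonarSource code. Assumes the documented
create_condition endpoint and the A..E rating scale. Check /web_api on your
instance if parameter names differ in your version.
"""
import urllib.parse
import urllib.request
from base64 import b64encode

# Rating scale used by the security/reliability/maintainability rating metrics.
RATING_VALUE = {"A": 1, "B": 2, "C": 3, "D": 4, "E": 5}

# Metric keys for overall code and for new code (maintainability's key is sqale_rating).
RATING_METRICS = {
    "security": ("security_rating", "new_security_rating"),
    "reliability": ("reliability_rating", "new_reliability_rating"),
    "maintainability": ("sqale_rating", "new_maintainability_rating"),
}


def rating_condition(quality, worse_than="A", new_code=True):
    """Return the create_condition parameters for '<quality> rating worse than <letter>'."""
    if worse_than not in RATING_VALUE:
        raise ValueError(f"unknown rating {worse_than!r}; expected one of A..E")
    overall_key, new_key = RATING_METRICS[quality]
    # The gate fails when the rating is numerically greater than the chosen letter.
    return {
        "metric": new_key if new_code else overall_key,
        "op": "GT",
        "error": str(RATING_VALUE[worse_than]),
    }


def create_condition_request(base_url, token, gate_name, condition):
    """Build (but do not send) the POST request that adds one condition to a gate."""
    params = {"gateName": gate_name, **condition}
    body = urllib.parse.urlencode(params).encode()
    # SonarQube accepts a user token as the Basic-auth username with an empty password.
    auth = b64encode(f"{token}:".encode()).decode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/qualitygates/create_condition",
        data=body,
        headers={"Authorization": f"Basic {auth}"},
        method="POST",
    )


def apply_conditions(base_url, token, gate_name, conditions, dry_run=True):
    """Create every condition on the named gate; with dry_run only the requests are returned."""
    requests_built = [
        create_condition_request(base_url, token, gate_name, c) for c in conditions
    ]
    if not dry_run:
        for req in requests_built:
            with urllib.request.urlopen(req) as resp:  # network call, off in dry runs
                resp.read()
    return requests_built


if __name__ == "__main__":
    # Placeholder values; replace with your own server, token and gate name.
    gate_conditions = [
        rating_condition("security", "A", new_code=False),
        rating_condition("reliability", "A", new_code=False),
        rating_condition("maintainability", "A", new_code=False),
    ]
    for req in apply_conditions("https://sonarqube.example", "TOKEN", "Legacy Gate", gate_conditions):
        print(req.get_method(), req.full_url, req.data.decode())
```

Run it with `dry_run=True` first and compare the printed form bodies against the conditions you would otherwise add by hand; only then flip the flag. Keeping the Clean as You Code conditions on new code untouched and adding these overall-code rating conditions beside them follows the advice given in the reply above.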

Hi, you are not giving us an option here. You are FORCING us to do that. This is not fair to us. Please include the same options for High, Medium and Low Issues, so that we will have time to transition to the new severity. By the way, the link you provided for “accept” is being diverted to “Page not found”.

Hi @HSNG,

Thanks for mentioning the bad link. I’ve edited that post to correct the URL, which is this: Managing issues & SonarQube

Ann

Hi @ganncamp ,

Thanks for updating the link.
Any updates to my other concerns?

Hi @HSNG,

The other concerns are out of my hands. I’ll leave them for @vivek.reghunath.

Ann