Deprecation check in Legacy code

Hi experts,

In Sonar, we have such a rule to check if the code changes ever invoke/use any deprecated APIs(method, class or interface). It is called " @Deprecated” code should not be used"

We would like to write a rule, to check the legacy code ever use deprecated APIs. If the legacy does, then the SonarQube give warning message to notify developers. We believe that, combined with the previous existing rule, these two rules will work as a double insurance to the code quality of our project.

My question is:

Is this rule already implemented in Sonar?
If it’s not the case, is it feasible and reasonable to implement such a rule?

Thank you a lot for your suggestion

Welcome :slight_smile:

This rule is already implemented for many languages, use
yoursonarinstance/coding_rules?q=deprecated
to see the rules available in your instance.

For legacy code you will probably use only ‘new’ conditions.
The first scan will bring up all issues but not break the build.
Then you have to configure your quality gate and decide whether the use of deprecated code
in new code should break the build or not.
e.g. your quality gate for legacy projects has no new issues with severity Blocker/Critical/Major
Then you might change the severity of the deprecated rules to INFO to keep track of those findings,
but not break the build.

Gilbert

Hi @Rebse

Thank you a lot for your answer. Maybe I didn’t clarify my question very clearly.
Right now, SonarQube has a rule to check any deprecation use in new change code and we have no problem with this rule.

We actually would like to implement a rule that, when a developer deprecate an API, let’s call it methodA(), this rule can help us detect any part of the current project where this methodA() is invoked.

Is this kind of rule already implemented?
If it’s not, is it feasible and reasonable to create such a rule?

Hi,

if i understood correctly you want the rule squid:CallToDeprecatedMethod with an additional parameter for e.g. methodA().
Don’t know of an existing rule, but you may implement your own custom rule based on squid:CallToDeprecatedMethod.
see https://github.com/SonarSource/sonar-java/blob/master/docs/CUSTOM_RULES_101.md
for additional infos and https://github.com/SonarSource/sonar-java for a lot of examples
(/tree/master/java-checks/src/main/java/org/sonar/java/checks).

Gilbert

What kind of mechanism do the Sonar rules use to scan the whole project?

Don’t know if i understand your question.
The analysis scope is defined via new code setting (default = previous_version) and properties, e.g. sonar.sources, sonar.exclusions …
The set of rules that should be used for the analysis is defined in the quality profile, every
scanner (SonarJava …) has one default quality profile and maybe more.