Difference between Cognitive, Cyclomatic Complexity Quality Gate and Rule

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
  • what are you trying to achieve
  • what have you tried so far to achieve this

We are using SonarQube 7.5.
We have set our Quality Gates to fail the projects with below conditions:

  1. Cognitive Complexity cannot be > 15
  2. Cyclomatic complexity cannot be > 20

Also, we have enabled a Java Rule-
Cognitive Complexity of Methods should not be too high (>15)

Projects fails showing number of Cognitive and Cyclomatic complexities are high (cog - 673, cyc - 572) and cannot be > than 15 and 20, however when we drill down to code level, it only shows the number of complexities in the file in Measures tab, but not which lines/ blocks has to be fixed to resolve these.

The Java Rule configured: - Cognitive Complexity on methods should not be too high (>15).
The Cognitive Complexity as per Java rule we configured shows the count as 193 (under Critical Issues), and this shows the code level drill down and in which method to fix the logic.
we don’t see any Java rule specific for Cyclomatic Complexity.This is okay, as we can identify and fix the cog complexity on method level.

I would like to understand the difference between the rules and gates.
Are these rules applied on method level?
And Quality Gate applies on the entire project level?

The gates we applied on Cyc and Cognitive Complexity is it right? Please suggest.

  1. Cognitive Complexity cannot be > 15
  2. Cyclomatic complexity cannot be > 20


Quality Gates use Measures, so what you’re really after is the difference between Rules and Measures. Generally (there are some grandfathered exceptions) Measure-related Rules (i.e. a rule with a threshold parameter) act at the method level and below. Measures that you can see outside of Issues (i.e. in the Measures page) are file-level and above.

When you set a Quality Gate parameter on Cognitive Complexity, you said that for the entire project, there should only be a total - across all methods and files - of 15 Cognitive Complexity points. And the same for Cyclomatic Complexity (although with a different numeric value).

BTW, there is a rule for Cyclomatic Complexity. It’s called something like (depending on the language) “Functions should not be too complex”. It was written and implemented before we invented Cognitive Complexity - before there was a need to differentiate.

IIWY, I’d simply drop those Quality Gate conditions. Your rules will flag all the methods that need work.


Thank you very much Ann for the quick response :slight_smile: We have removed these 2 gates and are using “Cognitive Complexity on Methods must not be too high” Rule instead.