Difference between rules and rules in quality profiles / Oracle security guidelines

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    SonarQube 7.9.2
    Java Code Quality and Security 5.14 (build 18788)

  • what are you trying to achieve
    Compare a quality profile to Sonar way (defaults by Sonarqube)

  • what have you tried so far to achieve this
    I have to compare the default Sonar way to a quality profile created a while ago by someone. The problem is that I’m not 100% familiar with all the rules. Very confusing is, that the quality profile Sonar way has about 498 rules defined, while in “Rules” for Java I’ve git >1.9k rules. What’s the deal? Is it because other profiles may have other rules defined and the profiles only represents a bunch of rules from the pool of 1.9k?

A task I’ve got from our security guys is to take a look if the official Oracle Java Security Guidelines are implemented as well into “Sonar way” or any other defined profile.

Can you please advice? I hope my question is somehow understandable.

Regards, Thomas

Hi Thomas,

To get 1.9k rules in your instance, it sounds like you have quite a few 3rd-party plugins installed. At a guess, PMD, Checkstyle, FindBugs and maybe a few more. The Sonar way profile is provided by the built-in analyzer, and it’s not going to contain any 3rd-party rules, so that explains the difference between what you’re seeing in that built-in profile versus the total number of rules.

You say you’re trying to compare the Sonar way profile, but it’s not clear to me what you’re trying to compare it to. There is a built-in feature to allow you to compare profiles to each other. You’ll find the functionality under the profile cog menu on the Quality Profiles page. Select ‘Compare’ for profile 1, and you’ll be prompted to pick profile 2.

Regarding the Oracle guidelines, that’s not something I’ve looked at in a very long time. I can tell you that rules are available for all the naming conventions, and very likely already on in the Sonar way profile, although again it’s been quite a quite a while since I looked at that. For the rest, rules a probably available. Your best bet is to do keyword search in the rules page to see what SonarQube rules you can find that match up.

Just in case it’s helpful, here are the docs on creating and managing profiles.


1 Like

Hi Ann,

sorry for the late reply. The rules, which are in “Sonar Way” for Java, or - better - the rules in general, how are they going to be updated? I thought that whenever I update the plugin Java Code Quality and Security I’m going to update this default profile as well, or maybe also the rules specified in general.

I try to compare different profiles and create a diff to have an overview, which ones we have to update. This action is necessary since noone took care of SQ for a while.

Regards, Thomas


Don’t be silly. Some threads go days or weeks without response. :slightly_smiling_face:

This is really two different questions for me. The underlying rule implementations are indeed, and necessarily, updated when you upgrade SonarQube* (and thus the underlying analyzers). Built-in profiles, such as Sonar way, are also updated automatically with upgrades. Generally that means new rules are added, but it could also mean that thresholds are changed and occasionally rules are removed. If you have custom profiles that are inherited from Sonar way, they’ll inherit those updates as well.


*The ability to independently upgrade analyzers outside a SonarQube upgrade is being removed.