Different metrics on portfolios containing the same projects


In a SonarQube instance I have defined an application portfolio and a view portfolio containing the same projects. Both portfolios have been refreshed recently.

I’ve noticed that reliability and security ratings are different even though the portfolios’ composition is identical.

As you can see in the image:

  • Reliability is “E” in the application portfolio but “C” in the view portfolio.
  • Security is “E” in the application portfolio but “B” in the view portfolio.

Can you confirm it’s a bug? Or maybe the semantics of those metrics are different depending on the kind of portfolio?

Environment information:

  • SonarQube Enterprise Edition 6.7.5


You have not discovered a bug. What you have done is made an apples-and-oranges comparison. :slight_smile:

An Application is a synthetic project, and as such it is treated, and graded, like a project. The thinking is that an Application is made up of a group of projects that ship together - if one isn’t releasable, none are - but for whatever technical reasons the projects are all analyzed separately.

So, for a project, the Reliability and Security ratings are based on the severity of the worst issue. This means that somewhere in your group of projects is at least one Blocker Bug and at least one Blocker Vulnerability.

Portfolios, on the other hand, are meant to be executive overviews, and as such they employ an averaging strategy. That’s why the ratings are better for your portfolio than for your application.

Out of curiosity, did you create both an application and a portfolio of the same set of projects just playing around, or is there some feature you really need from each?
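A worked illustration of the two grading strategies described in this answer (an added example, not SonarQube's own code): each project's rating comes from its single worst issue, an Application takes the worst issue across all member projects, and the portfolio side uses a plain unweighted mean of the member ratings, which is an assumption because the thread does not spell out how SonarQube actually averages. The project names and issue lists are constructed sample data.

```python
from statistics import mean

# Project-level scale: the rating is driven by the worst issue of that type
# (Blocker -> E, Critical -> D, Major -> C, Minor -> B, no issue -> A).
SEVERITY_RATING = {"BLOCKER": "E", "CRITICAL": "D", "MAJOR": "C", "MINOR": "B", "INFO": "A"}
RATING_VALUE = {"A": 1, "B": 2, "C": 3, "D": 4, "E": 5}
VALUE_RATING = {v: k for k, v in RATING_VALUE.items()}

# Constructed sample: three projects that ship together, with the severities of
# their open bugs and vulnerabilities.
PROJECTS = {
    "billing":   {"bugs": ["BLOCKER", "MAJOR"], "vulnerabilities": ["MINOR"]},
    "web-front": {"bugs": ["MINOR"],            "vulnerabilities": ["BLOCKER"]},
    "batch":     {"bugs": [],                   "vulnerabilities": []},
}


def project_rating(severities):
    """Rating of one project: the letter of its worst issue, A when it has none."""
    if not severities:
        return "A"
    return max((SEVERITY_RATING[s] for s in severities), key=lambda r: RATING_VALUE[r])


def application_rating(projects, kind):
    """An Application is graded like a single project: worst issue across all members."""
    return project_rating([s for p in projects.values() for s in p[kind]])


def portfolio_rating(projects, kind):
    """Assumed averaging: unweighted mean of the member project ratings, rounded
    to the nearest letter. SonarQube's real weighting is not described here."""
    values = [RATING_VALUE[project_rating(p[kind])] for p in projects.values()]
    return VALUE_RATING[round(mean(values))]


if __name__ == "__main__":
    for kind in ("bugs", "vulnerabilities"):
        # One Blocker anywhere drags the Application to E, while the same
        # members average out to C in the portfolio view.
        print(kind, "application:", application_rating(PROJECTS, kind),
              "portfolio:", portfolio_rating(PROJECTS, kind))
```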


Thanks @ganncamp for your focused and clear explanation. You solved my doubts!

So my guess of different semantics depending on the kind of portfolio was right…
Maybe this could be explained more clearly in the documentation.


Just for fun and to better understand some portfolio concepts :sweat_smile: