Fine-grained quality profiles

Some rules are hard to enforce for a complete codebase. We’ve got our code in a mono-repo including both backend and frontend code.

Frontend code relies on UI components that themselves bring a few levels in the dependency tree.

So for rule “Inheritance tree of classes should not be too deep” (java:S110) we would prefer to have different values of “max” depending on module, e.g.

  • frontend: max=8
  • backend: max=4

Frontend and backend code are distinguishable, e.g., by source folder.

I second this.
Another use case would be projects that use the GWT framework for their frontend code. While the code is written in Java, it is eventually transpiled to JavaScript. Not all Java rules from Sonar might be relevant in that context or even result in anti-patterns.
GWT also doesn’t have support for the entirety of the Java standard library, so some features simply can’t be used in client code. And if we were to write custom Sonar rules specifically for GWT, it would also be nice to only apply those to client code and not to server stuff (without having to hardcode such a lookup into the rules themselves).

Hi Holger,

Why don’t you execute 2 SonarQube analyses (frontend and backend) instead of one? So you could see 2 projects in SonarQube and associate different quality profiles.
If the frontend and the backend are in two different folders it should be easy; otherwise you can play with sonar.exclusions and sonar.inclusions (see Narrowing the Focus).

Hi Alban,

Actually, that’s a good suggestion, I think this would work at least from a Sonar / Maven perspective - Thanks!

But I am not sure if this will work with our Bitbucket integration where we enforce the quality gate before a merge is permitted for short- and long-lived branches. We’re using the “Sonar for Bitbucket Server” plugin for that.

Hi Alban,

I’ve been thinking about your suggestion; I don’t think it will work in my environment, and here’s why:

  1. As already indicated, we have Bitbucket (on premise) with the “Sonar for Bitbucket Server” plugin to enforce quality gates for Pull Requests. I can’t see how this will work with two analyses since the plugin will look at just one branch. This might be considered not a SQ issue, but would be a problem for us.

  2. We’ve got everything in IntelliJ in a single project, and a single project cannot have two Quality Profiles (e.g. see feature request SonarLint + IntelliJ + Module settings?).

  3. Maintenance - we used to have different Quality Profiles for different git repositories, and it has been quite a bit of work to align all of them, so I am hesitant to create new profiles again.

I’ll take the chance to shamelessly promote another suggestion of mine:

E.g., for rule “java:S110” I’d be happy to batch-suppress it via @SuppressWarnings("java:S110") for all existing UI classes and then activate the rule in my global SQ Quality Profile.