We are at a stage in our organisation where we will be setting up all critical projects (repos) with SonarCloud for PR analysis as well as baseline analysis.
All our repos are existing codebases with commit histories going back 5-10 years. This means that there are coverage and quality issues in the baseline (code on the main branch).
As an initiative, we are setting up guidelines and recommendations for product teams to follow to improve the current state of their codebases. At a high level these are the guidelines:
Over the next year, all teams should aim to improve their baseline (code on the main branch) code coverage and quality incrementally to an acceptable state.
- Services which have > 0 security vulnerabilities & hotspots
  - Review all the vulnerabilities and remove the false positives. There is a high chance that some of these vulnerabilities are false positives, so this is a good opportunity to mark them as such. After removing the false positives, you can plan to fix the legitimate vulnerabilities.
  - Acceptable state: 0 security vulnerabilities and hotspots.
- Services which have code coverage <= 50%
  - Identify whether these services have files that are not supposed to be tracked under code coverage but are getting tracked. Update the exclusion criteria to get more accurate code coverage data.
  - Identify whether these services have critical paths or business logic that are uncovered by tests. If yes, plan to improve the functional coverage. Use the low code coverage as a foundation to improve the functional coverage; this will consequently increase the code coverage as well.
  - Acceptable state: Although there is no "ideal code coverage number", we would like to offer the general guidelines of 50% as "acceptable", 65% as "commendable" and 80% as "exemplary".
- Services which have reliability rating C or D
  - Focus on prioritising the blocker and critical issues (if there are any). If they are false positives, please mark them as false positives. If they are legitimate reliability issues, please plan to fix the bugs as part of the improvement plan.
  - Acceptable state: 0 critical/blocker bugs.
My questions
- Does this sound reasonable to you? Any suggestions?
- I'd like to know from SonarSource folks as well as the community here how other organisations go about improving the state of coverage and quality. Do you look at existing issues and try to fix them, or only focus on preventing issues via PR analysis?
- In general I feel that setting up integration with code quality tools is the easiest part. What is complex is getting people to adopt it and religiously follow it. How do you get around fixing the culture problem? Do you mandate adoption from the top via leadership?
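As an added illustration of the "update the exclusion criteria" step (this is an editor's example, not configuration from the original post or from any particular project), the snippet below shows a `sonar-project.properties` for a hypothetical repo whose generated protobuf stubs, database migrations and test helpers were being counted against coverage. The file paths and module names are assumptions; the property names are standard SonarCloud/SonarQube scanner settings.

```properties
# sonar-project.properties (example only; paths are hypothetical)
sonar.projectKey=my-org_payments-service
sonar.organization=my-org
sonar.sources=src
sonar.tests=src
sonar.test.inclusions=**/*Test.java,**/*Spec.java,**/testutil/**

# BEFORE (common mistake): excluding code from analysis altogether just to
# raise the coverage number. This also removes it from vulnerability and
# hotspot detection, so generated or vendored code with real findings
# silently disappears from the dashboard.
# sonar.exclusions=**/generated/**,**/migrations/**

# AFTER: keep everything analysed for bugs, vulnerabilities and hotspots,
# but exclude from the coverage metric only what is not meant to be
# unit-tested: generated stubs, schema migrations, DI wiring and the
# application entry point.
sonar.coverage.exclusions=**/generated/**,**/migrations/**,**/config/**,**/Application.java

# Keep sonar.exclusions for files that genuinely should not be analysed
# at all, e.g. third-party code checked into the repo.
sonar.exclusions=**/vendor/**
```

The distinction matters for the first guideline as much as the second: `sonar.coverage.exclusions` only changes the denominator of the coverage metric, while `sonar.exclusions` removes files from every rule, so using the latter to tidy up coverage can hide the very vulnerabilities and hotspots the plan asks teams to drive to zero. Since the post aims for accurate rather than flattering coverage, a reviewer of such a change should check that nothing under `sonar.coverage.exclusions` contains business logic, and that the diff does not touch `sonar.exclusions` at the same time.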