How do we get informed about new rules

rules

(Hilal Emeksiz) #1

Hello
SonarQube 7.0 community version is used. How are the new rules announced?
Are they added when we update the plugins to the newest version? On 30.07.2018 we upgraded the CSS plugin (sonar-css-plugin-1.0.1.508.jar) and today developers came across the critical bug which is said to be available since 19.07.2018 (Selectors of lower specificity should come before overriding selectors of higher specificity).

When I checked 1.0.1.508 at GitHub I see that it is released on Jul 27.

In short, my questions are:

  1. When and how are new rules added to our SonarQube instance?
  2. If with new plugins, what does “available since” mean? It does not seem to be related to the plugin release date.
  3. How can we be informed about the new rules?

Best Wishes


(Colin Mueller) #2

Gulla,

New rules are (often) added when analyzer plugins are upgraded, either through platform upgrades or individual plugin upgrades. It should never be a surprise.

That being said, if you don’t want new rules to automatically be added to your quality profiles, you shouldn’t be using the built-in Sonar Way quality profiles when analyzing code. It’s a best practice to copy the built-in Sonar Way profiles, set those as default and start refining based on what is useful to your team/organization (and you can even do a diff on the built-in Sonar Way after analyzer plugin upgrades to see how you’re tracking against Sonar’s evolving defaults). Check out this documentation about Quality Profiles.

You can check the release notes on analyzer plugins to discover new rules (and read about enhancements / bug fixes). These release notes are always linked in the Marketplace on your instance.

On your second point, between SCM information and how SonarQube tracks file lines, issues can be backdated to when the issue first appeared in the code, rather than when SonarQube first knew about the issue. This is really useful for not polluting the leak period with old issues related to new rules; a feature, not a bug!

Colin


(Hilal Emeksiz) #3

Hi Colin
Thank you for the answers. I am confused about your answer to the second point:
As you see, 8.1 k issues seem to occur in both the overview and activities tabs in the following pictures, and in the first png it is said to be created 3 days ago with the last analysis. So why did it not occur in the August 15th full analysis, since the plugin was first uploaded on 19.07.2018? Do you think the “not polluting the leak period” feature worked here? I am not sure, because all the css:S4664 violations occurred on Sep 13, not on Aug 15th.

Best wishes


(Colin Mueller) #4

Hilal,

Let me hit on a point from your first post.

> today developers came across the critical bug which is said to be available since 19.07.2018

The rule description states when the rule was first available on the quality profile, but the “issue creation” date should be when the issue first appeared in the code (or more accurately, when the code was first scanned).

Is any of this CSS new code that wouldn’t have been scanned in the August 15th scan? Did any inclusion/exclusion patterns change since the August 15th scan?

Colin


(Hilal Emeksiz) #5

Hi Colin,
Thank you for your points.
I checked the Jenkins job (sonar full analysis pipeline): no difference in the exclusion list between the two builds. On the Bitbucket side, the CSS code never changed after the initial commit on 22 Feb 2018.

Maybe if I provide the job logs, you can observe something which I could not.
I also do not know the meaning of this info log in the Jenkins builds: ‘src/main/webapp/assets/cms/assets/css/help.css’ generating issue exclusions

The files are attached. The file named (SonarScannerJenkinsJobLog_Aug_15_2018.txt)
did not detect the CSS issue, but the other did, as an issue.
Thank you for your help.

SonarScannerJenkinsJobLog_Aug_15_2018.txt (854.4 KB)
SonarScannerJenkinsJobLog_Sep_13_2018.txt (876.0 KB)


(Hilal Emeksiz) #6

Hi Colin
Have you had the chance to examine the situation?


(G Ann Campbell) #7

Hi,

There are still a couple cases where issues aren’t backdated. They’re laid out in this MMF that aims to address the gaps:

MMF-1287 Issues should usually be backdated

Note that we’ve gotten to the state documented in this MMF gradually. My Jira-fu is failing me at the moment, but it’s possible some of the backdating improvements were made after 7.0 (7.3 is the current version).

In terms of learning that new rules are available, there are several mechanisms for this in addition to what Colin mentioned. Specifically, there’s a sidebar on the profiles page that lists some of the most recently added rules, as well as an email notification that can go out (off by default) to quality profile administrators when built-in profiles are updated (this can only be done by a plugin upgrade, so this pretty much means the added rules are new). And finally, you can do an “Available Since” search on the rules page.

Regarding your new-old issues, without more details it will be hard to diagnose why they appeared suddenly.

 
Ann
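Added example, not part of the thread and not SonarSource code: a sketch of the "copy the built-in profile, then diff after a plugin upgrade" routine combined with the "Available Since" search, using the Web API's `api/rules/search` parameters `available_since`, `qprofile`, `activation` and `ps`. The host, profile key, review date and both JSON bodies are constructed, and the response fields used (`rules[].key`, `severity`, `createdAt`) are assumed to match what your instance returns.

```python
import json
from datetime import date
from urllib.parse import urlencode

def rules_search_url(base_url, since, profile_key):
    """URL listing rules active in one profile that were added on/after `since`."""
    query = urlencode({"available_since": since.isoformat(), "ps": 500,
                       "qprofile": profile_key, "activation": "true"})
    return f"{base_url.rstrip('/')}/api/rules/search?{query}"

def active_rules(response_text):
    """Map rule key -> (severity, creation date) from a rules/search JSON body."""
    rules = json.loads(response_text).get("rules", [])
    return {r["key"]: (r.get("severity", "UNKNOWN"),
                       date.fromisoformat(r["createdAt"][:10])) for r in rules}

def missing_from_copy(builtin_body, copy_body, since):
    """Rules new since `since` that the built-in profile has and the copy lacks."""
    builtin, copy = active_rules(builtin_body), active_rules(copy_body)
    return sorted((key, sev) for key, (sev, created) in builtin.items()
                  if created >= since and key not in copy)

# Constructed sample responses (not captured from a real server).
# css:S4664 and its 19.07.2018 date come from the thread; the other key is a placeholder.
BUILTIN_BODY = json.dumps({"rules": [
    {"key": "css:S4664", "severity": "CRITICAL", "createdAt": "2018-07-19T10:00:00+0000"},
    {"key": "css:PLACEHOLDER-OLD", "severity": "MAJOR", "createdAt": "2018-02-01T10:00:00+0000"},
]})
COPY_BODY = json.dumps({"rules": [
    {"key": "css:PLACEHOLDER-OLD", "severity": "MAJOR", "createdAt": "2018-02-01T10:00:00+0000"},
]})
LAST_REVIEW = date(2018, 7, 1)  # assumed date the team last reviewed its profile copy

if __name__ == "__main__":
    print(rules_search_url("https://sonar.example.test", LAST_REVIEW, "PROFILE-KEY"))
    for key, severity in missing_from_copy(BUILTIN_BODY, COPY_BODY, LAST_REVIEW):
        print(f"new since {LAST_REVIEW}: {key} ({severity})")
```

Fetch the two bodies with the URL built for the built-in profile and for the copy, then feed them to `missing_from_copy` after each analyzer upgrade.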