Hi, we are provided with a corporate SonarCloud at work and it has a big disadvantage compared to a local SonarQube installation. Namely, we have no control over the version. New rules are updated too often and during the release preparation this often confuses the team, as we see unexpected results. We have a year-long iteration, and we need to be able to lock the version and update it only at the start of the next iteration (new year).
If you don’t want new rules to be applied to your project unexpectedly (keep in mind, these new issues from new rules are always backdated, so they don’t affect your New Code Period), I suggest creating a new Quality Profile that does not inherit from the continuously updated Sonar Way.
Rules will still receive updates (fixing false positives and false negatives), but I think that has to be okay. If we improve SQL Injection detection, you don’t want to wait until next year to find out you have a SQL injection vulnerability in your code.
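As an added illustration (not part of the reply above, and not SonarSource code): the distinction the reply relies on is that a profile copied from Sonar Way has no parent and only changes when someone edits it, whereas a built-in profile, or one that extends it, picks up newly activated rules automatically. The audit below walks a quality-profile listing and reports which profiles still track Sonar Way; the input is a constructed sample in the shape of an `api/qualityprofiles/search` response, and the field names (`key`, `isBuiltIn`, `parentKey`, `isDefault`) are assumptions to check against your server's Web API documentation.

```python
import json

# Constructed sample in the shape of an api/qualityprofiles/search response.
# Field names are assumed; verify them against your SonarCloud/SonarQube API docs.
SAMPLE_RESPONSE = json.dumps({
    "profiles": [
        {"key": "AX-java-sw", "name": "Sonar way", "language": "java",
         "isBuiltIn": True, "isDefault": True},
        {"key": "AX-java-ext", "name": "Team (extends Sonar way)", "language": "java",
         "isBuiltIn": False, "parentKey": "AX-java-sw", "isDefault": False},
        {"key": "AX-java-2024", "name": "Team 2024 (copy)", "language": "java",
         "isBuiltIn": False, "isDefault": False},
        {"key": "AX-py-sw", "name": "Sonar way", "language": "py",
         "isBuiltIn": True, "isDefault": True},
    ]
})


def tracks_sonar_way(profile: dict, by_key: dict) -> bool:
    """True if the profile is built in or inherits (transitively) from a built-in one.

    Such profiles receive newly activated rules automatically; a copied profile
    (no parent) only changes when someone edits it, so its rule set is pinned.
    """
    seen = set()
    while profile is not None and profile["key"] not in seen:
        seen.add(profile["key"])          # guard against a malformed parent cycle
        if profile.get("isBuiltIn"):
            return True
        profile = by_key.get(profile.get("parentKey"))
    return False


def audit_profiles(response_json: str) -> dict:
    """Map each profile key to 'tracks-sonar-way' or 'pinned'."""
    profiles = json.loads(response_json)["profiles"]
    by_key = {p["key"]: p for p in profiles}
    return {k: ("tracks-sonar-way" if tracks_sonar_way(p, by_key) else "pinned")
            for k, p in by_key.items()}


def default_profiles_tracking_sonar_way(response_json: str) -> list:
    """Keys of default profiles: new projects bound to these will see new rules appear."""
    profiles = json.loads(response_json)["profiles"]
    by_key = {p["key"]: p for p in profiles}
    return sorted(p["key"] for p in profiles
                  if p.get("isDefault") and tracks_sonar_way(p, by_key))


if __name__ == "__main__":
    for key, status in audit_profiles(SAMPLE_RESPONSE).items():
        print(f"{key:14} {status}")
```

Run it against the real listing (with your token) to confirm that the profile assigned to each project during the iteration is one of the pinned copies, not Sonar Way or an extension of it.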