Include code in analysis but keep only Vulnerabilities and Security Hotspots?

randomuser · September 28, 2022, 8:03am

SonarQube Community Edition - Version 9.6.1 (build 59531)

I have a code base with a legacy directory and a new shiny one (on-going migration using the strangler pattern).
On the legacy directory, I would like to ignore Code Smells and Bugs, as we are actively working to make them no longer relevant in the long term, but I would still be interested in the eventual security issues that are found.

I tried using filters to make my life easier but since directory search is not recursive, it did not help me
Is there any way to make this kind of config work?

Colin · September 28, 2022, 8:41am

You can adjust Quality Profiles to only include issues of a certain type – but I’m not sure what it achieves in this instance. Why exclude them entirely (and have no information), rather than (perhaps) configuring your Quality Gate to only focus on those issue types, or filtering on Issue type in the Issues page?

randomuser · September 28, 2022, 10:27am

The thing is, I want to focus on the security issues only for a specific part of the codebase. I don’t see a way to do that through Quality Profiles / Gate

Topic		Replies	Views
Quality Gate metrics needed on Bugs and Vulnerabilities, but ignoring Code Smells SonarQube Server / Community Build	2	341	February 28, 2023
Security issues SonarQube Server / Community Build	2	298	August 11, 2022
SonarQube Security Scanning SonarQube Server / Community Build sonarqube , security	11	3869	May 8, 2023
Is there a functionality in Sonarqube to fail quality gate only for bugs with Severity blocker, critical or Major and ignore all other bugs and Code smell SonarQube Server / Community Build sonarqube	4	2902	October 26, 2021
Disable code smell analysis SonarQube Cloud quality-profiles , analysis-scope	3	3790	December 16, 2021

Include code in analysis but keep only Vulnerabilities and Security Hotspots?

Related topics