Metrics categorisation

Hello, complete noob on here. I wish to learn more about the Security/Vulnerability Metrics on the sonarqube. From my understanding the vulnerabilities are scored from A(good) to F(bad) but what I’m trying to understand is what is acceptable and what needs remediating. I guess my question is directed to those who remediate the vulnerabilities as to what category do you live with and what needs fixing. Hope this makes sense, thank you in advance.

Hello @ZombT,

Welcome to the community.

Sonarsource uses the industry standard CVSS scoring methodology. We have SLAs for fixing the vulnerabilities and the security team monitor SLA compliance closely.

Many of the vulnerabilities found are in modules that our software does not reference and these can be ignored. But we do not have a threshold for vulnerability acceptance, we fix everything, it’s easier than arguing over risk. There are occasionally transient exceptions.

We are currently rolling out a new SCA tool and the objective is to make the vulnerabilities public as many customers request this type of information just as you have.

1 Like


In addition to Mark’s thorough & excellent answer about our own internal security practices, I’d like to add some detail about how you can interpret the ratings SonarQube raises on your project, in case it’s relevant.

Just to be clear, no vulnerabilities are “good” :joy:. It’s just that some are worse that others. Vulnerabilities raised in your code are given one of four severity ratings: Blocker, Critical, Major, Minor.
Those ratings determine the Security Rating on your project. Per the docs

A = 0 Vulnerabilities
B = at least 1 Minor Vulnerability
C = at least 1 Major Vulnerability
D = at least 1 Critical Vulnerability
E = at least 1 Blocker Vulnerability

To dig into that a little, you can have only 1 Vulnerability in your project, but if it’s a Blocker, you’re going to get an E rating. Conversely, you can have 500 Minor Vulnerabilities and get a B.

In terms of what you need to jump on fixing and what you can maybe live with for a while. I’d handle it worst-first. So start with any Blockers, then any Criticals. After that I’d say you can slow down, take a breath and assess any Majors.


1 Like

Great explanation Ann, thanks. I supposed to change the word vulnerabilities with findings. :sweat_smile:

Very detailed explanation Mark, thanks.