Our commitment to you – and an update on severity ratings for software quality

Yesterday, we shared more information on restoring the ability to customize rule severities in SonarQube Server 10.8 – see our blog here for all the details (also copied below). The blog also includes four engineering principles that will further guide our product delivery and development.

Our commitment to you – and an update on severity ratings for software quality

The speed of software development and product delivery is increasing for organizations everywhere – including here at Sonar. Just like for many of you, this increase in production has required us to grow quickly and reevaluate the way we operate. Since day one, our mission has been to build products that help developers write better, more secure code – and that’s not changing. We are, however, expanding on how we do that.

Sonar’s Engineering Principles

We decided to put our guiding engineering principles in writing and share them with you. These principles are designed to support three critical things: (a) set clearer expectations with our customers around what we will and won’t change in our products; (b) operate more effectively as an engineering and product organization; and (c) innovate and experiment to bring new, exciting capabilities to our customers while staying focused on our mission.

Here they are –

  1. You, our customers, are at the center of everything we do. We will continue to focus on gaining a deep understanding of your needs and how you’re using our products. As always, the doors to feedback via our Community are wide open – please continue to share your ideas, questions, and recommendations with us.
  2. We will ensure backward compatibility. We know that you count on our products in critical parts of your software development toolchain, and we will do our best to ensure that we do not make changes that break prominent workflows that a large number of customers count on.
  3. No (bad) surprises. We will continue to provide significant notice for features that we plan to phase out so that you can adjust workflows or processes as needed well in advance of the changes taking place.
  4. Real solutions to improve developers’ experiences. We succeed by making tools that developers love to use. We are committed to creating thoughtful experiences that maximize the signal and minimize the noise for developers.

An update to SonarQube Server’s Severity Ratings and Rules Customization

As we shared on the Sonar Community in October, we are restoring the ability to customize rule severities in SonarQube Server 10.8. We will introduce two modes for customers to choose from: Standard Experience Mode and Multi-Quality Rule (MQR) Mode. This will enable you either to continue using the familiar workflows and issue categorization (bugs, vulnerabilities, and code smells) from the earlier SonarQube Server 9.9 version, or to use the concepts introduced in SonarQube Server 10.2. For SonarQube 9.9 customers, the Standard Experience will bring a seamless path without impacting your way of working. If you’ve adopted the new classifications and severities from SonarQube Server 10.2 and later releases, they won’t be removed and you can continue using them in the MQR Mode.

Standard Experience Mode. The Standard Experience encompasses the use of rule types such as bugs, code smells, and vulnerabilities, with a single type and severity level for each rule. This approach focuses on assigning severity to a rule based on the single software quality (e.g. security, reliability, or maintainability) it has the largest impact on. For customers on SonarQube Server 9.9 and earlier, this is a continuation of the experience you are familiar with.

Multi-Quality Rule Mode. The new MQR Mode aims to more accurately represent the impact an issue has on all software qualities. It does this by assigning a separate severity to a rule for each software quality it might impact. This approach focuses on ensuring the impact on all software qualities is clear, not just the one most severely impacted. This mode is reflective of the changes that were introduced in SonarQube Server 10.2 and later.

Your system will start in the mode that most closely resembles the software version you are upgrading from. You are free to switch modes to whichever best suits your needs and working practices. Both approaches for classifying issue types and assigning issue severity will be available going forward and you can determine which is more suitable for your business.

SonarQube Server 10.8 is scheduled for release in December 2024. We are currently evaluating software quality severity ratings for SonarQube Cloud with these principles in mind and will provide further details in the coming weeks.

For further information on SonarQube Server, visit our documentation.