We have our front-end projects in JavaScript.
When I tried to deploy the code in Jenkins it was successful, but then SonarQube shows that it has some bugs and vulnerabilities.
When I showed one of the developers the bug listed by SonarQube, they said that it is not an issue.
So, my doubt is: can I overlook the bugs shown by SonarQube, because even though SonarQube said there is a major bug, the code is still working fine?
Do I need to create a custom quality profile and exclude that rule, or how do I proceed?
Short answer: The SonarQube dashboard is very reliable, and you should follow most of the recommendations.
Long answer: it depends on what you and your developer define as “not an issue”.
Maybe that means that the code works in the narrow circumstances that you’ve tested it in. Maybe it means that you follow best practices for the language and development environment you work in. Maybe it means that it’s easy to maintain for future developers. Maybe it’s acceptable to you that this could cause a bug in certain circumstances, but you’ve mitigated those circumstances so that they never happen, and the bug will never be triggered. You will need to work with your developers to adjust the code rules and quality gates accordingly.
Without knowing your code, the recommendation SonarQube made, and your definition of “not an issue”, it’s impossible to answer your questions in more detail. I recommend a longer discussion with your development team. A successful rollout of SonarQube requires the support of your developers; it’s not as easy as scanning an existing code base and throwing all recommendations back at them to fix.
Like most tools, SonarQube just provides you information. It’s up to you to set it up so that it gives you the right information, and then act on that information accordingly.
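One concrete way to “adjust the code rules” without switching a rule off for every project is a scoped issue exclusion in the project’s own sonar-project.properties. This is an added example, not configuration from the original thread; the project key, the source path and the rule key `javascript:S1234` are placeholders, and the real rule key has to be copied from the issue SonarQube actually reported:

```properties
# sonar-project.properties (added example; keys below are placeholders)
sonar.projectKey=frontend-app
sonar.sources=src

# Scoped exclusion: ignore ONE rule on ONE path, documented in the repo,
# instead of deleting the rule from a shared quality profile.
# javascript:S1234 stands in for the rule key shown on the issue page.
sonar.issue.ignore.multicriteria=e1
sonar.issue.ignore.multicriteria.e1.ruleKey=javascript:S1234
sonar.issue.ignore.multicriteria.e1.resourceKey=src/legacy/**/*.js
```

Because the exclusion lives in the repository next to the code, it goes through the same review as any other change and can be removed when the legacy directory is cleaned up, while the rule keeps firing everywhere else. For a single finding that the developer has genuinely analysed, marking the issue “False Positive” or “Won’t Fix” in the SonarQube UI with a comment explaining why is the lighter-weight option and leaves an audit trail of the decision.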
I asked the developer who wrote this code, and he said that they haven’t used the component SonarQube flagged as a bug, and that the code is fine…
Now my question is:
I might add a custom rule and exclude the ones that I don’t need,
but what if that rule might be needed in the future?
Also, in some projects SonarQube comes up with fewer bugs, and in some other projects there are almost 100…
but then the code is fine in both of the projects, since the code has been deployed in production.
We are thinking of implementing SonarQube in all the projects, and in that case,
do I need to talk to each one of the developers, because each one is assigned to certain projects?
I just need clarity regarding rules and custom profiles…
Hope I have explained what I intended to say.
The help we can give you here about this specific issue is really limited, since it depends a lot on your own code base and internal processes.
Some food for thought though: If you’re not using the component that SonarQube highlights here, then why is it part of your code base? It should be easy to remove in that case. And if the code was fine, then SonarQube wouldn’t highlight this as a bug.
The “what if that rule might be needed in the future?” question is exactly why you shouldn’t just create a rule to exclude it. When the Check Engine light in your car comes on, the fix is not to put a piece of tape over it. The fix is to take it to a mechanic to repair what’s wrong. It’s the same in this case.