Rules not getting updated in default sonar Quality profile

Hello ,

I am using community edition of sonarqube 9.1 and I was going through the console where when I click on Quality profile , for Java I can see one profile that is sonar way .

After click on the sonarway for Java I could see Active rules as “461” and inactive rules as “152”

So I have 2 question in my mind :

  1. why there are 152 inactive rules ?
  2. If these are newly added rules in sonarqube for Java , then why these are inactive and how can i update them automatically .

Thanks in advance.

Hi @Jitender_Negi

Thanks for reaching out here!
The Quality Profile sonar-way you mention is the built-in Quality Profile, that we offer in the platform when you install the product. (See more info here)
Among the entire list of rules available for a certain language (here for Java, 461+152=613 rules in the Community Edition 9.1 server you are using), we selected a list of rules that we activated and found relevant for the majority of the SonarQube users.

Fyi, you can find here the entire list of available rules for Java (warning: some are available only running a commercial edition (Developer at least) - written on the bottom of each rule), in the latest release (currently 9.3). → You should upgrade at your earliest convenience to 9.3, as this is the latest (and supported) version of SonarQube.

If you want to change stuff in the Quality Profile, you have to create your own Quality Profile.
You have 2 options:

  • either you create a Copy of the built-in sonarway profile, and you will be able to activate/deactivate rules (with the Copy option)
  • or you create a Child of the built-in sonarway profile (with the Extend option)
    In that specific option, the Quality profile will be updated as soon as you upgrade the platform to a new version that has new rules for this specific language. You will get all activated rules from the Parent and you will be able to activate more rules if you want (but you will not be able to deactivate existing activated rules).

In this page of our documentation you’ll find more about how to manage Quality Profiles (and eventually compare two profiles to see what’s new in the new version of SonarQube).

Hope this helps!

Hello @Carine_Bayon

Thank you for your reply .

So In short can we say that the default sonar profile don’t gets updated automatically until or unless we upgrade the sonar version.

Also is this the same case with security hotspots too … for example a person is working with sonar and in the mean time Log4j vulnerability comes in the IT world … so will sonar automatically rule will automatically upgrade itself or I have to upgrade the sonar version .


Hello @Jitender_Negi

Indeed, the Quality Profiles don’t get updated automatically without you running an upgrade of SonarQube version, as the analyser (and rules) are bound to specific versions (and we don’t have access to your platform to run upgrade on your behalf :wink: )
To benefit from all latest rules, you should upgrade to the latest release (currently 9.3).

If you don’t want to manage the upgrade of your platform, you can also have a look at SonarCloud, which is our self-hosted solution, that you can use if you have repos stored on an cloud-based ALM solution (,, Azure Devops Services or Bitbucket Cloud).

Have a nice day

1 Like

Hi Carine,

whoa, mind blown. This is actually the first time i find out that there are rules that are only available in commercial editions.

Can i somewhere see a list of all these rules? If not … could you please forward the following suggestion to the relevant parties involved?

I would like to suggest that rules that are only availabe in commercial editions of sonarqube must be tagged (e.g. in the page you mentioned ( ) with a fitting tag … for example “commercial” or something else that fits your taste of diplomacy better but is still sufficiently explanatory.

This way i - as someone caring for the ruleset - can get an overview of the things i need to look into when switching to a commercial edition.


P.S.: Like this :slight_smile:

Hi @daniel

I will forward your insight to my dev colleagues indeed.
For what it worth, globally the rules that aren’t available in Community Edition but only in commercial editions are Security-related rules, for injection detection, taint analysis…
If you select “injection” for example as a tag, you will see that all rules are available only in commercial editions.


1 Like

thank you … and the “workaround” is helpful to find these rules!

also, with your explanation, it now is more clear to me where the distinction comes from :+1: