Hello, in my company I have to do static analysis on a legacy project in PHP (about 24k LoC). The system engineer installed SonarQube Developer edition 10.4.
I then received a document from a third-party company with the quality gate written on it to use for my company’s projects (I paste them here).
- Issues is greater than 0
- Security Hotspots Reviewed is less than 100%
- Coverage (%) is less than 80.0%
- Duplicated Lines (%) is greater than 5.0%
- Blocker Issues is greater than 0
- Critical Issues is greater than 0
- Maintainability Rating is worse than B
- Reliability Rating is worse than B
- Security Rating is worse than B
What is not clear to me is: should I also use these metrics for the new code? My manager thought it might be “safer” to use these metrics for both new code and overall code, but I’m not so sure…
Furthermore, I believe that this gate is very stringent.
Welcome to the community and thank you for asking!
To get straight to the point:
- Yes, this is very stringent when applied to Overall code.
- No, we would not advise applying this to Overall code.
- (Most of) these criteria should be used for New Code only.
Specifically, it is a Very Bad Idea to apply “Issues is greater than 0” to overall code in a legacy project. Unless you’re writing firmware for hospital equipment, car braking, astronaut safety, etc., it’s just not reasonable to suddenly start analyzing 24k LOC and expect to go immediately to 0 issues.
Instead, you should apply Clean as You Code. That means making sure the new code you check in is fully covered and issue-free. Our own real-world experience shows that by focusing on keeping New Code clean you will gradually, naturally clean up the old code as business requests lead you to doing maintenance in it.
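To make the "New Code only" recommendation concrete, here is an added example (not code from the thread, SonarSource or the third-party document) that takes the nine conditions quoted in the question and turns each into the parameters SonarQube's `api/qualitygates/create_condition` web-API call expects, selecting the `new_*` metric key instead of the overall one. The metric keys, the `gateName`/`metric`/`op`/`error` parameter names and the Bearer-token authentication are assumptions taken from the SonarQube web-API documentation, not from the post; the gate name and server URL are placeholders. Rating thresholds are expressed numerically (A=1 … E=5), so "worse than B" becomes `GT 2`.

```python
"""Translate a human-readable quality-gate document into SonarQube
create_condition calls, defaulting to the New Code metrics."""
import json
import os
import urllib.parse
import urllib.request

# The nine conditions exactly as listed in the question (constructed input).
GATE_DOC = [
    ("Issues", "is greater than", "0"),
    ("Security Hotspots Reviewed", "is less than", "100%"),
    ("Coverage (%)", "is less than", "80.0%"),
    ("Duplicated Lines (%)", "is greater than", "5.0%"),
    ("Blocker Issues", "is greater than", "0"),
    ("Critical Issues", "is greater than", "0"),
    ("Maintainability Rating", "is worse than", "B"),
    ("Reliability Rating", "is worse than", "B"),
    ("Security Rating", "is worse than", "B"),
]

# Document wording -> (overall metric key, New Code metric key).
# Assumption: these are the metric keys used by the SonarQube web API.
METRIC_KEYS = {
    "issues": ("violations", "new_violations"),
    "security hotspots reviewed": ("security_hotspots_reviewed", "new_security_hotspots_reviewed"),
    "coverage (%)": ("coverage", "new_coverage"),
    "duplicated lines (%)": ("duplicated_lines_density", "new_duplicated_lines_density"),
    "blocker issues": ("blocker_violations", "new_blocker_violations"),
    "critical issues": ("critical_violations", "new_critical_violations"),
    "maintainability rating": ("sqale_rating", "new_maintainability_rating"),
    "reliability rating": ("reliability_rating", "new_reliability_rating"),
    "security rating": ("security_rating", "new_security_rating"),
}

# Ratings are stored as numbers: "worse than B" fails when the value exceeds 2.
RATING_VALUE = {"A": "1", "B": "2", "C": "3", "D": "4", "E": "5"}

OPERATORS = {"is greater than": "GT", "is less than": "LT", "is worse than": "GT"}


def condition_params(gate_name, name, op_text, threshold, new_code=True):
    """Build the form parameters for one create_condition call."""
    overall_key, new_key = METRIC_KEYS[name.strip().lower()]
    error = RATING_VALUE.get(threshold, threshold.rstrip("%"))  # "80.0%" -> "80.0"
    return {
        "gateName": gate_name,
        "metric": new_key if new_code else overall_key,
        "op": OPERATORS[op_text],
        "error": error,
    }


def build_gate(gate_name, doc=GATE_DOC, new_code=True):
    """Translate every line of the document; New Code metrics by default."""
    return [condition_params(gate_name, n, o, t, new_code) for n, o, t in doc]


def apply_gate(base_url, token, conditions):
    """POST each condition to a live server (only called from __main__)."""
    for params in conditions:
        data = urllib.parse.urlencode(params).encode()
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/api/qualitygates/create_condition",
            data=data,
            headers={"Authorization": f"Bearer {token}"},  # assumed auth scheme
        )
        with urllib.request.urlopen(req) as resp:  # raises on HTTP errors
            print(resp.status, params["metric"])


if __name__ == "__main__":
    # Placeholder gate name; the real server URL and token come from the environment.
    conditions = build_gate("Legacy PHP - New Code")
    print(json.dumps(conditions, indent=2))
    if os.environ.get("SONAR_HOST_URL") and os.environ.get("SONAR_TOKEN"):
        apply_gate(os.environ["SONAR_HOST_URL"], os.environ["SONAR_TOKEN"], conditions)
```

Running it without `SONAR_HOST_URL` and `SONAR_TOKEN` set only prints the translated conditions, which is a convenient way to review what the gate would contain before creating it; passing `new_code=False` to `build_gate` reproduces the overall-code gate the question describes, for comparison.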