Hi
I’ve seen the announcement
and various questions whether the analysis scope could be controlled per rule, but without answers, e.g.
Is there still no way to control for me as user whether applying a rule make sense for my code base as on test level?
I think it is quite unfortunate if a simple update of Sonar introduces thousands of issues to your codebase.
I would appreciate if it could be controlled on rule level to which scope it should be applied.
Best,
Thomas
Hi @Thomas_Mauch,
Unfortunately, there aren’t any significant updates on this issue. However, I recommend using the Ignore Issues on Multiple Criteria feature at either the global or project level to reduce unnecessary alerts.
For example, to exclude java:S1874 from all test files, you could set up a rule similar to the one shown below:
Hope this helps!
Hi Colin,
Thanks for your answer. Yes, then ignoring the issues like this seems to be the best option. We would still prefer, if we could control per rule in the quality profile whether it should be active for tests or not.
Thanks,
Thomas
HI @Thomas_Mauch ,
Thomas,
I understand your concerns about the impact that SonarQube updates can have on your codebase, especially when it comes to test code. You raise a valid point - it can be quite unfortunate if a simple SonarQube update introduces thousands of new issues, particularly in your test code.
Regarding the management of quality profiles, I avoid using the default or built-in quality profiles to better control the updates to the quality profiles used by my teams. I make it a practice to backup and version the quality profiles in XML format. When upgrading SonarQube, I compare the quality profiles and work with the development teams to ensure the changes proposed by SonarQube are consistent with our internal development standards.
As for the application of rules to production code versus test code, SonarQube currently does not provide the functionality to use different quality profiles for these two code types. However, you have to decide whether your test code should be held to the same quality standards as your production code, or if it should be excluded from the analysis altogether.
If you choose to include the test code, you’ll need to decide whether to keep or exclude certain rules - it will be an all-or-nothing decision for the entire codebase, both production and test.
An other solution then @Colin’s could be to keep certain rules and consider all the issues identified in the test sources as false positives or “won’t fix”.
I hope these suggestions are helpful in managing the SonarQube analysis of your test code. Please let me know if you have any other questions.
