Thank you to all who attended our session! Please find here the questions that were asked during the webinar:
Q: Would the Clean as You Code criteria gate individual PRs analysis if New Code is set to a period like a sprint (14 days) i.e Block a PR after accumulating debt added by others over the period?
A: PR won’t be blocked due to the debt which is not originated from the current PR. The New Code of a PR is based on the code diff, relying on the version control system of PR. The definition of the new code period set for the project will apply to the branches.
Q: How to convince business, project managers or product owners to consider this as the development process? Considering this could feel like more time is taken to deliver new software.
A: Clean as You Code prevents any accumulation of issues and helps enhance the quality of your overall code over time. It proactively prevent introducing business risks in production. Clean as You Code can bolster developer velocity while ensuring a secure, reliable and maintainable code base.
Q:Is the reference branch only available with latest version of SonarQube ?
A: The reference branch New Code definition was already available with SonarQube 9.9 LTS, with your Enterprise Edition. You’ll find documentation about it here: https://docs.sonarsource.com/sonarqube/9.9/project-administration/defining-new-code/
Q: When a PR has commits that deletes, then restores a line of code, SonarQube requires coverage. Is it normal?
A: This is not a bug. In PRs, we consider the code diff from the version control system as new code. If there were no existing tests covering those lines of logic, it will show up in new code coverage.
Q: Can you describe what a Quality Gate is in detail?
A: Quality gates enforce a quality policy in your organization by answering one question: is my project ready for release? Using fail pipelines when the code quality doesn’t meet your defined requirements and prevents problems from being merged or deployed. quality gates has more details.
Q: When do quality gates apply? To every commit/push/some other action?
A: The Quality Gate applies to every analysis. You can configure your CI/CD pipeline so that every push on your repository triggers a SonarQube analysis. SonarQube will show you the Quality Gate status on the corresponding branch or PR.
Q: Why set up code coverage at 80%, and not 100%?
A: You can customize the expected coverage on new code. We recommend by default a value of 80%. From our experience, it appears to be a good starting point to make sure your new code is sufficiently covered by tests. See https://docs.sonarsource.com/sonarqube/latest/user-guide/clean-as-you-code/ for more information
Q: I saw you set up new code definitions with reference branches. Does this mean that SonarQube could be integrated with git?
A: SonarQube is using git blame information for various features. However, you are the one to choose what is the reference branch that applies to your case.
Q: I am trying to set up SonarQube via docker; are all the features presented here also available in the Community Edition?
A: The docker image of SonarQube Community Edition has all the features of the Community Edition. The features of SonarQube don’t depend on whether it’s running from a docker container or not.
Q: Regarding “New code” project settings: Which resources are used to detect that a version bump happened? Is it based on common files like package.json, composer.json, etc?
A: The project version is determined in different ways depending on the build system: pom.xml, build.graddle or via an analysis parameter you can set. See [Defining new code]
Q: Do we have to define our own unit test cases and Unit testing methods to test the coverage? Or does SonarQube do that automatically?
A: SonarQube doesn’t write your tests but imports coverage results from your third-party coverage tool.
You’ll find more documentation about it here: https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/test-coverage/overview/
Q: When it comes to adding in projects to SonarQube, do all projects have to come from the same ALM? or is it possible to have one from say Azure and another from GitHub Enterprise?
A: You can integrate SoanrQube with several ALMs and import your projects for example from both Azure DevOps and GitHub.
Q: Are the features presented during this session also available in SonarCloud?
A: Clean as You Code methodology, Quality Profiles Quality Gates, and much more… are also available in SonarCloud.
Q: Can we see at branch level with the Enterprise Edition?
A: You can define the New Code at global, project and branch level. To configure a specific value at branch level, go to your Project Settings / New Code. See more here: https://docs.sonarsource.com/sonarqube/latest/project-administration/clean-as-you-code-settings/defining-new-code/
Q: Where can we see which rules are being used in the scan?
A: Quality Profiles define the set of rules to be applied during code analysis. Quality profiles
Q: Is there any plan to have integration with the Microsoft Azure environment?
A: SonarQube can already integrate with Azure DevOps - Azure DevOps integration
Q: How can we add tags automatically from gitlab.yml while creating projects on SonarQube?
A: You can’t add tags directly from your gitlab.yml file or with analysis properties. This is an improvement under consideration. Please share more about your need on the corresponding portal card: https://portal.productboard.com/sonarsource/3-sonarqube/c/504-set-tags-as-a-project-property
Q: Is it possible to run two Quality Gate at a time for single project?
A: For a given project, a single Quality Profile applies to each programming language.
Q: How do you parallel release 1.0 and 2.0 at the same time for CaYC in a new codebase setting?
A: Using branches for the different project versions, each of your branches will beneft from their own new code.
Q:. When editing very old code files that were here before SonarQube usage, “new code” gets mixed with recurring issues and actually new issues. What would be a good workflow on fixing those recurring issues?
A: SonarQube makes a clear distinction between the issues in the new code and the old ones. You can prioritize fixing specific issues in the overall code according to your criteria. You can also ask for more detailed advice onour Community Forum to get feedback from our community of users.
Q: Are there any efforts to have native integration with AWS?
A: With SonarCloud we are looking into native integration. SonarQube works just fine with CodeCommit, CodePipeline etc. We are hosting a webinar with AWS on December 14th where we will show the integration of SonarQube with AWS Code* services and EKS.
Q: Will false positive affect other matching issues, so that they get ignored?
A: You can choose to dismiss an individual issue, but also to deactivate a rule from your Quality Profile to ignore all the corresponding issues.
Q: What is the point with inactive rules in Quality Profiles? Are these considered more restricted, as inherited profiles can only activate inactive rules?
A: The built-in quality profiles activate a set of rules that should be applicable to most projects. You may want to adjust your profiles with additionnal rule to take it a step further.
Note that, starting from SonarQube 10.3, you can also deactivate rules that are activated in the parent profile.
Q: What can be the reason to exclude some files from duplication analytics?
A: A typical example can be to ignore generated files that can present a lot of similarities and on which you can’t really act.
Q: What is the latest stable enterprise edition recommended to be upgraded to?
A: You have the choice between the 9.9 Long Term Supported version or install the latest version. If you adopt the latest version, you should be prepared to upgrade regularly
You’ll find help for your decision here: SonarQube Long-Term Support Download.
Q: What is the recommended upgrade frequency?
A: Only the LTS (9.9 LTS) and the latest version (10.x) are officially supported by Sonar. Sonar releases a new version of SonarQube approximately every two months, We come out with a LTS release almost every 18 months. SonarQube 9.9 is the latest LTS that was released in Q1 of 2023.
Q: If I raise PR, does SonarQube analyse the whole code and report the issues on New code only? Also, what are the scans not included in a PR compared to a CD scan to speed it up?
A: SonarQube analyzes only the files changed in your PR. Still, it leverages its knowledge of the entire codebase to identify relevant issues in the new code.
Q: What are causes for code not being scanned properly? What are things that could cause SonarQube to not cover the code during analysis?
A: We suggest checking which edition of SonarQube you are using, which languages it supports, and what language your project is written in. Details of language support can be found here: Plans & Pricing
Q: Can we add conditions for Vulnerabilities, code smells etc?
A: You can create custom conditions. However, we recommend fixing all the issues in the new code to keep the quality of your code under control.
Q: Does SonarQube support MuleSoft’s DataWave 2.0?
A: SonarQube doesn’t support the DataWeave programming language. However, we invite you to share your need on the SonarQube portal for the idea to be reviewed: https://portal.productboard.com/sonarsource/3-sonarqube/tabs/5-under-consideration/submit-idea