Name:  image6.png
Views: 3904
Size:  48.0 KB

A SonarQube quality model implements the SQALE methodology (Software Quality Assessment based on Lifecycle Expectations) with certain improvements. As it is well known, the SQALE methodology focuses mainly on the complexity of the code maintainability and does not take the project risks into account.

For example, if there is a critical security problem detected in a project, the strict following SQALE methodology requires you to address all the existing reliability issues, changeability, testability and so on and only then go back to the new critical problem. In fact, it's much more important to focus on fixing new bugs, if potential problems have been living in the code for quite a long time and there were no user bug reports.

Taking that into account, SonarQube developers have modified the quality model, based on SQALE to focus on the following important points:

  • The quality model should be as simple as possible
  • Bugs and vulnerabilities should not get lost among the maintainability issues
  • Serious bugs and security vulnerabilities in the project should lead to the fact that the Quality Gate requirements aren't met
  • Maintainability issues of the code are important too and cannot be ignored
  • The estimation of the remediation cost (using the SQALE analysis model) is important and should be carried out

The standard SonarQube Quality Gate uses the following metric values to assess if the code has passed the checks successfully:

  • 0 new bugs
  • 0 new vulnerabilities
  • technical debt ratio on the new code <= 5%
  • the new code coverage is not less than 80%

Sonar team has defined 7 deadly sins of developers that increase the technical debt:

  • Bugs and potential bugs
  • Violation of coding standards
  • Code duplication
  • Insufficient unit tests coverage
  • Poor distribution of complexity
  • Spaghetti design
  • Too few or too many comments

The SonarQube platform is designed to help fight these sins.

In this article we'll look at the main features of SonarQube - a platform for continuous analysis and measurement of code quality, and we'll also discuss advantages of the methods for code quality evaluation based on the SonarQube metrics.