How to exclude all legacy issues by date? - sonarqube

We have a lot of legacy code in our repositories, and we are now implementing SonarQube 6.4, but our legacy code causes a lot of errors and warnings, so we would like to analyze only newly written code (or code modified in the future) and exclude the old code, because we have no resources to amend all issues in legacy code written during the last 10 years.
How can I exclude already found issues, e.g. by the date when they were found? We don't want to exclude all old files as such, because we edit them from time to time. We just want to make sure not to add new issues.

SonarQube promotes the idea of a "leak paradigm". In short, the idea is to continuously enrich your existing code base with clean, maintainable, secure increments - which will make your code base better over time.
Fixing all existing issues is not advisable.
So: define a leak period in SonarQube and change your quality gate to only leak measures. SonarQube is made for exactly your use-case!

You could change all of the issues within a time frame via Bulk Change: filter the issues, then bulk change them accordingly.

Related

How to bypass legacy code in sonarQube analysis?

We have legacy code (10 years old); I want to bypass that code so it is not analyzed in SonarQube. Or, SonarQube should scan only the recent changes which I made to the legacy code, or new files. How can I achieve this? I found that the CutOff Plugin is deprecated since SonarQube 4.0; we are using SonarQube 7.5.
Please help.
SonarScanner doesn't support analyzing only part of the source code (for example, only files newer than a specified date). It always scans everything. If you keep your legacy code in other packages than the new code, then you may configure an exclusion filter to just ignore the old code. You have to set the sonar.exclusions parameter (a comma-separated list of ignored paths). You can read more about Narrowing the Focus in the official documentation.
Be aware that the proposed solution is not recommended. SonarScanner is able to find many vulnerabilities which should be fixed in legacy code as well. It can protect your company against material (e.g. money) and non-material (reputation) losses. The recommended way is to scan all code and use the Quality Gate to prevent introducing new issues. You can read more about it in Fixing the Water Leak.
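If you do go the sonar.exclusions route, it is worth previewing which files a pattern list would actually drop before committing it to sonar-project.properties, since an over-broad pattern silently removes security findings from the report. The script below is an added example, not part of the answer above and not SonarQube's own matcher; it approximates the documented wildcard semantics (`**` for zero or more directory levels, `*` for zero or more characters within one path segment, `?` for one character) and runs it over a constructed file list. The file paths and the pattern list are made up for the example.

```python
import re
from typing import List, Tuple

# Constructed sample file list standing in for a repository's sources.
SAMPLE_FILES = [
    "src/main/java/com/example/legacy/OldService.java",
    "src/main/java/com/example/legacy/util/Helper.java",
    "src/main/java/com/example/api/NewController.java",
    "src/test/java/com/example/legacy/OldServiceTest.java",
    "src/main/resources/generated/Schema.java",
    "src/main/java/com/example/billing/Invoice.java",
]


def sonar_glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one sonar.exclusions-style pattern into a compiled regex.

    Assumed semantics (an approximation of SonarQube's documented wildcards,
    not the scanner's actual implementation):
      **/  zero or more leading directory levels
      **   zero or more characters, including '/'
      *    zero or more characters within a single path segment
      ?    exactly one character within a single path segment
    """
    out: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_exclusions(value: str) -> List[str]:
    """Split a comma-separated sonar.exclusions value into trimmed patterns."""
    return [p.strip() for p in value.split(",") if p.strip()]


def preview_exclusions(files: List[str], exclusions_value: str) -> Tuple[List[str], List[str]]:
    """Return (kept, excluded) for the given files under the given pattern list."""
    regexes = [sonar_glob_to_regex(p) for p in parse_exclusions(exclusions_value)]
    kept: List[str] = []
    excluded: List[str] = []
    for path in files:
        if any(r.match(path) for r in regexes):
            excluded.append(path)
        else:
            kept.append(path)
    return kept, excluded


if __name__ == "__main__":
    # Hypothetical value for the sonar.exclusions property.
    exclusions = "src/main/java/com/example/legacy/**, **/generated/**"
    kept, excluded = preview_exclusions(SAMPLE_FILES, exclusions)
    print("Excluded from analysis:")
    for path in excluded:
        print("  -", path)
    print("Still analyzed:")
    for path in kept:
        print("  +", path)
```

Note that the first pattern only matches the main source tree, so the legacy test class under src/test is still analyzed; whether that is what you want is exactly the kind of surprise a preview like this catches. Treat the output as a sanity check and confirm the real result in the project's Code page after the next analysis.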

can Sonarqube analyse code only on latest perforce changelists

Can SonarQube analyse code only on the latest Perforce changelists? I don't want a code review on the whole code base, as it's legacy code written 10-15 years back.
Can you please help me here or point me to any documentation?
Thanks in advance.
What you're looking for is the Leak Period. I.e. you want to focus on the recent changes to the code. SonarQube is designed to help you do that.
The entire code base will be analyzed, but by default the Quality Gate tests changes on new/leak period code, and the interface is designed to highlight leak period changes.

Using Sonar Qube to flag "new" issues

I've just installed SonarQube and it's understandably found a lot of technical debt that we want to eventually fix. However at the moment, I want to make sure that any new code checked in is evaluated and issues flagged in that.
I know I can mark issues as won't fix, but is there a way to flag issues that have arisen after a certain point in time and leave the existing technical debt as "Will fix later"?
I know ideally I'd like to halt development and fix everything right now, but I've only just got buy in for a CI server and some of my senior colleagues don't even see the point of unit tests, let alone ensuring code quality.
SonarQube focuses now on the Leak Period, i.e. problems introduced recently. This is handled through project versions, so you just need to update your string to start a new leak period and immediately differentiate old code from new.
Take a look at SonarQube itself on SonarQube.com. The highlighted "Leak Period" section on the right brings attention to problems that are new in this version.

SonarQube - How to activate source syntax-highlighting after 5.0 migration WITHOUT make another analysis of components?

I know that the 5.0 release notes say "After the migration, source syntax-highlighting won't be available on a project until it has been successfully analyzed".
BUT, I can't imagine that there is no way to activate it just by running another analysis. In fact, when you have thousands of components (it's our case), you can't plan 4500 analyses just to "restore" a basic but helpful functionality! And it's even more true when you know that the majority of these components haven't been changed for a long time... :(
So, please, tell me that we can write a little batch or program that will do the job without needing to pull all the sources! I don't know how, because I don't understand this limitation of this upgrade (why the sources aren't accessible).
You should trust the release notes. The information required for syntax highlighting is computed during analysis. Note that it also requires the language plugins to support this feature. I suggest upgrading them to the latest versions.

How see duplications from last analysis?

I'm trying to analyze the programmers' profiles. So I'm looking for people who are duplicating code, and trying to understand why they're doing this.
My idea is to identify the cause (whether it is laziness, lack of knowledge, etc.) and attack the problem at the root.
Is there any way to see only the duplications added ONLY in the last analysis of SonarQube?
Just checked on Nemo, and the time machine view just tells you how much code duplication was added since the last analysis, but doesn't actually link to the new issues, unlike other metrics. Most likely it's not supported yet.