SonarQube - how to specify last successfull analysis as Leak Period

8
votes

We are using SonarQube 5.5 (latest to date).

Our project contains a lot of legacy code that wouldn't pass our desired Quality Gate, so we decided to ignore technical debt which is already there, but be strict about new changes.

So we are enjoying Leak concept and default Quality Gate that considers only new changes.

We use Continuous Integration and Continuous Delivery, so we run SonarQube analysis for every CI build to be able to give immediate feedback to developers whether their changes fail the Quality Gate, so issues are not left till the end of sprint, or new technical debt accumulated.

We set Leak Period to previous_version as we increment version number every run, but as far as I understand it could be set to previous_analysis in our case with the same effect.

The problem with this approach is that next good commit will clear the state of the project (Green, was Red) as analysis for last only commit will pass the Quality Gate. Although the code already contains the issue introduced in previous commit.

If Leak Period is set to a fixed date\version (A custom date or A version options), analysis will run for cumulative commits, and individual "bad" commits can squeeze through unnoticed, causing issues later in the cycle. So it doesn't satisfy "immediate" requirement. Imagine that after a fixed date\version there were 5 commits of the same size - 4 from "good" developers following TDD so with 100% coverage, and 1 from "bad" guy whose changes has 0% coverage. In average it will pass the default condition "Coverage on new code is not less than 80%", but in reality we want to give feedback to such "bad" guys as soon as possible, so they improve their practices.

If Leak Period is set to rolling Number of days before analysis, the state of the Gate will clear as soon as this number of days passes since the last "bad" commit, while issue could still be there in the code.

We need to be able to analyze individual commits (similar to "previous_version" Leak Period option in SQ). But in case last commit passes QG and previous one failed, we should analyze them together to see if last commit actually fixes the problem from previous one, so that the project as a whole can be deemed as passed.

So, in essence we should be analyzing all the commits since the last successful analysis

There is no such option for Leak Period. Is there any other way to achieve this?

1
continuous-integrationsonarqubecontinuous-deliverysoftware-quality
I don't understand why the "A version" or "A date" wouldn't work. At SonarSource, we are running analyses on each commit, and leak is set to "previous_version" (because we don't increment the version on each commit): that works perfectly. You can't miss issues introduced in a bad commit that happened during the leak period (whatever the period) because issues are tracked. So I don't really understand your problem. - Fabrice - SonarSource Team
@Fabrice-SonarSourceTeam, sorry for not explaining this better. Imagine that after a fixed date\version there were 5 commits of the same size - 4 from "good" developers following TDD so with 100% coverage, and 1 from "bad" guy whose changes has 0% coverage. In average it will pass the default condition "Coverage on new code is not less than 80%", but in reality we want to give feedback to such "bad" guys as soon as possible, so they improve their practices. - Ivan
@Fabrice-SonarSourceTeam, also, IMHO logically if code passes Quality Gate in SonarQube, it could be deemed as "good" and so Leak period can be reset to this version of the code. In your case if I understood correctly you increment version manually only when you are happy about that version not just from SonarQube perspective but after some other checks (completeness of the version?, tests passing in the pipeline?, etc), so only then you increment the version and it resets the Leak Period. But ... why analyzing code which has already been analyzed earlier and deemed to be "good"? - Ivan
@Ivan you'd be better served by code reviews to help a developer improve his code coverage - Teryk - SonarSource
Unfortunately never solved this. - Ivan

1 Answers

-1
votes

To track a developer's code coverage you can do several things: