SonarQube glossary

A

application
In SonarQube Server, the aggregation of multiple projects into a synthetic single project. Applications allow you to see your set of projects as a larger, overall meta-project. 

C

CI/CD host
The host on which the CI/CD pipeline runs and the Sonar scanner analysis is performed.

Clean as You Code
A methodology that helps you achieve a state of Clean Code.

Clean Code
Clean Code ensures that your software works as intended and meets high standards of quality. The Sonar solution is designed to help you achieve a state of Clean Code, that is, code whose attributes make your software secure, reliable, and maintainable.

cognitive complexity
A Sonar exclusive metric formulated to more accurately measure the relative understandability of methods. Cognitive complexity breaks from using mathematical models to assess software maintainability by combining cyclomatic complexity precedents with human assessment. It yields method complexity scores that align well with how developers perceive maintainability.

connected mode
The mode used by SonarQube for IDE when connected to SonarQube (Cloud, Server) or SonarQube Community Build. This mode allows users to get the most out of the Sonar solution. The mode used by SonarQube for IDE when not in connected mode is called standalone mode.

cyclomatic complexity
A software metric used to indicate the complexity of a program. It is a quantitative measure of the number of linearly independent paths through a program's source code. 

D

deprecated
A warning related to a feature indicating that the feature still works but will not work at some point in the future.

E

external issue
An issue detected by an external, third-party analyzer and imported into SonarQube.

external rule
A rule applied in an external, third-party analyzer, and that raises external issues.

F

false positive
Users can assign a false positive status to an issue raised during a code analysis that was wrongly classified as an issue.

I

inactive branch
A branch that has not been analyzed for more than seven consecutive days.

injection vulnerability
A security issue that identifies injection risks in the code. SonarQube (Cloud, Server) and SonarQube Community Build use taint analysis - a technology used to track tainted data - to detect injection vulnerabilities (Tainted data refers to unsanitized external data, which exposes the code to injection attacks.). SonarQube for IDE, in connected mode, can show injection vulnerabilities.

issue
A problem in your code that prevents it from being Clean Code. Each issue is linked to one Clean Code attribute which is associated with one or more software qualities, each with a level of severity.

issue assignee
The user assigned to the issue.

issue author
The last committer on the issue line.

issue flow
A path through the code shown in the UI from the source to the sink when the issue originated upstream.

issue primary location
The location where the issue message is displayed.

issue secondary location
A location additional to the primary location that may help to understand the issue.

issue severity
In MQR mode, represents the impact level of the issue on a given software quality. In Standard mode, represents the issue severity. It is inherited from the rule that raised the issue and may take the values: Blocker, High, Medium, Low, Info.

K

keystore
A repository that contains personal certificates, plus the corresponding private keys that are used to identify the owner of the certificate for cryptographic protocols such as TLS. 

L

language analyzer
An engine used by the SonarScanners to analyze the code files. Depending on the language, different analyzers are used.

LOC
Lines of Code. Number of analyzed lines of code in all private projects of your SonarQube Cloud organization or of your SonarQube Server instance. The maximum allowed LOC depends on your SonarQube Server edition or SonarQube Cloud organization's subscription.

local user
In SonarQube Server and SonarQube Community Build, if the automatic provisioning mode is enabled with a third-party identity provider (e.g. GitHub or GitLab), all users that are not auto-provisioned (i.e., manually created users, or through another identity provider Just-in-Time-provisioned users), are called local users.

long-lived branch
A branch that plays a continuous role within the development process of a software project. The main branch of a repository is always considered a long-lived branch, usually representing the next release of the project. SonarQube Cloud processes the analysis of long-lived branches differently from short-lived branches.

M

main branch
The default branch. This branch typically corresponds to what's being developed for your next release. This branch is usually known within a development team as "main", "develop" or "head" and is analyzed when no specific branch parameters are provided.

maintainability issue
Issue impacting the maintainability of your code. Is called a code smell in the Standard Experience.

measure
The value of a metric for a given file or project at a given time. For example, 125 lines of code on class MyClass or the density of duplicated lines = 30.5% on project myProject can be considered a measure.

metric
A type of measurement. Metrics can have varying measures over time. A metric may be either qualitative (for example, the density of duplicated lines, line coverage by tests, etc.) or quantitative (for example, the number of lines of code, the complexity, etc.).

monorepo
A software development strategy in which the code for a number of projects is stored in the same repository.

MQR mode
Multiple-Quality Rule mode. In this mode, a rule measures the impact on one or several software qualities (e.g., a rule can impact your software reliability and security). A severity is assigned to each software quality associated with the rule and determines how much that software quality is impacted when the rule is broken. Compared to the Standard Experience, this mode offers a more accurate reflection of your software’s health through different lenses. The MQR mode is supported in SonarQube (Cloud, Server) and SonarQube Community Build.

N

new code
Any line of code added or modified compared to a baseline. The baseline depends on the new code definition applied to the analysis.

new code definition
The setting that determines what code is considered new code. For example, it may be code that has changed since the previous project version or since a specific date. 

O

old code
Code that is not considered new code.

organization
A group of projects on a repository platform. The organization (or workspace, or group) concept is represented in SonarQube Cloud but not in SonarQube Server or Community Build.

overall code
All code. Consists of both new code and old code.

P

PDF report
PDF reports give a periodic, high-level overview of the code state through a number of lenses, including releasability, security, reliability, and maintainability. 

portfolio
A grouping of several projects that enables an aggregate view of the project metrics and risks.

project
In the Sonar products, the entity that corresponds to a project in the DevOps platform and is related to the repository storing the project code.

pull request decoration
The display in the DevOps platforms’ interface of the pull request analysis results.

Q

quality gate
A set of conditions on quality measures to enforce a quality policy. A project passes its associated quality gate if its analysis results meet the quality gate's conditions.

quality profile
Defines a set of rules to be applied during code analysis for a given language. 

R

reference branch
In SonarQube Server, a new code definition refers to the code that has changed compared to a selected reference branch.

regulatory report
In SonarQube Server, a zip file containing a snapshot of a branch including a branch overview, the relevant configuration items, and a list of findings (operational risks).

reindexing
For a SonarQube Server or SonarQube Community Build project, the rebuild of the Elasticsearch indexes.

reliability issue
Issue impacting the reliability of your code. Is called a bug in the Standard Experience.

remediation cost
The estimated time required to fix code issues.

rule
A coding standard or practice that should be followed. The analysis applies the rules defined through the quality profiles to the code. If a rule is broken, an issue is raised.

S

scanner
A standalone program that runs on the CI/CD host, manages the analysis of projects, and sends the results to the server. SonarSource offers different scanners that can hook up into different systems to automatically extract the project’s configuration out of that system. 

security hotspot
A security-sensitive piece of code that needs to be manually reviewed. Upon review, users will either find that there is no threat or that there is vulnerable code that needs to be fixed.

security issue
Issue impacting the security. Is called a vulnerability in the Standard Experience.

security report
Security reports help users understand where they may have issues related to various security standards.

short-lived branch
Branches that are intended to exist only temporarily. They are typically a child branch of a long-lived branch and are intended to be merged back into that parent branch within a relatively short period. SonarQube Cloud processes the analysis of short-lived branches differently from long-lived branches.

snapshot
A set of measures and issues on a given project at a given time. A snapshot is generated for each analysis.

sonar property
A key/value pair in which the key has the sonar.<property> syntax and used to manage parameters in Sonar products. 

Standard Experience
In this mode, a rule impacts either the reliability, maintainability, or security of your code (the respective issues raised are called bugs, code smells, or vulnerabilities). The rule severity measures the severity level of an issue raised by this rule. The Standard Experience is supported in SonarQube Server and SonarQube Community Build.

T

technical debt
The estimated time required to fix all issues impacting the maintainability.