Overview
SonarQube evaluates your code against a set of rules to generate issues.
Overview
SonarQube Server executes rules on source code to generate issues. The way rules are categorized depends on the Overview your instance of SonarQube Server is using.
In Multi-Quality Rule (MQR) mode, rules are categorized by software qualities: security, reliability, and maintainability. A rule may impact more than one software quality.
Under maintainability and reliability, zero false positives are expected. At least this is the target so that developers don’t have to wonder if a fix is required.
For vulnerabilities, the goal is to have more than 80% of issues be true positives.
Security hotspot rules draw attention to security-sensitive code. After being reviewed by a developer, more than 80% of issues are expected to be quickly resolved as "reviewed."
The Sonar Rules catalog is the entry point where you can discover all the existing rules or create new ones based on available templates.
Rules
By default, when selecting the top menu item Rules, you will see all the available rules installed on your SonarQube Server instance. You have the ability to review and narrow the selection based on search criteria in the left sidebar:
- Language: the language to which a rule applies. 
- Software Quality: security, reliability, maintainability bug 
- Security hotspot: security hotspot rules. 
- Understanding measures and metrics: the severity of all the software qualities it has an impact on. 
- Tag: it is possible to add tags to rules in order to classify them and to help discover them more easily. 
- Coding attributes: consistency, intentionality, adaptability, responsibility 
- Repository: the engine/analyzer that contributes rules to SonarQube Server. 
- Status: rules can have 3 different statuses: - Beta: The rule has been recently implemented and we haven’t gotten enough feedback from users yet, so there may be false positives or false negatives. 
- Deprecated: The rule should no longer be used because a similar, but more powerful and accurate rule exists. 
- Ready: The rule is ready to be used in production. 
 
- Available since: the date when a rule was first added on SonarQube Server. This is useful to list all the new rules since the last upgrade of a plugin for instance. 
- Template: display rule templates that allow you to create custom rules (see Custom rules below on this page). 
- Quality profile: inclusion in or exclusion from a specific profile 
If a Quality profile is selected, it is also possible to check for its active severity and whether it is inherited or not. See the Managing quality profiles documentation for more.
Rule details
To see the details of a rule, either click the rule with your mouse or use the right arrow key. Along with basic rule data, you’ll also be able to see which, if any, profiles the rule is active in and how many open issues have been raised with it.
The following actions are available only if you have the correct permission level Administer quality profiles and gates:
- Add/Remove tags: - It is possible to add existing tags on a rule, or to create new rules; simply enter a new name while typing in the text field. 
- Note that some rules have built-in tags that you cannot remove. For example, the rules are provided by the plugins which contribute to the rules. 
 
- Extend description: - You can extend rule descriptions to let users know how your organization is using a particular rule or to give more insight into a rule. 
- Note that the extension will be available to non-admin users as a normal part of the rule details. 
 
Rule templates and custom rules
Rule templates are provided by plugins as a basis for users to define their own custom rules in SonarQube Server.

- To find templates, select the Show Templates Only option from the Template dropdown menu. 
- Rule Template appears below the title indicating that this is a template. 
- Click through the tabs for more information about the custom rule. 
- Click Create to define your custom rule and enter the following information: 
- Name: Enter a meaningful name for the rule. 
- Key (auto-suggested) 
- Type: The options are Issue or Security Hotspot, inherited by default from the template. 
- Category: The options are Consistency, Intentionality, Adaptability, or Responsibility, which are inherited by default from the template. 
- Attribute: The options are Conventional, Identifiable, or Formatted, which are inherited by default from the template. 
- Software Quality: Select all that apply, the options are Security, Reliability, and Maintainability, inherited by default from the template. 
- Severity: The options are Blocker, High, Medium, Low, or Info, inherited by default from the template. 
- Status: The options are Ready, Beta, or Deprecated, inherited by default from the template. 
- Description (Markdown format is supported): Write a meaningful description for your custom rule. 
- The parameters specified by the template 
The Custom rules section contains a list of all custom rules created from the template. Click on the custom rule link to view details or Delete it from the system.
Custom rules
Custom rules are considered like any other rule, except that you can edit or delete them:

Extending coding rules
Custom coding rules can be added. See Adding coding rules for detailed information and tutorials.
Rule types and severities
When using Multi-Quality Rule mode, there are four categories: Security, reliability, maintainability, and security hotspots. Rules are assigned to one or more categories based on the answers to these questions:
Is the rule about code that could be exploited by an attacker? If so, then it’s a security rule.
Is the rule about code that is security-sensitive? If so, then it’s a security hotspot rule.
Is the rule about code that is demonstrably wrong, or more likely wrong than not? If the answer is "yes", then it’s a reliability rule.
Is the rule neither a bug nor a vulnerability? If so, then it’s a maintainability rule.
How severities are assigned
The table below lists the severity metrics used in Multi-Quality Rule mode.
Severity
Definition
Blocker
An issue that has a significant probability of severe unintended consequences on the application that should be fixed immediately. This includes bugs leading to production crashes and security flaws allowing attackers to extract sensitive data or execute malicious code.
High
An issue with a high impact on the application that should be fixed as soon as possible.
Medium
An issue with a medium impact.
Low
An issue with a low impact.
Info
There is no expected impact on the application. For informational purposes only.
To assign severity to a rule, we ask a further series of questions. The first one is basically:
What’s the worst thing that could happen?
In answering this question, we try to factor in Murphy’s Law without predicting Armageddon.
Then we assess whether the impact and likelihood of the worst thing (see the How severity and likelihood are decided section below) are high or low, and plug the answers into a truth table:
Standard Experience
MQR mode
Impact
Likelihood
Blocker
Blocker
✅
✅
Critical
High
✅
❌
Major
Medium
❌
✅
Minor
Low
❌
❌
How severity and likelihood are decided
To assess the severity of a rule, we start from the worst thing (see the How severities are assigned section above) and ask category-specific questions.
Reliability
Impact: Could the worst thing cause the application to crash or corrupt stored data?
Likelihood: What’s the probability that the worst thing will happen?
Security
Impact: Could the exploitation of the worst thing result in significant damage to your assets or your users?
Likelihood: What is the probability that an attacker will be able to exploit the worst thing?
Security hotspots
Security hotspots are not assigned severities as it is unknown whether there is truly an underlying vulnerability until they are reviewed.
What might change after a software update
Sonar developers continually re-evaluate our rules to provide the best results. This process is evident in each release and means some rule-specific properties may change after an upgrade, even in a custom Quality Profile. This is normal and expected, and is no cause for alarm. The following are rule-specific properties that may change in an upgrade:
- Software quality: Software quality (security, reliability, maintainability) updates to rules can occur. Changes to a rule’s qualities will not be applied to issues previously raised by the rule until the project is reanalyzed. 
- Type: Type (bug, vulnerability, code smell) updates happen on occasion. When a rule type is updated, its value will update automatically in every profile that uses it. Although the rule will be updated, issues previously raised by the rule will not be updated. For example, if a rule transitioned from bug to code smell, the existing issues will retain their original bug type, and new issues will get the new type, code smell. 
- Severity: Changes to a rule’s default severity will automatically be applied in quality profiles where the default severity was used. Although the rule will be updated, existing issues raised by the rule will not be updated. Note that it is possible to override a rule’s default severity in a profile, and your custom override should remain intact in your quality profile after the upgrade. 
- Tags: Two types of tags may be attached to a rule: the default tags that come out of the box, and the custom tags added by administrators. When the default tags attached to a rule are updated in SonarQube Server, those changes will happen automatically. Custom tags associated with a rule will not change. 
- Key: Can change but this is uncommon. Typically this happens in the rare case that, for whatever reason, a key that was non-normal needs to be normalized. When the key of a rule is changed, related issues are updated as well, so that they remain related to the re-keyed rule. 
- Status: Status does not affect the operation of a rule and has no impact on its issues. There are three possible rule statuses: beta, ready, and deprecated. Sometimes, rules are first issued in beta status and then moved to ready. Most rules are in ready status; ready to be used in production. When Sonar developers realize that a rule no longer makes sense, they first deprecate the rule, then eventually drop it. 
For a comprehensive list of available rules and their up-to-date properties, see our Sonar Rules catalog.
Rules covered with AI CodeFix
Sonar’s AI CodeFix uses a large language model (LLM) to automatically generate AI-driven code fixes for the issues discovered by SonarQube Server. The process is simple. When you request a fix, the affected code and issue description are sent to an LLM. AI CodeFix then proposes an edit that resolves the problem without changing the code’s functionality.
AI CodeFix currently uses OpenAI’s GPT-4o or your own Azure OpenAI LLM, to suggest fixes for a select set of rules in Java, JavaScript, TypeScript, Python, C#, and C++. To learn more about which rules are eligible for AI CodeFix, please see the list of Rules for AI CodeFix #Rules covered with AI CodeFix.
Last updated
Was this helpful?

