While running an analysis, SonarQube raises an issue every time a piece of code breaks a coding rule. The set of coding rules are defined by the associated quality profile for each language in the project.
Ideally, the team wouldn't introduce any new issues (new technical debt). SonarLint helps developers by performing local analyses to check code before pushing it back to the SCM. But in real life, it's not always possible to catch all the issues while you code.
So new issues do get introduced.
Clean Code attributes are characteristics your code needs to have to be considered Clean Code. When an issue is detected in your code, it means that this part of your code lacks one or more of these attributes, and it has an impact on the software qualities. For a detailed description of the attributes, see Clean Code.
Issue types (bug, vulnerability, and code smell) are deprecated. Issues are now tied to Clean Code attributes and software qualities impacted. See Clean Code for more details.
There are three types of issues:
- Bug: A coding mistake that can lead to an error or unexpected behavior at runtime.
- Vulnerability: A point in your code that's open to attack.
- Code Smell: A maintainability issue that makes your code confusing and difficult to maintain.
Info: The old severity feature is deprecated. It is no longer possible to change the severity of an issue. Severity is now tied to the software qualities impacted.
The severity of an issue is determined based on its impact on the software qualities (see Clean Code) and cannot be edited. There are three levels: high, medium, and low.
An issue can have multiple severities if it impacts more than one software quality. For example, an issue can have a high impact on the security of your software, but a low impact on its maintainability. As rules get updated, this will apply to more and more issues.
The severity feature evolved in SonarQube 10.2. The following mapping was applied.
|Old Severity||Mapped to|
The severity values listed below are deprecated.
Each issue has one of five severities:
- BLOCKER: Bug with a high probability to impact the behavior of the application in production. For example, a memory leak, or an unclosed JDBC connection are BLOCKERs that must be fixed immediately.
- CRITICAL: Either a bug with a low probability to impact the behavior of the application in production or an issue that represents a security flaw. An empty catch block or SQL injection would be a CRITICAL issue. The code must be reviewed immediately.
- MAJOR: A quality flaw that can highly impact the developer's productivity. An uncovered piece of code, duplicated blocks, or unused parameters are examples of MAJOR issues.
- MINOR: A quality flaw that can slightly impact the developer's productivity. For example, lines should not be too long, and "switch" statements should have at least 3 cases, are both be considered MINOR issues.
- INFO: Neither a bug nor a quality flaw, just a finding.
Sometimes, issues are self-evident once they're pointed out. For instance, if your team has agreed to an init-lower, camelCase variable naming convention, and an issue is raised on
My_variable, you don't need a lot of background information to understand the problem. In other situations, context may be essential to understanding why an issue was raised. That's why SonarQube supports not only the primary issue location where the issue message is shown but also secondary issue locations. For instance, secondary issue locations are used to mark the pieces of code in a way that adds Cognitive Complexity to a method.
However, there are times when a simple laundry list of contributing locations isn't enough to understand an issue. For instance, when a null pointer can be dereferenced on some paths through the code, what you really need are issue flows. Each flow is a set of secondary locations ordered to show the exact path through the code on which a problem can happen. SonarQube supports multiple flows because there can be multiple paths through the code on which a resource is not released.
Check out this video for more information about understanding issues with multiple locations.
After creation, issues flow through a lifecycle, taking one of the following statuses:
- Open: set by SonarQube on new issues.
- Confirmed: set manually to indicate that the issue is valid.
- Resolved: set manually to indicate that the next analysis should Close the issue.
- Reopened: set automatically by SonarQube when a Resolved issue hasn't actually been corrected.
- Closed: set automatically by SonarQube for automatically created issues.
This also applies to external issues.
Closed issues will have one of the following resolutions:
- Fixed: set automatically when a subsequent analysis shows that the issue has been corrected or the file is no longer available (removed from the project, excluded from a project, or renamed).
- Removed: set automatically when the related rule is no longer available. The rule may not be available either because it has been removed from the Quality Profile or because the underlying plugin has been uninstalled.
Resolved issues will have one of the following resolutions:
- False Positive: set manually.
- Won't Fix: set manually.
Issues are automatically closed (Status: Closed) when:
- an issue of any status has been properly fixed = Resolution: Fixed
- an issue no longer exists because the related coding rule has been deactivated or is no longer available (for example, the plugin has been removed) = Resolution: Removed
Issues are automatically reopened (Status: Reopened) when:
- an issue that was manually Resolved as Fixed, and not a labeled as False positive, is shown by a subsequent analysis to still exist.
To determine the creation date of an issue, an algorithm is executed during each analysis to determine whether an issue is new or existed previously. This algorithm relies on content hashes (excluding whitespace) for the line the issue is reported on. For multi-line issues, the hash of the first line is used. For each file (after the detection of file renaming), the algorithm takes the base list of issues from the previous analysis and tries to match those issues with the raw issue list reported by the new analysis. The algorithm tries to first match using the strongest evidence and then falls back to weaker heuristics.
- If the issue is on the same rule, with the same line number and with the same line hash (but not necessarily with the same message) : MATCH
- Detect block move inside the file, then if the issue is on the same (moved) line and on the same rule (but not necessarily with the same message) : MATCH
- On the same rule, with the same message and with the same line hash (but not necessarily with the same line) : MATCH
- On the same rule, with the same message and with the same line number (but not necessarily with the same line hash) : MATCH
- On the same rule and with the same line hash (but not the same message and not the same line) : MATCH
- Is there a matching CLOSED issue : MATCH and Reopen
Unmatched "base" issues are closed and considered as Fixed.
Unmatched "raw" issues are considered new.
Once an issue has been determined to be "new" as described above, the next question is what date to give it. For instance, what if the issue has existed in code for a long time but was only found in the most recent analysis because new rules were added to the profile? Should this issue be given the date of the last change on its line, or the date of the analysis where it was first raised? That is, should it be backdated? If the date of the last change to the line is available (this requires SCM integration) then under these circumstances, the issue will be backdated:
- On the first analysis of a project or branch.
- When the rule is new in the profile (a brand new rule activated or a rule that was deactivated and is now activated).
- When SonarQube has just been upgraded (because rule implementations could be smarter now).
- When the rule is external.
As a consequence, it is possible that backdating will keep newly raised issues out of new code.
New issues are automatically assigned during analysis to the last committer on the issue line if the committer can be correlated to a SonarQube user. Note that currently, issues on any level above a file, for example, issues reported at a directory or project level, cannot be automatically assigned.
Login and email correlations are made automatically. For example, if the user commits with their email address and that email address is part of their SonarQube profile, then new issues raised on lines where the user was the last committer will be automatically assigned to the user.
Additional correlations can be made manually in the user's profile. For more details, please see the documentation on Security under the Authorization header.
If the SCM login associated with an issue is longer than 255 characters including the characters for an issue author, the author will be left blank.
SonarQube's issues workflow can help you manage your issues. There are seven different things you can do to an issue (other than fixing it in the code!): Comment, Assign, Confirm, Change Severity, Resolve, Won't Fix, and False Positive.
These actions break out into three different categories.
The Confirm, False Positive, Won't Fix, Severity change, and Resolve actions all fall into this category which presumes an initial review of an issue to verify its validity. Assume that it's time to review the technical debt added in the last review period; this time period could be a day, a week, or an entire sprint. You go through each new issue and assign one of the following:
- Confirm: By confirming an issue, you basically say "Yep, that's a problem." Doing so moves it out of "Open" status to Confirmed.
- False Positive: Looking at the issue in context, you realize that for whatever reason, this issue isn't actually a problem. So you mark it as a False Positive and move on. This review assignment requires Administer Issues permission level on the project.
- Severity change: This is the middle ground between the first two options. Yes, it's a problem but it's not as bad a problem as the rule's default severity makes it out to be. Or perhaps it's actually a far worse problem. Either way, you adjust the severity of the issue to bring it in line with what you feel it deserves. This review assignment requires Administer Issues permission level on the project.
- Won't Fix: Looking at the issue in context, you realize that while it's a valid issue, it's not one that actually needs fixing. In other words, it represents accepted technical debt. So you mark it as Won't Fix and move on. This review assignment requires Administer Issues permission level on the project.
- Resolve: If you think you've fixed an open issue, you can Resolve it. If you're correct, the next analysis will move it to closed status. If you're wrong, it's status will go to re-opened.
If you tend to mark a lot of issues as False Positive or Won't Fix, it means that some coding rules are not appropriate for your context. You can either completely deactivate issues in the quality profile or use issue exclusions to narrow the focus of the rules so they are not used on specific parts (or types of objects) of your application; check out the documentation on defining the analysis scope for more details about inclusions and exclusions. Similarly, making a lot of severity changes should prompt you to consider updating the rule severities in your profiles.
As you edit issues, the related metrics, for example, new bugs being reported, will update automatically; as will the Quality gate status if it's relevant.
False-Positive and Won't Fix
You can mark individual issues False Positive or Won't Fix through the issues interface. If you're using PR analysis provided by the Developer Edition, issues marked False Positive or Won't Fix will retain that status after merge. This is the preferred approach.
For most languages, SonarQube supports the use of the generic mechanism:
//NOSONAR at the end of the line of the issue. This will suppress all issues - now and in the future - that might be raised on the line.
Once issues have been through technical review, it's time to decide who's going to deal with them. By default, issues are assigned to the last committer on the issue line (at the time the issue is raised), but you can certainly reassign them to yourself or to someone else. The assignee will receive an email notification of the assignment but only if they signed up for notifications, and the assignment will show up everywhere the issue is displayed, including in the My Issues list in the My Account space.
At any time during the lifecycle of an issue, you can log a comment on it. Comments are displayed in the issue detail in a running log. You have the ability to edit or delete the comments you made.
You can also edit an issue's tags. Issues inherit the tags of the rules that created them, but the tag set on an issue is fully editable. Tags can be created, added, and removed at will for users with the Browse permission level on the project.
Although they are initially inherited from the relevant rule, issue tags are not synchronized with the rule therefore, adding tags to a rule will not add those tags to the rule's issues.
All of these changes and more can be made to multiple issues at once using the Bulk Change option in the issues search results pane.
By default, Closed issues are kept for 30 days. For more details, please see Housekeeping.
From your Project's Issues page, pull up an issue’s detail view and use the Open in IDE button as an authenticated user to edit the issue in your IDE. Understanding the issue in context will help you address it more effectively.
This feature is available to users of:
- SonarLint for IntelliJ 10.0 and above.
- SonarLint for Visual Studio available for opening security hotspots only.
- SonarLint for VS Code 4.0 and above.
- SonarLint for Eclipse available for opening security hotspots only.
The project should already be open in the appropriate IDE and bound to the server using Connected mode; if not, you will be prompted to set up a new connection and must reselect the Open in IDE button (from SonarQube) to reinitiate the jump.
If you’ve already fixed the issue in your code, SonarLint will not be able to find it; only matching code will be highlighted. Keep in mind that the revision or branch analyzed by SonarQube may not be the same as what you have opened in the IDE. In this case, SonarLint will do its best to locate the issue in your local code.
The Open in IDE feature will open security hotspots in all SonarLint IDEs. Please see the Security hotspots page for more details.
© 2008-2023, SonarSource S.A, Switzerland. Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution-NonCommercial 3.0 United States License. SONARQUBE is a trademark of SonarSource SA. All other trademarks and copyrights are the property of their respective owners.