Understanding SonarQube: Quantifying Software Quality, Rule Types, Severities, and Metrics

How to Quantify Software Quality

Using tools such as SonarQube can improve developer productivity and code quality, promoting a degree of standardization that is crucial when software components are shared among multiple developers.

SonarQube performs static analysis of source code to assess reliability, maintainability, security, complexity, test coverage, and code duplication, assigning a score based on the severity of detected defects.

When software quality remains high, it ensures greater security, reduces lifecycle costs, shortens maintenance time, and creates value for producers, customers, and investors.

SonarQube Rule Categories

SonarQube classifies rules into four types: Code Smells, Bugs, Vulnerabilities, and Security Hotspots.

Code Smells indicate programming flaws that do not cause incorrect behavior but make the code harder to maintain.

Bugs are unintended or incorrect behaviors that reduce program reliability.

Vulnerabilities are weaknesses that can be exploited to compromise system security.

Security Hotspots are not defects but potential weaknesses that could become vulnerabilities, such as improper cookie settings or non‑standard encryption algorithms.

Severity Levels

Each rule violation generates an issue with a severity level:

Blocker : An error that can change program behavior and must be addressed.

Critical : An error unlikely to change behavior but represents a serious security flaw.

Major : Defects that reduce developer productivity, such as duplicated code or unused variables.

Minor : Minor productivity impacts, like overly long lines or insufficient case branches.

Info : Non‑defects such as TODO comments or deprecated structures.

Five Issue States

An issue can be in one of five states after creation: (1) Open, (2) Confirmed, (3) Resolved (no further analysis needed), (4) Reopened (reported as fixed but not truly corrected), and (5) Closed (no longer recognized as an issue). Issues are closed when fixed or when the associated rule becomes unavailable.

Metric Ratings

Quality metrics include complexity, duplication, maintainability, reliability, security, size, and test coverage.

Reliability Rating

A = 0 bugs

B = at least one minor bug

C = at least one major bug

D = at least one critical bug

E = at least one blocker bug

Security Rating

A = 0 vulnerabilities

B = at least one minor vulnerability

C = at least one major vulnerability

D = at least one critical vulnerability

E = at least one blocker vulnerability

Technical Debt Rating

The Technical Debt Ratio (TD Ratio) compares debt to estimated development time (LOC × 30 min). Ratings are:

A = TD ≤ 5 %

B = 6 % – 10 %

C = 10 % – 20 %

D = 21 % – 50 %

E = TD ≥ 50 %

Lower Production Cost for High‑Quality Software

If you practice continuous integration, SonarQube should not be ignored because it checks code after every change, helping maintain consistently high software quality.

Happy coding!