This repository has been archived by the owner on Jan 7, 2021. It is now read-only.
So, just an idea here, maybe you can help me out if I'm missing something:
We have a Pull Request - we want to either approve the PR and then merge into 'master' if no issues of a defined severity (Blocker or Critical) are present in the code for the PR... but, as discussed, this is not allowed for in the sonar-stash plugin. The plugin approves the PR only if NO issues are present - severity level doesn't matter. We good up to here? Okay, so what if I just define a Quality Profile in SonarQube which contains only those issues we consider Critical or Blockers and use that for the Pull Request Approval scan - no issues found, we approve as before and Merge takes place (how to automate the merge on Pull Request approval is my next issue...);
This may sound self-evident to others, and indeed may be the intended use of Quality Profiles - what I am suggesting is that the Quality Profiles in SQ reflect the "context" of your scan - are you in a DevSecOps 'fail fast' environment? Define a QP with security (quality) issues that are "show stoppers" only and run that - then, out of the DevOps pipeline - run the "full" scan w/a larger number of issues as you define them, etc...
Again, this may seem evident to some... we did this with other static analyzers and I presume QPs are the equivalent of "filter sets" and other issue configurations for the other scanners - so the Quality Profile becomes the critical thing used to determine if a Pull Request is approved... therefore, I suppose I would like a way of passing in a Quality Profile so I can get my "fail fast/DevSecOps" scan run (Critical/Blocker issues only) and then my out-of-pipeline scan w/the full set of all issues as defined by my other Quality Profile.
Thoughts/Feedback?
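The approval rule the post asks for (reject a pull request only while an open Blocker or Critical issue remains, rather than on any open issue at all), as an added example that is not sonar-stash's or SonarQube's own code. It runs over a constructed issue list whose shape follows the SonarQube issues-search response (an "issues" array with "severity", "status", "resolution" and "rule" fields; that shape and the rule keys are assumptions of this example). `plugin_style_gate` reproduces the behaviour the post describes for the plugin, `severity_gate` implements the proposed threshold, and its optional `profile_rules` argument emulates scanning with a reduced Quality Profile that contains only show-stopper rules:

```python
"""Severity-threshold PR gate over SonarQube-style issue data (added example)."""
import json
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional

# Severities that block approval, as the post proposes.
BLOCKING_SEVERITIES: FrozenSet[str] = frozenset({"BLOCKER", "CRITICAL"})

# Constructed sample payload. Its shape follows the SonarQube issues search
# response (assumption of this example); the rule keys are invented placeholders.
SAMPLE_PAYLOAD = json.dumps({
    "issues": [
        {"key": "i1", "rule": "constructed:injection", "severity": "CRITICAL",
         "status": "OPEN", "component": "app:src/Login.java"},
        {"key": "i2", "rule": "constructed:naming", "severity": "MINOR",
         "status": "OPEN", "component": "app:src/Login.java"},
        {"key": "i3", "rule": "constructed:hardcoded-credential", "severity": "BLOCKER",
         "status": "RESOLVED", "resolution": "FALSE-POSITIVE",
         "component": "app:src/Config.java"},
        {"key": "i4", "rule": "constructed:duplication", "severity": "MAJOR",
         "status": "OPEN", "component": "app:src/Util.java"},
    ]
})


@dataclass
class Decision:
    approve: bool
    blocking: List[str] = field(default_factory=list)  # issue keys that reject the PR
    ignored: List[str] = field(default_factory=list)   # open issues below the threshold


def parse_issues(payload: str) -> List[Dict]:
    """Decode the JSON payload into a list of issue dicts."""
    return json.loads(payload).get("issues", [])


def is_open(issue: Dict) -> bool:
    """Resolved or closed issues (false positive, won't fix, fixed) never gate a PR."""
    return issue.get("status") not in {"RESOLVED", "CLOSED"} and not issue.get("resolution")


def plugin_style_gate(issues: Iterable[Dict]) -> Decision:
    """Behaviour the post describes for sonar-stash: any open issue, of any severity, rejects."""
    open_keys = [i["key"] for i in issues if is_open(i)]
    return Decision(approve=not open_keys, blocking=open_keys)


def severity_gate(issues: Iterable[Dict],
                  blocking: FrozenSet[str] = BLOCKING_SEVERITIES,
                  profile_rules: Optional[FrozenSet[str]] = None) -> Decision:
    """Approve unless an open issue carries a blocking severity.

    profile_rules emulates a reduced Quality Profile: when given, only issues
    raised by rules in that set are considered at all, which is the effect the
    post expects from scanning with a "show-stoppers only" profile.
    """
    decision = Decision(approve=True)
    for issue in issues:
        if not is_open(issue):
            continue
        if profile_rules is not None and issue.get("rule") not in profile_rules:
            continue  # rule not in the profile: the scan would never have raised it
        if issue.get("severity") in blocking:
            decision.blocking.append(issue["key"])
        else:
            decision.ignored.append(issue["key"])
    decision.approve = not decision.blocking
    return decision


if __name__ == "__main__":
    issues = parse_issues(SAMPLE_PAYLOAD)
    print("plugin style:      ", plugin_style_gate(issues))
    print("severity threshold:", severity_gate(issues))
    print("reduced profile:   ",
          severity_gate(issues, profile_rules=frozenset({"constructed:hardcoded-credential"})))
```

On the sample data the plugin-style rule rejects because three issues are open, the severity threshold rejects only on the one Critical issue and records the Minor and Major ones as ignored, and the reduced-profile run approves because the only rule in that profile has no open issue. The two modes give the same answer whenever every rule in the reduced profile is Blocker or Critical, which is the equivalence the post relies on; they diverge if a lower-severity rule is left in the profile, so the threshold check is the more robust place to encode the policy.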
It turns out that the ability to pass in a QP is deprecated - the community wanted to assure baseline results for all scans so they did away with it - which sort of is horrible for me - as it is, without the ability to dynamically swap out quality profiles, I have to pursue other routes for implementation... it seems like a common use case... I think some of the workflow plugins might assist... some custom code might be necessary somewhere along the way... was going to start looking at my options today...
I am interested in your findings and it would be great if you could report them here afterwards.
My personal goal is to tie the whole approval logic to the quality gate, but this is still blocked by SonarQube itself. See #95