Note: Rencore will no longer provide updates for the SPCAF integration into SonarQube. SPCAF version 18.104.22.168 is the last plugin available; support will continue for as long as we continue to support SPCAF version 22.214.171.124.
Once you have run your analysis in SonarQube, the results show the severity of each issue found in your project. The table below explains what those severity levels mean in SonarQube.
| Severity | Meaning |
|---|---|
| Blocker | Operational/security risk: this issue might make the whole application unstable in production. Ex: calling the garbage collector, not closing a socket, etc. |
| Critical | Operational/security risk: this issue might lead to unexpected behavior in production without impacting the integrity of the whole application. Ex: NullPointerException, badly caught exceptions, lack of unit tests, etc. |
| Major | This issue might have a substantial impact on productivity. Ex: overly complex methods, package cycles, etc. |
| Minor | This issue might have a potential, minor impact on productivity. Ex: naming conventions, a finalizer that does nothing but call the superclass finalizer, etc. |
| Info | Unknown or not yet well-defined security risk or impact on productivity. |
So how do these severity levels in SonarQube map to those of SPCAF?
Since both systems use the same number of severity levels, the mapping is straightforward, as you can see in the table below:
For a detailed explanation of the SPCAF severity levels, please see the Knowledge Base article "What do the reports mean after the SPCAF analysis?"