Once the SonarQube analysis has run, the results show each issue found in your project together with its severity. The table below explains what each severity level means in SonarQube.
| Severity | Meaning |
|---|---|
| Blocker | Operational/security risk: the issue might make the whole application unstable in production. Ex: calling the garbage collector, not closing a socket, etc. |
| Critical | Operational/security risk: the issue might lead to unexpected behaviour in production without affecting the integrity of the whole application. Ex: NullPointerException, badly caught exceptions, lack of unit tests, etc. |
| Major | The issue might have a substantial impact on productivity. Ex: overly complex methods, package cycles, etc. |
| Minor | The issue might have a small impact on productivity. Ex: naming conventions, a finalizer that does nothing but call the superclass finalizer, etc. |
| Info | Unknown or not yet well-defined security risk or impact on productivity. |
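The security-relevant point in that table is that only the top two levels, Blocker and Critical, are described as operational/security risks; Major and below are productivity concerns. The following script, added here as an example and not taken from the original article or from SonarQube, tallies issues by severity and decides whether a build should be blocked on that basis. The input is shaped like the JSON returned by SonarQube's `api/issues/search` endpoint (a list under `issues`, each with a `severity` field); the sample response, its issue keys and its rule names are constructed for illustration.

```python
"""Tally SonarQube issues by severity and flag the operational/security-risk levels.

Added example, not code from the original article or from SonarQube.
The input approximates the JSON shape of SonarQube's api/issues/search
response; the sample below is constructed, not a real scan result."""
import json
from collections import Counter

# SonarQube severity levels, highest first, as described in the table above.
SEVERITY_ORDER = ["BLOCKER", "CRITICAL", "MAJOR", "MINOR", "INFO"]

# Levels the table describes as operational/security risk.
RISK_LEVELS = {"BLOCKER", "CRITICAL"}

# Constructed sample response (keys, rule names and messages are made up).
SAMPLE_RESPONSE = json.dumps({
    "total": 4,
    "issues": [
        {"key": "issue-1", "rule": "example:socket-not-closed", "severity": "BLOCKER",
         "message": "Socket is never closed."},
        {"key": "issue-2", "rule": "example:swallowed-exception", "severity": "CRITICAL",
         "message": "Exception is caught and ignored."},
        {"key": "issue-3", "rule": "example:complex-method", "severity": "MAJOR",
         "message": "Method is too complex."},
        {"key": "issue-4", "rule": "example:todo-comment", "severity": "INFO",
         "message": "TODO comment found."},
    ],
})


def count_by_severity(response_json: str) -> dict:
    """Return {severity: count} for every SonarQube level, highest first.

    Raises ValueError on a severity the table does not define, so a
    malformed export is noticed rather than silently ignored."""
    data = json.loads(response_json)
    counts = Counter()
    for issue in data.get("issues", []):
        sev = str(issue.get("severity", "")).upper()
        if sev not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity {sev!r} on issue {issue.get('key')!r}")
        counts[sev] += 1
    return {sev: counts[sev] for sev in SEVERITY_ORDER}


def risk_issue_keys(response_json: str) -> list:
    """Keys of the issues at an operational/security-risk level (Blocker, Critical)."""
    data = json.loads(response_json)
    return [issue["key"] for issue in data.get("issues", [])
            if str(issue.get("severity", "")).upper() in RISK_LEVELS]


def highest_severity(response_json: str):
    """The most severe level present, or None when there are no issues."""
    counts = count_by_severity(response_json)
    for sev in SEVERITY_ORDER:
        if counts[sev]:
            return sev
    return None


def build_should_fail(response_json: str) -> bool:
    """Gate policy: fail when any Blocker or Critical issue is present."""
    return bool(risk_issue_keys(response_json))


if __name__ == "__main__":
    print("counts:", count_by_severity(SAMPLE_RESPONSE))
    print("risk issues:", risk_issue_keys(SAMPLE_RESPONSE))
    print("highest:", highest_severity(SAMPLE_RESPONSE))
    print("fail build:", build_should_fail(SAMPLE_RESPONSE))
```

The gate deliberately keys off severity alone, which is exactly what the table defines; a real pipeline would usually combine it with the project's quality gate and with the issue type (bug, vulnerability, code smell), which this example does not model.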
So how do these SonarQube severity levels map to those of SPCAF?
Both systems have the same number of severity levels, so the mapping is straightforward, as the table below shows:
For a detailed explanation of the SPCAF severity levels, see the Knowledge Base article "What do the reports mean after the SPCAF analysis?".