SPCAF Results Severity Mappings in SonarQube

Note: Please note that Rencore will no longer provide updates for SPCAF integration into SonarQube. SPCAF version is the last plugin available, support will continue as we continue to support SPCAF version

Once you have performed your analysis in SonarQube you will have the results which then shows the severity if any with your project. Below is a table of what those severity means in SonarQube.

Blocker Operational/security risk: This issue might make the whole application unstable in production. Ex: calling garbage collector, not closing a socket, etc.
Critical Operational/security risk: This issue might lead to an unexpected behavior in production without impacting the integrity of the whole application. Ex: NullPointerException, badly caught exceptions, lack of unit tests, etc.
Major This issue might have a substantial impact on productivity. Ex: too complex methods, package cycles, etc.
Minor This issue might have a potential and minor impact on productivity. Ex: naming conventions, Finalizer does nothing but call superclass finalizer, etc.
Info Unknown or not yet well-defined security risk or impact on productivity.

So how do these severity levels in SonarQube map to those of SPCAF

As there is the same number of levels of severity on both systems the mapping is straightforward as you can see in the table below:

Critical Critical Error 
Major Critical Warning
Minor Warning
Info Information

For a detailed explanation for the SPCAF Severity levels please go to the Knowledge Base article What do the reports mean after the SPCAF analysis?

Have more questions? Submit a request


Please sign in to leave a comment.