
Standards and best practices for SonarQube Administration Configurations

This document describes the global administration configuration for SonarQube (version 9.9).

Overview

  • Users with admin rights on the SonarQube instance can configure the global administration settings under Administration → Configuration
  • SonarQube is installed at sonarqube.mdtproductdevelopment.com
  • Official docs for global administration settings can be found here

1. ALM Integrations

ALM integrations allow SonarQube to interact with ALM. This enables things like authentication, or providing analysis details and a Quality Gate to Pull Requests directly in ALM provider's interface.

1.1 ALM Integration with Azure DevOps

  • To create an ALM integration with Azure DevOps, go to Administration → Configuration → ALM Integrations → Azure DevOps and select Create Configuration
  • Three values have to be set in the configuration
  • Configuration Name : The name used to identify your Azure DevOps configuration at the project level
    • Name should be easily recognizable and succinct
  • Azure DevOps URL : URL of the Azure DevOps Services organization
    • The full organization URL has to be provided
  • Personal Access Token : Token of the user that will be used to decorate Pull Requests
    • Token should be generated against a service account
    • Authorization for Code Read and Write should be provided

2. Analysis Scope Settings

These settings configure what should be analyzed. Wildcards can be used in the values of the analysis scope settings. More information can be found in the documentation

2.1 Code Coverage

This section provides options to configure the files that should be ignored by code coverage calculations

2.1.1 Coverage Exclusions

Description

Patterns used to exclude some files from coverage report

Key: sonar.coverage.exclusions

Configuration

Value: TBD

2.2 Duplications

This section provides the option to configure the files that should be ignored by the duplication detection mechanism

2.2.1 Duplication Exclusions

Description

Patterns used to exclude some source files from the duplication detection mechanism

Key: sonar.cpd.exclusions

Configuration

Value: TBD

2.3 Files

This section provides the option to configure the files that should be completely ignored by the analysis

2.3.1 Global Source File Exclusions

Description

Patterns used to exclude some source files from analysis. They apply to every project and cannot be overridden.

Key: sonar.global.exclusions

Configuration

Value: TBD

2.3.2 Source File Exclusions

Description

Patterns used to exclude some source files from analysis

Key: sonar.exclusions

Configuration

Value: TBD

2.3.3 Global Test File Exclusions

Description

Patterns used to exclude some test files from analysis. They apply to every project and cannot be overridden

Key: sonar.global.test.exclusions

Configuration

Value: TBD

2.3.4 Source File Inclusions

Description

Patterns used to include some source files and only these ones in analysis

Key: sonar.inclusions

Configuration

Value: TBD

2.3.5 Test File Exclusions

Description

Patterns used to exclude some test files from analysis

Key: sonar.test.exclusions

Configuration

Value: TBD

2.3.6 Test File Inclusions

Description

Patterns used to include some test files and only these ones in analysis

Key: sonar.test.inclusions

Configuration

Value: TBD

2.4 Issues

This section provides the option to configure the conditions under which issues should not be reported

2.4.1 Ignore Issues on Files

Description

Patterns to ignore all issues (except the ones from the common repository) on files that contain a block of code matching a given regular expression

Key: sonar.issue.ignore.allfile

Configuration

Value: TBD

2.4.2 Ignore Issues in Blocks

Description

Patterns to ignore all issues (except the ones from the common repository) on specific blocks of code, while continuing to scan and mark issues on the remainder of the file

Key: sonar.issue.ignore.block

Regular Expression for Start of Block - If this regular expression is found in a file, the following lines are ignored until the end of the block

Regular Expression for End of Block - If specified, this regular expression is used to determine the end of the code blocks to ignore. If not specified, the block ends at the end of the file

Configuration

Value: TBD

2.4.3 Ignore Issues on Multiple Criteria

Description

Patterns to ignore issues on certain components and for certain coding rules

A rule key pattern consists of the rule repository name, followed by a colon, followed by a rule key or rule name fragment

Example: squid:S1195 squid:*Naming*

Key: sonar.issue.ignore.multicriteria

Rule Key Pattern - Pattern to match rules which should be ignored

File Path Pattern - Pattern to match files which should be ignored

Configuration

Value: TBD

2.4.4 Restrict Scope of Coding Rules

Description

Patterns to restrict the application of a rule to only certain components, ignoring all others

A rule key pattern consists of the rule repository name, followed by a colon, followed by a rule key or rule name fragment.

Example: squid:S1195 squid:*Naming*

Key: sonar.issue.enforce.multicriteria

Rule Key Pattern - Pattern used to match rules which should be restricted.

File Path Pattern - Pattern used to match files to which the rules should be restricted.

Configuration

Value: TBD
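The following is an added example (not part of this document and not SonarQube's own code) showing how the wildcard file patterns of section 2.3 and the issue-ignore settings of section 2.4 combine to decide whether a file is analyzed and whether a given issue survives. It assumes the usual SonarQube wildcard convention (** for any directories, * within one path segment, ? for one character), and that the start and end lines of an ignored block are themselves ignored; the sample source and patterns are constructed for illustration.

```python
import re

# SonarQube path wildcards (assumed convention, not SonarQube's own code):
# "**" spans directories, "*" stays within one segment, "?" is one character.
def path_pattern_to_regex(pattern):
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            token, i = "(?:.*/)?", i + 3      # zero or more directories
        elif pattern.startswith("**", i):
            token, i = ".*", i + 2            # anything, across directories
        elif pattern[i] == "*":
            token, i = "[^/]*", i + 1
        elif pattern[i] == "?":
            token, i = "[^/]", i + 1
        else:
            token, i = re.escape(pattern[i]), i + 1
        out.append(token)
    return re.compile("^" + "".join(out) + "$")

def matches_path(pattern, path):
    return path_pattern_to_regex(pattern).match(path) is not None

def matches_rule(pattern, rule_key):
    # "repository:key" with "*" wildcards, e.g. squid:S1195 or squid:*Naming*
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, rule_key) is not None

def is_excluded(path, exclusion_patterns):
    # sonar.exclusions and friends: the file is dropped if any pattern matches
    return any(matches_path(p, path) for p in exclusion_patterns)

def issue_is_reported(rule_key, path, ignore_criteria, enforce_criteria):
    """Criteria are (rule pattern, path pattern) pairs. An issue is dropped if an
    ignore pair matches, or its rule is enforced and the file matches no enforce path."""
    for rule_pat, path_pat in ignore_criteria:
        if matches_rule(rule_pat, rule_key) and matches_path(path_pat, path):
            return False
    allowed = [pp for rp, pp in enforce_criteria if matches_rule(rp, rule_key)]
    if allowed and not any(matches_path(pp, path) for pp in allowed):
        return False
    return True

def ignored_line_numbers(source, start_regex, end_regex=None):
    """1-based lines silenced by an Ignore-Issues-in-Blocks pair; start and end
    lines count as inside (assumption), no end regex means up to end of file."""
    start = re.compile(start_regex)
    end = re.compile(end_regex) if end_regex else None
    ignored, inside = set(), False
    for number, line in enumerate(source.splitlines(), 1):
        if not inside and start.search(line):
            inside = True
        elif inside and end and end.search(line):
            ignored.add(number)
            inside = False
        if inside:
            ignored.add(number)
    return ignored

# Constructed sample source for the block check.
SAMPLE_SOURCE = "int a;\n// BEGIN-GENERATED\nint b;\n// END-GENERATED\nint c;\n"
```

Running the ignore and enforce patterns through issue_is_reported before saving them is a cheap way to confirm that a broad path pattern does not silence security rules in production code.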

3. Azure Active Directory

These settings provide the options for Azure Active Directory (AAD) integration

3.1 Authentication

3.1.1 Enabled

Description

Enable Azure AD users to log in. Value is ignored if client ID and secret are not defined.

Key: sonar.auth.aad.enabled

Configuration

Value: ON

3.1.2 Client ID

Description

Client ID provided by Azure AD when registering the application

Key: sonar.auth.aad.clientId.secured

Configuration

Value: ReplaceWithClientSecret

3.1.3 Client Secret

Description

Client key provided by Azure AD when registering the application

Key: sonar.auth.aad.clientSecret.secured

Configuration

Value: ReplaceWithClientSecret

3.1.4 Multi-tenant Azure Application

Description

Option to specify whether the application is registered as multi-tenant

Key: sonar.auth.aad.multiTenant

Configuration

Value: OFF

3.1.5 Tenant ID

Description

Azure AD Tenant ID to be used

Key: sonar.auth.aad.tenantId

Configuration

Value: d73a39db-6eda-495d-8000-7579f56d68b7

3.1.6 Allow users to sign-up

Description

Allow new users to authenticate. When set to 'false', only existing users will be able to authenticate to the server

Key: sonar.auth.aad.allowUsersToSignUp

Configuration

Value: ON

3.1.7 Login generation strategy

Description

When the login strategy is set to 'Unique', the user's login will be auto-generated the first time so that it is unique. When the login strategy is set to 'Same as Azure AD login', the user's login will be the Azure AD login

Key: sonar.auth.aad.loginStrategy

Configuration

Value: Same as Azure AD login

3.1.8 Directory Location

Description

The location of the Azure installation

Key: sonar.auth.aad.directoryLocation

Configuration

Value: Azure AD (Global)

3.2 Groups Synchronization

3.2.1 Enable Groups Synchronization

Description

Enable groups synchronization from Azure AD to SonarQube. For each Azure AD group the user belongs to, the user will be associated with the group of the same name (if it exists) in SonarQube

Key: sonar.auth.aad.enableGroupsSync

Configuration

Value: ON

4. External Analyzers Settings

4.1 Android

4.1.1 Android Lint Report Files

Description

Paths (absolute or relative) to xml files with Android Lint issues

Key: sonar.androidLint.reportPaths

Configuration

Value: TBD

4.2 Apex

4.2.1 PMD Report Files

Description

Paths (absolute or relative) to xml files with PMD issues

Key: sonar.apex.pmd.reportPaths

Configuration

Value: TBD

4.3 C#

4.3.1 Ignore issues from external Roslyn analyzers

Description

If set to 'true', issues reported by external Roslyn analyzers won't be imported

Key: sonar.cs.roslyn.ignoreIssues

Configuration

Value: OFF

4.3.2 Rule categories associated with Bugs

Description

External rule categories to be treated as Bugs

Key: sonar.cs.roslyn.bugCategories

Configuration

Value: TBD

4.3.3 Rule categories associated with Vulnerabilities

Description

External rule categories to be treated as Vulnerabilities

Key: sonar.cs.roslyn.vulnerabilityCategories

Configuration

Value: TBD

4.3.4 Rule categories associated with Code Smells

Description

External rule categories to be treated as Code Smells. By default, external issues are Code Smells, or Bugs when the severity is error

Key: sonar.cs.roslyn.codeSmellCategories

Configuration

Value: TBD

4.4 Java

4.4.1 Checkstyle Report Files

Description

Paths (absolute or relative) to xml files with Checkstyle issues

Key: sonar.java.checkstyle.reportPaths

Configuration

Value: TBD

4.4.2 PMD Report Files

Description

Paths (absolute or relative) to xml files with PMD issues

Key: sonar.java.pmd.reportPaths

Configuration

Value: TBD

4.4.3 SpotBugs Report Files

Description

Paths (absolute or relative) to xml files with SpotBugs issues

Key: sonar.java.spotbugs.reportPaths

Configuration

Value: TBD

4.5 JavaScript/TypeScript

4.5.1 ESLint Report Files

Description

Paths (absolute or relative) to the JSON files with ESLint issues

Key: sonar.eslint.reportPaths

Configuration

Value: TBD

4.5.2 TSLint Report Files

Description

Paths (absolute or relative) to the JSON files with TSLint issues

Key: sonar.typescript.tslint.reportPaths

Configuration

Value: TBD

4.6 Kotlin

4.6.1 Detekt Report Files

Description

Paths (absolute or relative) to checkstyle xml files with detekt issues

Key: sonar.kotlin.detekt.reportPaths

Configuration

Value: TBD

4.7 Python

4.7.1 Bandit Report Files

Description

Paths (absolute or relative) to json files with Bandit issues

Key: sonar.python.bandit.reportPaths

Configuration

Value: TBD

4.7.2 Flake8 Report Files

Description

Paths (absolute or relative) to report files with Flake8 issues

Key: sonar.python.flake8.reportPaths

Configuration

Value: TBD

4.7.3 Pylint Report Files

Description

Paths (absolute or relative) to report files with Pylint issues

Key: sonar.python.pylint.reportPaths

Configuration

Value: TBD

4.8 Ruby

4.8.1 RuboCop Report Files

Description

Paths (absolute or relative) to json files with RuboCop issues

Key: sonar.ruby.rubocop.reportPaths

Configuration

Value: TBD

4.9 Scala

4.9.1 Scalastyle Report Files

Description

Paths (absolute or relative) to scalastyle xml files with Scalastyle issues

Key: sonar.scala.scalastyle.reportPaths

Configuration

Value: TBD

4.9.2 Scapegoat Report Files

Description

Paths (absolute or relative) to scapegoat xml files using scalastyle format

Key: sonar.scala.scapegoat.reportPaths

Configuration

Value: TBD

4.10 Swift

4.10.1 SwiftLint Report Files

Description

Paths (absolute or relative) to the JSON files with SwiftLint issues

Key: sonar.swift.swiftLint.reportPaths

Configuration

Value: TBD

4.11 VB.NET

4.11.1 Ignore issues from external Roslyn analyzers

Description

If set to 'true', issues reported by external Roslyn analyzers won't be imported

Key: sonar.vbnet.roslyn.ignoreIssues

Configuration

Value: OFF

4.11.2 Rule categories associated with Bugs

Description

External rule categories to be treated as Bugs

Key: sonar.vbnet.roslyn.bugCategories

Configuration

Value: TBD

4.11.3 Rule categories associated with Vulnerabilities

Description

External rule categories to be treated as Vulnerabilities

Key: sonar.vbnet.roslyn.vulnerabilityCategories

Configuration

Value: TBD

4.11.4 Rule categories associated with Code Smells

Description

External rule categories to be treated as Code Smells. By default, external issues are Code Smells, or Bugs when the severity is error

Key: sonar.vbnet.roslyn.codeSmellCategories

Configuration

Value: TBD

5. General Settings

5.1 Duplications

5.1.1 Cross project duplication detection

Description

(DEPRECATED) By default, SonarQube detects duplications at project level. This means that a block duplicated in two different projects won't be reported. Setting this parameter to "true" allows duplicates to be detected across projects.

Key: sonar.cpd.cross_project

Configuration

Value: OFF

5.2 Email

5.2.1 Email prefix

Description

Prefix will be prepended to all outgoing email subjects

Key: email.prefix

Configuration

Value: TBD

5.2.2 From address

Description

Emails will come from this address

Key: email.from

Configuration

Value: TBD

5.2.3 From name

Description

Emails will come from this address name

Key: email.fromName

Configuration

Value: TBD

5.2.4 Secure connection

Description

Type of secure connection. Leave empty to not use a secure connection

Key: email.smtp_secure_connection.secured

Configuration

Value: TBD

5.2.5 SMTP host

Description

SMTP Host to be used for email. Leave blank to disable email sending.

Key: email.smtp_host.secured

Configuration

Value: TBD

5.2.6 SMTP password

Description

Password to use with authenticated SMTP

Key: email.smtp_password.secured

Configuration

Value: TBD

5.2.7 SMTP port

Description

Port number to connect with SMTP server

Key: email.smtp_port.secured

Configuration

Value: TBD

5.2.8 SMTP username

Description

Username to use with authenticated SMTP

Key: email.smtp_username.secured

Configuration

Value: TBD

5.3 General

5.3.1 Avoid quality profiles notification

Description

Avoid sending email notification on each update of built-in quality profiles to quality profile administrators

Key: sonar.builtInQualityProfiles.disableNotificationOnUpdate

Configuration

Value: OFF

5.3.2 Server base URL

Description

HTTP(S) URL of this SonarQube server, such as https://yourhost.yourdomain/sonar. This value is used to create links in emails

Key: sonar.core.serverBaseURL

Configuration

Value: https://sonarqube.mdtproductdevelopment.com

5.4 Issues

5.4.1 Default Assignee

Description

New issues will be assigned to this user each time it is not possible to determine the user who is the author of the issue

Key: sonar.issues.defaultAssigneeLogin

Configuration

Value: TBD

5.4.2 Disable developer aggregated information

Description

Don't show issue facets aggregating information per developer

Key: sonar.developerAggregatedInfo.disabled

Configuration

Value: TBD. OFF by default

5.5 Look & Feel

5.5.1 About page text

Description

Optional text that is displayed on the About page. Supports html

Key: sonar.lf.aboutText

Configuration

Value: TBD

5.5.2 Enable support of gravatars

Description

Gravatars are profile pictures of users based on their email

Key: sonar.lf.enableGravatar

Configuration

Value: TBD. OFF by default

5.5.3 Gravatar URL

Description

Optional URL of custom Gravatar service. Accepted variables are {EMAIL_MD5} for MD5 hash of email and {SIZE} for the picture size in pixels

Key: sonar.lf.gravatarServerUrl

Configuration

Value: TBD

5.5.4 Logo URL

Description

URL to logo image. Any standard format is accepted

Key: sonar.lf.logoUrl

Configuration

Value: TBD

5.5.5 Width of image in pixels

Description

Width in pixels, given that the height of the image is constrained to 30px

Key: sonar.lf.logoWidthPx

Configuration

Value: TBD

5.6 Quality Gate

5.6.1 Ignore duplication and coverage on small changes

Description

Quality Gate conditions about duplications in new code and coverage on new code are ignored until the number of new lines is at least 20

Key: sonar.qualitygate.ignoreSmallChanges

Configuration

Value: ON

6. New Code Behavior

6.1 Default New Code behavior

The New Code definition is used to compare measures and track new issues. More information on New Code can be found in the documentation. This setting is the default for all projects. A specific New Code definition can be configured at project level.

Previous Version

Description

The New Code will be based on the analysis following the previous version.

Number of days

Description

A floating window set to a specific number of days used to define New Code. Number of days has to be specified.

Configuration

Value: Previous Version

7. Portfolio Settings

7.1 PDF Reports

7.1.1 Frequency

Description

Defines the default frequency that will be used to send PDF reports for portfolios

  • "Daily" => report is sent during the first portfolio calculation of the day (if any)
  • "Weekly" => report is sent during the first portfolio calculation of the week (if any), starting from Midnight on Monday
  • "Monthly" => report is sent during the first portfolio calculation of the month (if any), starting from the first day of the current month

Key: sonar.governance.report.view.frequency

Configuration

Value: Monthly

7.1.2 Recipients

Description

Email addresses of people who will automatically receive a PDF report for every portfolio defined in the system, based on the given frequency

Key: sonar.governance.report.view.recipients

Configuration

Value: TBD. Email recipients to be identified

7.2 Recalculation

7.2.1 Portfolio Calculation Hours

Description

Hours of the day at which outdated portfolios will be recalculated. Portfolios will be queued at the beginning of each selected hour. A 24-hour clock is used, so valid values are 0–23. If this value is empty or invalid, each portfolio will be recalculated immediately after it becomes outdated.

By default, portfolios are queued for recalculation after each analysis of an included project. If recalculation causes performance problems, specific hours can be set here, in which case portfolios are queued for recalculation at the beginning of the specified hour(s).

Key: sonar.portfolios.recompute.hours

Configuration

Value: EMPTY

8. SAST Engine configuration

8.1 Configuration

8.1.1 C# custom configuration

Description

Custom configuration of the C# SAST engine. Details on the expected JSON format can be found on the 'Security Engine Custom Configuration' documentation page

Key: sonar.security.config.roslyn.sonaranalyzer.security.cs

Configuration

Value: TBD

8.1.2 Java custom configuration

Description

Custom configuration of the Java SAST engine. Details on the expected JSON format can be found on the 'Security Engine Custom Configuration' documentation page

Key: sonar.security.config.javasecurity

Configuration

Value: TBD

8.1.3 PHP custom configuration

Description

Custom configuration of the PHP SAST engine. Details on the expected JSON format can be found on the 'Security Engine Custom Configuration' documentation page

Key: sonar.security.config.phpsecurity

Configuration

Value: TBD

8.1.4 Python custom configuration

Description

Custom configuration of the Python SAST engine. Details on the expected JSON format can be found on the 'Security Engine Custom Configuration' documentation page

Key: sonar.security.config.pythonsecurity

Configuration

Value: TBD

9. Technical Debt Configuration

9.1 Technical Debt

9.1.1 Development cost

Description

Cost to develop one line of code (LOC). Example: if the cost to develop 1 LOC has been estimated at 30 minutes, then the value of this property would be 30.

Key: sonar.technicalDebt.developmentCost

Configuration

Value: 30

Language specific parameters - Language Key

Description

The parameters specified here for a given language will override the general parameters defined in this section.

Key: languageSpecificParameters

Ex: java, cs, cpp...

Configuration

Value: TBD

Language specific parameters - Development cost

Description

The parameters specified here for a given language will override the general parameters defined in this section

Key: languageSpecificParameters

Configuration

Value: TBD

9.1.2 Maintainability rating grid

Description

Maintainability ratings range from A (very good) to E (very bad). The rating is determined by the value of the Technical Debt Ratio, which compares the technical debt on a project to the cost it would take to rewrite the code from scratch. The default values for A through D are 0.05,0.1,0.2,0.5. Anything over 0.5 is an E. Example: assuming the development cost is 30 minutes, a project with a technical debt of 24,000 minutes for 2,500 LOC will have a technical debt ratio of 24000/(30 * 2,500) = 0.32. That yields a maintainability rating of D.

Key: sonar.technicalDebt.ratingGrid

Configuration

Value: 0.05,0.1,0.2,0.5
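The following is an added example (not part of this document and not SonarQube's own implementation) that carries the technical debt ratio and rating grid of section 9.1 through in code, including the per-language development cost overrides from the 'Language specific parameters' rows. It assumes that a ratio landing exactly on a grid threshold still receives the better rating; the language keys and LOC figures are constructed inputs.

```python
RATING_GRID = "0.05,0.1,0.2,0.5"   # sonar.technicalDebt.ratingGrid, value from this page
DEVELOPMENT_COST = 30               # sonar.technicalDebt.developmentCost, minutes per LOC

def parse_rating_grid(grid):
    # Four ascending thresholds bound ratings A, B, C and D; anything above is E.
    thresholds = [float(v) for v in grid.split(",")]
    if len(thresholds) != 4 or thresholds != sorted(thresholds):
        raise ValueError("rating grid must be four ascending thresholds")
    return thresholds

def technical_debt_ratio(debt_minutes, loc_by_language, cost_overrides=None):
    """debt / (development cost * LOC). cost_overrides maps a language key
    (java, cs, cpp...) to a per-language development cost, as in the
    'Language specific parameters' rows above."""
    overrides = cost_overrides or {}
    rewrite_cost = sum(loc * overrides.get(lang, DEVELOPMENT_COST)
                       for lang, loc in loc_by_language.items())
    return debt_minutes / rewrite_cost if rewrite_cost else 0.0

def maintainability_rating(ratio, grid=RATING_GRID):
    # Assumption: a ratio exactly on a threshold still earns the better rating.
    for letter, threshold in zip("ABCD", parse_rating_grid(grid)):
        if ratio <= threshold:
            return letter
    return "E"

def rate_project(debt_minutes, loc_by_language, cost_overrides=None, grid=RATING_GRID):
    ratio = technical_debt_ratio(debt_minutes, loc_by_language, cost_overrides)
    return round(ratio, 4), maintainability_rating(ratio, grid)
```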