In SonarCloud, analyzers contribute rules executed on source code to generate issues. There are four types of rules:
- Code smell (maintainability domain)
- Bug (reliability domain)
- Vulnerability (security domain)
- Security hotspot (security domain)
For code smells and bugs, zero false-positives are expected. At least this is the target so that developers don't have to wonder if a fix is required.
For vulnerabilities, the target is to have more than 80% of issues be true-positives.
Security hotspot rules draw attention to code that is security-sensitive. It is expected that more than 80% of the issues will be quickly resolved as "reviewed" after review by a developer.
The Rules page is the entry point where you can discover all the existing rules or create new ones based on provided templates.
By default, when entering the top menu item "Rules," you will see all the available rules brought by the analyzers available on SonarCloud. You can narrow the selection based on search criteria in the left pane:
- Language: the language to which a rule applies.
- Type: bug, vulnerability, code smell, or security hotspot rules.
- Tag: it is possible to add tags to rules in order to classify them and to help discover them more easily.
- Repository: the engine/analyzer that contributes rules to SonarCloud.
- Default severity: the original severity of the rule - as defined by the analyzer that contributes this rule.
- Status: rules can have 3 different statuses:
- Beta: The rule has been recently implemented and we haven't gotten enough feedback from users yet, so there may be false positives or false negatives.
- Deprecated: The rule should no longer be used because a similar, but more powerful and accurate rule exists.
- Ready: The rule is ready to be used in production.
- Available since: date when a rule was first added on SonarCloud. This is useful to list all the new rules since the last upgrade of a plugin for instance.
- Template: display rule templates that allow to create custom rules (see later on this page).
- Quality Profile: inclusion in or exclusion from a specific profile
If a quality profile is selected, it is also possible to check for its active severity and whether it is inherited or not.
See the Quality Profile documentation for more.
To see the details of a rule, either click on it, or use the right arrow key. Along with basic rule data, you'll also be able to see which, if any, profiles it's active in and how many open issues have been raised with it.
The following actions are available only if you have the right permissions ("Administer Quality Profiles and Gates"):
- Add/Remove tags:
- It is possible to add existing tags on a rule, or to create new ones (just enter a new name while typing in the text field).
- Note that some rules have built-in tags that you cannot remove - they are provided by the plugins which contribute the rules.
- Extend description:
- You can extend rule descriptions to let users know how your organization uses a particular rule, or give more insight on a rule.
- Note that the extension will be available to non-admin users as a normal part of the rule details.
Rule types and severities
How are rules categorized? The SonarCloud Quality Model divides rules into four categories: bugs, vulnerabilities, security hotspots, and code smells. Rules are assigned to categories based on the answers to these questions:
Is the rule about code that is demonstrably wrong, or more likely wrong than not? If the answer is "yes", then it's a bug rule. If not...
Is the rule about code that could be exploited by a hacker? If so, then it's a vulnerability rule. If not...
Is the rule about code that is security-sensitive? If so, then it's a security hotspot rule. If not...
Is the rule neither a bug nor a vulnerability? If so, then it's a code smell rule.
How are severities assigned?
To assign severity to a rule, we ask a further series of questions. The first one is basically:
What's the worst thing that could happen?
In answering this question, we try to factor in Murphy's Law, without predicting Armageddon.
Then we assess whether the impact and likelihood of the Worst Thing (see How are severity and likelihood decided?, below) are high or low, and plug the answers into a truth table:
How are severity and likelihood decided?
To assess the severity of a rule, we start from the Worst Thing (see How are severities assigned?, above) and ask category-specific questions.
Impact: Could the 'Worst Thing' cause the application to crash or corrupt stored data?
Likelihood: What's the probability that the 'Worst Thing' will happen?
Impact: Could the exploitation of the 'Worst Thing' result in significant damage to your assets or your users?
Likelihood: What is the probability that a hacker will be able to exploit the 'Worst Thing'?
Security hotspots are not assigned severities as it is unknown whether there is truly an underlying vulnerability until they are reviewed.
For a comprehensive list of available rules, see our rules catalog here.