Code quality rules for local SonarQube server

Level 2

We would like to use a local SonarQube server to perform code quality scans in our development environments prior to submitting a branch for deployment in AEM Cloud Manager.  This would enable us to resolve issues without the overhead of uploading code to Cloud Manager and waiting for the deployment to our stage environment.  It would also enable multiple developers on our team to perform scans before merging our code together.

 

The Quality Profiles delivered with SonarQube - the "Sonar Way" - do not appear to match up fully with what is used by Cloud Manager.  For instance, the scan in Cloud Manager flags some of our code that returns copies of mutable members (https://rules.sonarsource.com/java/RSPEC-2384), but local SonarQube does not flag the same code.  The Cloud Manager scan also appears to focus on rules having specific tags, especially "cert" and "cwe".

 

Is there a Quality Profile available that we could import into a local SonarQube environment that matches what is in Cloud Manager?  (The name of the profile used by Cloud Manager appears to be "CQ-Rules-Java-Profile", according to the logs.  It may be connected to a "SonarQube Java plugin for CQ", also mentioned in the logs.)

 

We are aware of the AEM Rules for SonarQube project (https://github.com/wttech/AEM-Rules-for-SonarQube), but this looks to be separate from the base Java rules.

 

The closer we can mirror the Cloud Manager rules locally, the better we can ensure code quality before submitting to the pipeline, making our development more efficient and robust.

 

6 Replies

Level 2
Thank you for these links. Both of these resources are about the basic setup of a local SonarQube server. We have already managed to do this. What we need instead is the specific quality rules used by Cloud Manager. Do you know if these are available?

Community Advisor

Hi @bgsueeid 

Did you manage to import the Cloud Manager rules to a local SonarQube instance?

 

Thanks

Dipti

Level 2

Thank you for checking in regarding this question.

We requested the rules from Adobe Support but were told that they could not be shared.  Support advised us to set up a Code Quality Only pipeline as an alternative.

 

Level 2

Facing the same challenge. Can we get the SonarQube profile which is executed on Cloud Manager?

 

@bgsueeid Were you able to set up your local SonarQube server with all the rules?

Employee

The exact same Sonar rules as in Cloud Manager are Adobe proprietary and cannot be shared; however, the list can be seen here [1].

[1] https://experienceleague.adobe.com/docs/experience-manager-cloud-manager/assets/CodeQuality-rules-la...