We would like to use a local SonarQube server to perform code quality scans in our development environments prior to submitting a branch for deployment in AEM Cloud Manager. This would enable us to resolve issues without the overhead of uploading code to Cloud Manager and waiting for the deployment to our stage environment. It would also enable multiple developers on our team to perform scans before merging our code together.
The Quality Profiles delivered with SonarQube - the "Sonar Way" - do not appear to match up fully with what is used by Cloud Manager. For instance, the scan in Cloud Manager flags some of our code that returns copies of mutable members (https://rules.sonarsource.com/java/RSPEC-2384), but local SonarQube does not flag the same code. The Cloud Manager scan also appears to focus on rules having specific tags, especially "cert" and "cwe".
Is there a Quality Profile available that we could import into a local SonarQube environment that matches what is in Cloud Manager? (The name of the profile used by Cloud Manager appears to be "CQ-Rules-Java-Profile", according to the logs. It may be connected to a "SonarQube Java plugin for CQ", also mentioned in the logs.)
We are aware of the AEM Rules for SonarQube project (https://github.com/wttech/AEM-Rules-for-SonarQube), but this looks to be separate from the base Java rules.
The closer we can mirror the Cloud Manager rules locally, the better we can ensure code quality before submitting to the pipeline, making our development more efficient and robust.
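For readers checking whether their local profile catches the rule named above, here is an added illustration (not code from the original question or from any SonarQube or Cloud Manager project) of the pattern RSPEC-2384 reports and the defensive-copy form that resolves it; the class and field names are made up for the example:

```java
import java.util.Date;

// Added example: the shape of code flagged under RSPEC-2384 (mutable members
// stored or returned directly) beside the defensively copied equivalent.
public final class MutableMemberDemo {

    // "Before": stores and returns the caller's mutable objects directly.
    // A local profile that mirrors Cloud Manager should report both the
    // constructor assignments and the two getters.
    static final class LeakyConfig {
        private final Date expiry;
        private final String[] allowedHosts;

        LeakyConfig(Date expiry, String[] allowedHosts) {
            this.expiry = expiry;             // caller keeps a handle to our state
            this.allowedHosts = allowedHosts; // same array as the caller's
        }

        Date getExpiry() { return expiry; }                 // internal object escapes
        String[] getAllowedHosts() { return allowedHosts; } // internal array escapes
    }

    // "After": copy on the way in and on the way out, so callers can only
    // mutate their own copies and the object's invariants hold.
    static final class SafeConfig {
        private final Date expiry;
        private final String[] allowedHosts;

        SafeConfig(Date expiry, String[] allowedHosts) {
            this.expiry = new Date(expiry.getTime());
            this.allowedHosts = allowedHosts.clone();
        }

        Date getExpiry() { return new Date(expiry.getTime()); }
        String[] getAllowedHosts() { return allowedHosts.clone(); }
    }

    public static void main(String[] args) {
        LeakyConfig leaky = new LeakyConfig(new Date(0L), new String[] {"a.example"});
        leaky.getAllowedHosts()[0] = "b.example"; // rewrites LeakyConfig's own array
        System.out.println("leaky host now: " + leaky.getAllowedHosts()[0]);

        SafeConfig safe = new SafeConfig(new Date(0L), new String[] {"a.example"});
        safe.getAllowedHosts()[0] = "b.example";  // only the returned copy changes
        System.out.println("safe host still: " + safe.getAllowedHosts()[0]);
    }
}
```

Running a local scan over a file like this is a quick way to confirm whether the active Quality Profile actually has S2384 enabled before comparing it with the Cloud Manager report.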