I assume by "sonar properties" you mean setting blanket exclusions at the POM level?
It's typically unwise to blanket exclude entire packages/classes from code quality checks.
What you should do is:
1. Review violations reported by Cloud Manager, and fix the ones you can
1. There may be reported issues that aren't for whatever reason you do not want to/cannot change, for these, it is better to explicitly suppress that exact warning for just that method/class similar to [1]. This way if you evolve that code, and introduce a violation you should correct, Cloud Manager can alert you about it - if you completely exclude packages/classes for being scanned, this is a good way to result in an unstable/vulnerable app.
Also, FWIW - in my experience the "estimated time to resolve" issues in the Cloud Manager violation repo is exceedingly generous. It usually takes me a maybe .. 1/10th of the estimated time to resolve most issues - so don't let that # scare you off from improving your code base.
[1] https://github.com/Adobe-Marketing-Cloud/asset-share-commons/blob/bc16654589301bd2990302a82c701558b5...