Understanding SonarQube: Quantifying Software Quality, Rule Types, Severity Levels, and Metrics
This article explains how SonarQube uses static analysis to measure software reliability, maintainability, security, complexity, test coverage and duplication, describes its rule categories, severity levels, issue states, and metric rating scales, and shows why high‑quality code reduces costs and improves safety.
Using tools such as SonarQube can raise developer productivity and code quality, promoting a degree of standardization that is crucial when software components are shared among multiple people.
Through static analysis of source code, SonarQube evaluates reliability, maintainability, security, complexity, test coverage, and code duplication, assigning a score based on the severity of detected defects.
When software quality remains high, it ensures greater security, lowers lifecycle costs, reduces maintenance time, and creates value for producers, customers, and financiers.
How to Quantify Software Quality
High‑quality software is associated with the following benefits:
Reduced testing and delivery time
More than 50% reduction in maintenance and rework
Higher customer satisfaction
Lower post‑release maintenance cost
Fewer project contract disputes
Fewer cancelled projects
Improved reliability
Fewer security vulnerabilities in released applications
SonarQube Rule Categories
SonarQube classifies rules into four types for code analysis: Code Smells, Bugs, Vulnerabilities, and Security Hotspots.
Code Smells indicate programming flaws that do not cause incorrect behavior but make the code harder to maintain.
Bugs are unintended or incorrect behaviors that reduce program reliability.
Vulnerabilities are weaknesses that can be exploited to compromise system security.
Security Hotspots are not defects yet may become vulnerabilities, such as improper cookie settings, non‑standard encryption algorithms, or insecure protocol usage.
New rules can be created on the SonarQube platform and associated with specific languages.
Severity Levels
Each rule violation creates an issue with a severity level:
Blocker: An error that can change program behavior and must be fixed.
Critical: An error that is unlikely to change behavior but represents a security flaw; it requires review.
Major: Defects that reduce developer productivity, such as duplicated code or unused variables.
Minor: Defects that slightly reduce productivity, such as overly long lines or switch statements with fewer than three cases.
Info: Not a true defect, e.g., TODO comments or deprecated structures.
Five Issue States
An issue can be in one of five states after creation: (1) Open, (2) Confirmed, (3) Resolved (when the change has been made), (4) Reopened (if reported as fixed but not truly corrected), and (5) Closed (when SonarQube no longer recognizes it as an issue). Issues are closed when they are fixed or when the associated rule becomes unavailable.
Metric Ratings
Metrics used to define code quality include complexity, duplication, maintainability, reliability, security, size, and test coverage.
Reliability Rating
A = 0 bugs
B = at least one minor bug
C = at least one major bug
D = at least one critical bug
E = at least one blocker bug
Security Rating
A = 0 vulnerabilities
B = at least one minor vulnerability
C = at least one major vulnerability
D = at least one critical vulnerability
E = at least one blocker vulnerability
Technical Debt Rating
Based on the Technical Debt Ratio (TD% = remediation debt / estimated development time, where development time is estimated as LOC × 30 min):
A = TD ≤ 5%
B = 6% ≤ TD ≤ 10%
C = 10% < TD ≤ 20%
D = 21% ≤ TD ≤ 50%
E = TD ≥ 50%
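As an added worked example (not part of the article and not SonarQube's own code), the script below applies the Reliability, Security and Technical Debt rating rules above to a constructed list of issues. It assumes that technical debt is the remediation effort of code smells and that each debt band closes at its upper bound where the article leaves an edge open.

```python
# Added worked example: applies the article's rating rules to a constructed issue list.
# Not SonarQube's own code; assumptions are marked in the comments below.
from dataclasses import dataclass

SEVERITY_ORDER = ("INFO", "MINOR", "MAJOR", "CRITICAL", "BLOCKER")
# Worst severity present -> letter, per the Reliability and Security tables above.
# Those tables start at "minor"; Info-level issues are assumed not to affect the rating.
SEVERITY_TO_RATING = {"MINOR": "B", "MAJOR": "C", "CRITICAL": "D", "BLOCKER": "E"}
MINUTES_PER_LOC = 30  # article: development time is estimated as LOC x 30 min

@dataclass(frozen=True)
class Issue:
    type: str        # BUG, VULNERABILITY, CODE_SMELL or SECURITY_HOTSPOT
    severity: str    # one of SEVERITY_ORDER
    effort_min: int  # remediation effort in minutes

def worst_severity_rating(issues, issue_type):
    """A..E from the worst issue of the given type; A when there are none."""
    ranks = [SEVERITY_ORDER.index(i.severity) for i in issues if i.type == issue_type]
    if not ranks:
        return "A"
    return SEVERITY_TO_RATING.get(SEVERITY_ORDER[max(ranks)], "A")

def technical_debt_ratio(issues, loc):
    """TD% = debt / (LOC x 30 min); debt assumed to be code-smell remediation effort."""
    debt = sum(i.effort_min for i in issues if i.type == "CODE_SMELL")
    dev_minutes = loc * MINUTES_PER_LOC
    return 100.0 * debt / dev_minutes if dev_minutes else 0.0

def technical_debt_rating(td_percent):
    """Bands from the article, each closed at its upper bound (an assumption for the
    edges the article leaves open: 5 < TD < 6 -> B, TD == 50 -> D)."""
    for letter, upper in (("A", 5), ("B", 10), ("C", 20), ("D", 50)):
        if td_percent <= upper:
            return letter
    return "E"

def project_ratings(issues, loc):
    td = technical_debt_ratio(issues, loc)
    return {"reliability": worst_severity_rating(issues, "BUG"),
            "security": worst_severity_rating(issues, "VULNERABILITY"),
            "td_percent": round(td, 2), "technical_debt": technical_debt_rating(td)}

# Constructed sample: 1000 LOC, one major bug, one critical vulnerability, one hotspot
# (not a defect, so it is not rated) and 2400 min of code-smell remediation effort.
SAMPLE_ISSUES = [Issue("BUG", "MAJOR", 20), Issue("VULNERABILITY", "CRITICAL", 60),
                 Issue("SECURITY_HOTSPOT", "MAJOR", 0), Issue("CODE_SMELL", "MINOR", 1200),
                 Issue("CODE_SMELL", "MAJOR", 1200)]
# project_ratings(SAMPLE_ISSUES, 1000)
# -> {'reliability': 'C', 'security': 'D', 'td_percent': 8.0, 'technical_debt': 'B'}
```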
High‑Quality Software Reduces Production Costs
If you embrace continuous integration, you cannot ignore SonarQube, as it checks code on every change, helping to maintain high software quality at all times.
Happy coding!
About Us
We are DevOps practitioners focusing on enterprise‑level DevOps operations and development technology sharing, covering new Linux operations, DevOps courses, and practical experience. Our courses are practical, recognized by many students, and sourced from real‑world enterprise applications.
DevOps Cloud Academy
Exploring industry DevOps practices and technical expertise.