Dealing with SonarQube Cloud: Initial Results from a Mining Software Repository Study
2025 (English). In: International Symposium on Empirical Software Engineering and Measurement, IEEE Computer Society, 2025, p. 372-378. Conference paper, Published paper (Refereed)
Abstract [en]
Background: Static Code Analysis (SCA) tools are widely adopted to enforce code quality standards. However, little is known about how open-source projects use and customize these tools. Aims: This paper investigates how GitHub projects use and customize a popular SCA tool, namely SonarQube Cloud.
Method: We conducted a mining study of GitHub projects that are linked through GitHub Actions to SonarQube Cloud projects.
Results: Among 321 GitHub projects using SonarQube Cloud, 81% of them are correctly connected to SonarQube Cloud projects, while others exhibit misconfigurations or restricted access. Among 265 accessible SonarQube Cloud projects, 75% use the organization's default quality gate, i.e., a set of conditions that deployed source code must meet to pass automated checks. While 55% of the projects use the built-in quality gate provided by SonarQube Cloud, 45% of them customize their quality gate with different conditions. Overall, the most common quality conditions align with SonarQube Cloud's 'Clean as You Code' principle and enforce security, maintainability, reliability, coverage, and a few duplicates on newly added or modified source code.
Conclusions: Many projects rely on predefined configurations, yet a significant portion customize their configurations to meet specific quality goals. Building on our initial results, we envision a future research agenda linking quality gate configurations to actual software outcomes (e.g., improvement of software security). This would enable evidence-based recommendations for configuring SCA tools like SonarQube Cloud in various contexts.
Place, publisher, year, edition, pages
IEEE Computer Society, 2025. p. 372-378
Series
International Symposium on Empirical Software Engineering and Measurement, ISSN 1949-3770, E-ISSN 1949-3789
Keywords [en]
Automation Policies, Coding Issues, Continuous Integration and Delivery, SonarCloud, SonarLint, SonarQube, Static Code Analysis tools, Automation, Codes (symbols), Computer programming languages, Data mining, Open source software, Open systems, Quality control, Automation policy, Coding issue, Condition, Continuous integrations, Quality gates, Sonar
National Category
Software Engineering
Identifiers
URN: urn:nbn:se:bth-29285
DOI: 10.1109/ESEM64174.2025.00035
Scopus ID: 2-s2.0-105032656974
ISBN: 9798331591472 (print)
OAI: oai:DiVA.org:bth-29285
DiVA id: diva2:2049064
Conference
2025 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement, ESEM 2025, Honolulu, Oct 2-3, 2025
Projects
NEXTGenerationEU
Funder
European Commission