Dealing with SonarQube Cloud: Initial Results from a Mining Software Repository Study
Sabato Nocera, Davide Fucci, Giuseppe Scanniello

TL;DR
This study explores how open-source GitHub projects utilize and customize SonarQube Cloud for static code analysis, revealing prevalent default configurations and customizations to meet diverse quality standards.
Contribution
It provides the first empirical insights into SonarQube Cloud usage and customization patterns in open-source projects on GitHub.
Findings
81% of projects are correctly connected to SonarQube Cloud
75% of accessible projects use the default quality gate
55% of projects customize their quality gate
Abstract
Background: Static Code Analysis (SCA) tools are widely adopted to enforce code quality standards. However, little is known about how open-source projects use and customize these tools. Aims: This paper investigates how GitHub projects use and customize a popular SCA tool, namely SonarQube Cloud. Method: We conducted a mining study of GitHub projects that are linked through GitHub Actions to SonarQube Cloud projects. Results: Among 321 GitHub projects using SonarQube Cloud, 81% of them are correctly connected to SonarQube Cloud projects, while others exhibit misconfigurations or restricted access. Among 265 accessible SonarQube Cloud projects, 75% use the organization's default quality gate, i.e., a set of conditions that deployed source code must meet to pass automated checks. While 55% of the projects use the built-in quality gate provided by SonarQube Cloud, 45% of them customize…
