SonarQube Quality Profiles and Rules

A Quality Profile is a named collection of rules that SonarQube applies when analyzing code in a specific language. This topic explains how rules and profiles work together, and how to customize them to fit your team's standards.

What Is a Rule

A rule is one specific check. For example: "Methods should not have more than 10 parameters" or "HTTP connections should be secured with SSL/TLS." SonarQube ships with thousands of built-in rules covering bugs, vulnerabilities, code smells, and security hotspots across all supported languages.

RULE ANATOMY
+------------------------------------------------+
| Rule Name: "Null pointers should not be        |
|             dereferenced"                      |
|                                                |
| Type:     Bug                                  |
| Severity: Blocker                              |
| Language: Java                                 |
| Tags:     error-handling, suspicious           |
|                                                |
| Description: Accessing a field or method of    |
| a null reference will cause a                  |
| NullPointerException at runtime.               |
|                                                |
| Non-compliant:  obj.method();  // obj is null  |
| Compliant:      if (obj != null) obj.method(); |
+------------------------------------------------+

What Is a Quality Profile

A Quality Profile is the rulebook for one language. It says: "When analyzing Java code, check these 350 rules." You can enable or disable individual rules within a profile, and you can change each rule's severity.

QUALITY PROFILE: "Sonar way" for Java
+----------------------------------------+
| Total rules available: 633             |
| Rules active in this profile: 407      |
| Rules inactive: 226                    |
|                                        |
| Blocker:  12 rules active              |
| Critical: 87 rules active              |
| Major:   193 rules active              |
| Minor:    98 rules active              |
| Info:     17 rules active              |
+----------------------------------------+

The Default Profile: Sonar Way

SonarQube provides a built-in profile called Sonar Way for every supported language. This profile is maintained by SonarSource and updated with each SonarQube release. The Sonar Way profile represents a widely accepted baseline of rules that most projects should follow.

The built-in Sonar Way profiles are read-only. To customize rules, you must create a copy.

Creating a Custom Quality Profile

Go to Quality Profiles in the top navigation. Select a language, then click Copy next to the Sonar Way profile for that language. Name your copy and save it.

QUALITY PROFILES PAGE
+-------------------------------------------------+
| LANGUAGE   | PROFILE NAME    | # RULES | DEFAULT|
+------------+-----------------+---------+--------+
| Java       | Sonar way       | 407     |   *    |
| Java       | Our Java Rules  | 420     |        |
| JavaScript | Sonar way       | 289     |   *    |
| Python     | Sonar way       | 153     |   *    |
+-------------------------------------------------+

Activating and Deactivating Rules

Open your custom profile and click Activate More Rules to add rules from the inactive list. To remove a rule, find it in the active list and click Deactivate.

When to Deactivate a Rule

  • The rule is not relevant to your technology stack
  • The rule conflicts with your company's coding standards
  • The rule produces too many false positives for your codebase

When to Activate Additional Rules

  • Your project has security compliance requirements (PCI-DSS, HIPAA)
  • Your team uses a framework with specific best practices (Spring, Django)
  • You want stricter style enforcement than the default

Changing Rule Severity in a Profile

Within your custom profile, you can change the severity of any active rule. For example, your team might decide that using a deprecated API method should be a Blocker (must fix before merge) rather than a Minor issue.

RULE: "Deprecated methods should not be used"
DEFAULT SEVERITY: Minor

YOUR PROFILE OVERRIDE:
Changed to: Critical

Effect: Any use of deprecated methods in your project
now appears as a Critical issue and affects the
Maintainability rating more strongly.

Rule Parameters

Some rules have configurable parameters. For example, the "Methods should not have too many parameters" rule defaults to a maximum of 7. You can change this to 5 or 10 based on your team's preference.

RULE: "Methods should not have too many parameters"
+-----------------------------------------------+
| Parameter: max                                |
| Default value: 7                              |
| Your override: 5                              |
|                                               |
| Effect: Methods with 6+ parameters are flagged|
+-----------------------------------------------+

Extending a Profile with a Parent

You can set another profile as the parent of your custom profile. The child profile inherits all active rules from the parent; inherited rules cannot be deactivated in the child, only given a different severity. You can then add more rules in the child without duplicating the parent configuration. This is useful when you have a company-wide base profile and each team adds their own rules on top.

COMPANY BASE PROFILE (parent)
  |-- 400 rules active
  |
  +-- BACKEND TEAM PROFILE (child)
  |     Inherits 400 rules + adds 20 backend-specific rules
  |
  +-- FRONTEND TEAM PROFILE (child)
        Inherits 400 rules + adds 15 frontend-specific rules

Assigning a Profile to a Project

By default, all projects use the default profile for each language. To assign your custom profile to a specific project:

  1. Go to the project dashboard
  2. Click Project Settings > Quality Profiles
  3. Select your custom profile for the relevant language
  4. Save

Comparing Profiles

SonarQube can show you a side-by-side comparison of two profiles. This is useful when upgrading from an older profile version or reviewing what rules differ between a base profile and a team profile. Go to a profile page and click Compare.

PROFILE COMPARISON: Sonar Way vs Our Java Rules
+-------------------------------------------+
| Only in Sonar way (10 rules):             |
|   - Method names should follow convention |
|   - ...                                   |
|                                           |
| Only in Our Java Rules (23 rules):        |
|   - Spring beans should be properly typed |
|   - JPA queries should use named params   |
|   - ...                                   |
|                                           |
| Different severity (5 rules):             |
|   - Deprecated methods: Minor -> Critical |
+-------------------------------------------+

Updating Profiles When SonarQube Upgrades

When you upgrade SonarQube, the built-in Sonar Way profiles update automatically with new rules. Your custom profiles do not update automatically. SonarQube displays a notification on the profile page when new rules are available in the parent profile. Review and activate them manually to keep your profile current.

Exporting and Importing Profiles

You can export a Quality Profile as an XML file by clicking Back up on the profile page. This lets you keep your configuration under version control or share it with another SonarQube instance, for example copying a configuration from a staging server to a production server. The import side is Restore on the Quality Profiles page, which takes that XML file.
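An added example, not code from SonarQube or its documentation: it reads two profile backups laid out the way the exported XML nests a profile's name, language and rules (repositoryKey, key, priority, parameters) and reproduces the categories of the Compare view described above: rules only on one side, rules with a different severity, and rules with different parameter values. Both XML documents are constructed here and the rule keys are invented.

```python
import xml.etree.ElementTree as ET

# Constructed backups mirroring the Sonar way / Our Java Rules comparison above.
# Rule keys (NAMING-1, DEPRECATED-1, PARAMS-1, BEANS-1) are invented for the example.
SONAR_WAY = """<profile><name>Sonar way</name><language>java</language><rules>
  <rule><repositoryKey>java</repositoryKey><key>NAMING-1</key><priority>MINOR</priority><parameters/></rule>
  <rule><repositoryKey>java</repositoryKey><key>DEPRECATED-1</key><priority>MINOR</priority><parameters/></rule>
  <rule><repositoryKey>java</repositoryKey><key>PARAMS-1</key><priority>MAJOR</priority>
    <parameters><parameter><key>max</key><value>7</value></parameter></parameters></rule>
</rules></profile>"""

OUR_JAVA_RULES = """<profile><name>Our Java Rules</name><language>java</language><rules>
  <rule><repositoryKey>java</repositoryKey><key>DEPRECATED-1</key><priority>CRITICAL</priority><parameters/></rule>
  <rule><repositoryKey>java</repositoryKey><key>PARAMS-1</key><priority>MAJOR</priority>
    <parameters><parameter><key>max</key><value>5</value></parameter></parameters></rule>
  <rule><repositoryKey>spring</repositoryKey><key>BEANS-1</key><priority>MAJOR</priority><parameters/></rule>
</rules></profile>"""


def parse_profile(xml_text):
    """Return (profile name, {'repo:key': {'severity': ..., 'params': {...}}}) for active rules."""
    root = ET.fromstring(xml_text)
    rules = {}
    for rule in root.iterfind("rules/rule"):
        # 'key' matches only the rule's direct child, not the parameter keys nested below it
        key = f"{rule.findtext('repositoryKey')}:{rule.findtext('key')}"
        params = {p.findtext("key"): p.findtext("value")
                  for p in rule.iterfind("parameters/parameter")}
        rules[key] = {"severity": rule.findtext("priority"), "params": params}
    return root.findtext("name"), rules


def compare_profiles(left_xml, right_xml):
    """Same buckets as the Compare view: only-left, only-right, severity and parameter changes."""
    left_name, left = parse_profile(left_xml)
    right_name, right = parse_profile(right_xml)
    common = sorted(left.keys() & right.keys())
    return {
        "left": left_name, "right": right_name,
        "only_left": sorted(set(left) - set(right)),
        "only_right": sorted(set(right) - set(left)),
        "severity": {k: (left[k]["severity"], right[k]["severity"])
                     for k in common if left[k]["severity"] != right[k]["severity"]},
        "params": {k: (left[k]["params"], right[k]["params"])
                   for k in common if left[k]["params"] != right[k]["params"]},
    }
```

Running compare_profiles(SONAR_WAY, OUR_JAVA_RULES) reports the naming rule only in Sonar way, the Spring rule only in Our Java Rules, DEPRECATED-1 moved from MINOR to CRITICAL, and PARAMS-1 max lowered from 7 to 5; the same function works on real backups taken from two servers before a Restore.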
