Overview
Introducing new features into a system requires a quality check process to ensure the desired level of security and quality is achieved. To manage this, the code quality management process aims to standardize the procedures used to perform the quality checks. All new code introduced into the repository should be within the metrics below.
The tools used to assess code quality are as follows:
SonarQube - SonarQube SAST Guideline
SonarQube Metrics
| Metric | Operator | Value |
|---|---|---|
| Coverage | is greater than | 60.0% |
| Duplicated Lines (%) | is not greater than | 3.0% |
| Maintainability Rating | is not worse than | A |
| Reliability Rating | is not worse than | A |
| Security Hotspots Reviewed | is greater than | 90% |
| Security Rating | is not worse than | A |
| Issue Severity | is not greater than | Blocker: 0, Critical: 0, Major: 5, Minor: 10, Informational: 20 |
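As an added illustration (not part of this page or of SonarQube itself), the following Python script encodes the table above as a quality gate and evaluates a constructed sample response in the shape of SonarQube's `api/measures/component` output; the metric keys are SonarQube's own, while the project key and measure values are made up for the example.

```python
# Thresholds from the SonarQube metrics table above, keyed by the metric keys the SonarQube
# web API uses. Ratings come back numeric (A=1 ... E=5), so "not worse than A" means <= 1.
# "min": value must be strictly greater than the limit; "max": value must not exceed it.
QUALITY_GATE = {
    "coverage": ("min", 60.0),                    # Coverage > 60.0%
    "duplicated_lines_density": ("max", 3.0),     # Duplicated Lines (%) <= 3.0%
    "sqale_rating": ("max", 1),                   # Maintainability Rating A
    "reliability_rating": ("max", 1),             # Reliability Rating A
    "security_hotspots_reviewed": ("min", 90.0),  # Security Hotspots Reviewed > 90%
    "security_rating": ("max", 1),                # Security Rating A
    "blocker_violations": ("max", 0),             # Issue Severity limits per severity
    "critical_violations": ("max", 0),
    "major_violations": ("max", 5),
    "minor_violations": ("max", 10),
    "info_violations": ("max", 20),
}

# Constructed sample in the shape of a GET api/measures/component response (the project
# key is a placeholder); it deliberately breaches three of the conditions above.
SAMPLE_RESPONSE = {"component": {"key": "example-project", "measures": [
    {"metric": "coverage", "value": "72.5"},
    {"metric": "duplicated_lines_density", "value": "4.2"},
    {"metric": "sqale_rating", "value": "1.0"},
    {"metric": "reliability_rating", "value": "1.0"},
    {"metric": "security_hotspots_reviewed", "value": "85.0"},
    {"metric": "security_rating", "value": "1.0"},
    {"metric": "blocker_violations", "value": "0"},
    {"metric": "critical_violations", "value": "0"},
    {"metric": "major_violations", "value": "3"},
    {"metric": "minor_violations", "value": "12"},
    {"metric": "info_violations", "value": "4"},
]}}

def evaluate_gate(response, gate=QUALITY_GATE):
    """Map each gate metric to (passed, actual_value). A metric the analysis did not
    report fails closed, so an incomplete scan cannot slip through the gate."""
    actual = {m["metric"]: float(m["value"]) for m in response["component"]["measures"]}
    results = {}
    for metric, (op, limit) in gate.items():
        value = actual.get(metric)
        if value is None:
            results[metric] = (False, None)
            continue
        results[metric] = (value > limit if op == "min" else value <= limit, value)
    return results

def failed_metrics(response, gate=QUALITY_GATE):
    """Sorted metric keys that breach the gate; an empty list means the gate passed."""
    return sorted(m for m, (ok, _) in evaluate_gate(response, gate).items() if not ok)
```

Running `failed_metrics(SAMPLE_RESPONSE)` on the constructed sample reports the duplicated-lines, minor-issue and hotspot-review breaches, which is the list a developer would bring to the results analysis step below.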
Results Analysis
If the SonarQube results fail the metrics and no workaround is possible, developers can request assistance from the Application Security and Architecture teams to adjust the baseline due to challenges or limitations. Based on the results analysis, both teams should decide whether a re-baseline is needed to adjust the current policy, or suggest a solution to be implemented by the developers, based on
https://safibank.atlassian.net/wiki/spaces/ITArch/pages/146309121/Security+Development#%F0%9F%94%8E-Implementation-Review.