1

In Sonarqube versions prior to 5.5 there was the possibility to change the way that technical debt is calculated in order to take into account the complexity, but after 5.5 I can’t see how to change it. Did you remove this configuration?

IMHO, the cost of remediation is much harder in a complex code than in a simpler one. Here is a post where you can see and compare two similar projects with similar technical debt based on size, but with quite different technical debt based on complexity. Also, coverage is affecting to this measure; and I think that it is easier to modify code when you have enough tests and coverage that assures that you are not breaking anything.

In sonarqube documentation, the formula that is used to calculate the technical debt ratio is:

Remediation cost / (Cost to develop 1 line of code * Number of lines of code)

But the remediation cost is a fixed amount of time configured on each rule, isn't it?. So it is independent from the complexity you can find in the code.

Here is an image where you can see how this could be done in version 5.1.2: Technical debt with complexity

Is there any way to configure, in LTS or version 6.x , the technical debt so that the complexity is taken into account like it was in previous versions?

If not, is that in your road map? Do you have any reference that complexity or coverage does not affect to remediation cost?

Thanks in advance.

Note: The new concept of cognitive complexity seems very interesting, we're talking again about complexity, it would be a good candidate. But I haven't seen how to see it in Sonarqube 6.3.1, is it possible?

Borja Lázaro de Rafael
  • 41
  • 3

2 Answers2

1

SonarQube 5.6 introduces the SonarQube Quality Model, which consists of Bugs, Vulnerabilities, and Code Smells. For Code Smells, technical debt is considered the important metric. For Bugs and Vulnerabilities it's the highest severity.

In adopting this new quality model, the ability to calculate technical debt based on complexity has indeed been dropped and there's no plan to reinstate it. At the same time, "Technical Debt" no longer includes the time to remediate Bugs and Vulnerabilities; it's only Code Smells.

G. Ann - SonarSource Team
  • 20,814
  • 3
  • 32
  • 60
1

Since the G.Ann answer explains it is not feasible anymore with SonarQube, on .NET code, you can still use the tool NDepend.

With NDepend a code rule is a C# LINQ query and it can embed a formula to estimate the cost of remediation, and also a formula to estimate the annual interest (the cost per year of not fixing the issue, its business impact in other words). The issue severity is estimated from the Annual Interest estimation through thresholds

For example if you want to have a code rule that warns about complex methods not well covered by tests, that provides custom and realistic Debt and Annual Interest estimations, the rule can look like:

// <Name>Complex method must be covered by tests</Name>
warnif count > 0 
from m in Application.Methods
where m.PercentageCoverage < 80 &&
      m.CyclomaticComplexity > 10select new { 
   m,
   m.PercentageCoverage,
   m.CyclomaticComplexity,
   m.NbLinesOfCodeNotCovered,
   Debt = (10 + 3*(m.CyclomaticComplexity -10) + 4*m.NbLinesOfCodeNotCovered)
          .ToMinutes().ToDebt(),
   AnnualInterest = (20 + 2*(m.CyclomaticComplexity) + 6*m.NbLinesOfCodeNotCovered)
                    .ToMinutes().ToAnnualInterest()
}

Here we choose simple linear formulas but it can virtually be any formula, it is just a C# query that is ran against a code model dedicated to be queried for code quality.

The rule edited in Visual Studio with its result look like that, and these issues and estimations can be imported into the SonarQube system:

NDepend custom formulas to estimate tech-debt

Disclaimer: I work for NDepend

Patrick from NDepend team
  • 12,441
  • 4
  • 53
  • 72