CodeScan SCA Results
Whenever you run static code analysis, Copado generates a SCA Result record. To locate the latest SCA Results from a User Story or a Credential, navigate to the Static Code Analysis Results related list.
Let's take a look at the different sections and fields you can find in a Static Code Analysis result record.
- Details: This field contains the link to review the CodeScan violations in the CodeScan site.
- Score: This field shows the aggregate of all rule violation scores. The scoring of a rule violation is calculated by subtracting the priority number of the violated rule from 6. Violated rules with a high priority number will throw a high static code analysis result, which means that the higher the result the more probable it is to reach the maximum static code analysis score:
- Bug (Reliability domain).
- Vulnerability (Security domain).
- Code Smell (Maintainability domain):
- Blocker: Priority 1. Bug with a high probability to impact the behavior of the application in production.
- Critical: Priority 2. Either a bug with a low probability to impact the behavior of the application in production or an issue that represents a security flaw.
- Major: Priority 3. The quality flaw which can highly impact the developer's productivity.
- Minor: Priority 4. The quality flaw which can slightly impact the developer's productivity.
- Info: Priority 5. Neither a bug nor a quality flaw, just a finding:
Closed issues will have one of these two resolutions:
- Fixed: When a subsequent SCA Analysis run shows that the issue has been corrected or the file is no longer available.
- Removed: When the related rule is no longer available.
Resolved issues will have one of these two resolutions:
- False Positive
- Won't Fix
- Open: Set by SonarQube on new issues
- Confirmed: Set manually to indicate that the issue is valid
- Resolved: Set manually to indicate that the next analysis should Close the issue
- Reopened: Set automatically by SonarQube when a Resolved issue hasn't actually been corrected
- Closed: Set automatically by SonarQube for automatically created issues: