CodeScan SCA Results

Updated 1 week ago by Copado Solutions

Whenever you run a Static Code Analysis, Copado generates an SCA Result record. To locate the latest SCA Results from a User Story or an Org Credential, navigate to the Static Code Analysis Results related list.

In the SCA Result record:

Details
  • Details: Contains the link to review the CodeScan violations on the CodeScan site.
  • Score: The sum of the scores of all Rule Violations in the result. A rule violation's score is 6 minus the violated rule's priority number, so a Blocker (priority 1) contributes 5 and an Info finding (priority 5) contributes 1. Violations of higher-severity rules (lower priority numbers) therefore push the result up, and the higher the result, the closer it is to the Maximum Static Code Analysis Score.

Type
  • Bug (Reliability domain)
  • Vulnerability (Security domain)
  • Code Smell (Maintainability domain)

Severity
  • Blocker: Priority 1. Bug with a high probability to impact the behavior of the application in production.
  • Critical: Priority 2. Either a bug with a low probability to impact the behavior of the application in production or an issue which represents a security flaw.
  • Major: Priority 3. Quality flaw that can significantly impact developer productivity.
  • Minor: Priority 4. Quality flaw that can slightly impact developer productivity.
  • Info: Priority 5. Neither a bug nor a quality flaw, just a finding.

Resolution

Closed issues will have one of two resolutions:

  • Fixed - When a subsequent Static Code Analysis run shows that the issue has been corrected or the file no longer exists.
  • Removed - When the related rule is no longer available.

Resolved issues will have one of two resolutions:

  • False Positive
  • Won't Fix

Status
  • Open - set by SonarQube on new issues
  • Confirmed - set manually to indicate that the issue is valid
  • Resolved - set manually to indicate that the next analysis should Close the issue
  • Reopened - set automatically by SonarQube when a Resolved issue hasn't actually been corrected
  • Closed - set automatically by SonarQube, for example on the next analysis after a Resolved issue is found to be corrected, the file has been deleted, or the rule has been removed
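The following script is an added worked example, not Copado's or CodeScan's own code. It applies the Score formula from the Details section (6 minus the rule's priority number) using the priority numbers from the Severity list, breaks the aggregate down by Type, and compares it with a Maximum Static Code Analysis Score. The violation record shape (type, severity, status keys), the rule names, the decision to count only Open, Confirmed and Reopened issues, and the "score reaches the maximum" failure condition are all assumptions made for the example; the page does not state how Resolved or Closed issues affect the score.

```python
"""Added example: score a set of CodeScan rule violations the way the page
describes. Not Copado/CodeScan code; record shape and thresholds are assumed."""

from collections import Counter

# Priority numbers as listed in the Severity section of the page.
PRIORITY_BY_SEVERITY = {"Blocker": 1, "Critical": 2, "Major": 3, "Minor": 4, "Info": 5}

# Assumption for this example: only issues still considered live contribute to
# the score. The page does not say whether Resolved/Closed issues are excluded.
LIVE_STATUSES = {"Open", "Confirmed", "Reopened"}


def violation_score(severity):
    """Page formula: subtract the violated rule's priority number from 6.

    Blocker (priority 1) -> 5, Info (priority 5) -> 1.
    """
    if severity not in PRIORITY_BY_SEVERITY:
        raise ValueError(f"unknown severity: {severity!r}")
    return 6 - PRIORITY_BY_SEVERITY[severity]


def aggregate(violations, only_live=True):
    """Return (total score, Counter of score per Type) for a list of violations.

    Each violation is a dict with 'type', 'severity' and 'status' keys
    (a hypothetical shape chosen for this example).
    """
    total = 0
    by_type = Counter()
    for v in violations:
        if only_live and v["status"] not in LIVE_STATUSES:
            continue  # Resolved/Closed issues are skipped (assumption, see above)
        score = violation_score(v["severity"])
        total += score
        by_type[v["type"]] += score
    return total, by_type


def exceeds_maximum(total, maximum):
    """Assumption: the result fails once the score reaches the configured
    Maximum Static Code Analysis Score."""
    return total >= maximum


# Constructed sample violations (not real CodeScan output; rule names are placeholders).
SAMPLE_VIOLATIONS = [
    {"rule": "hypothetical-rule-1", "type": "Vulnerability", "severity": "Blocker", "status": "Open"},
    {"rule": "hypothetical-rule-2", "type": "Bug", "severity": "Critical", "status": "Confirmed"},
    {"rule": "hypothetical-rule-3", "type": "Code Smell", "severity": "Major", "status": "Reopened"},
    {"rule": "hypothetical-rule-4", "type": "Code Smell", "severity": "Minor", "status": "Resolved"},
    {"rule": "hypothetical-rule-5", "type": "Bug", "severity": "Info", "status": "Closed"},
    {"rule": "hypothetical-rule-6", "type": "Vulnerability", "severity": "Critical", "status": "Open"},
]


def report(violations, maximum):
    """Summarise a result: live score, per-Type breakdown and whether it fails the gate."""
    total, by_type = aggregate(violations)
    return {
        "score": total,
        "by_type": dict(by_type),
        "exceeds_maximum": exceeds_maximum(total, maximum),
    }


if __name__ == "__main__":
    # Live issues: 5 (Blocker) + 4 (Critical) + 3 (Major) + 4 (Critical) = 16
    print(report(SAMPLE_VIOLATIONS, maximum=10))
```

With the sample above, the four live issues add up to 16 (Vulnerability 9, Bug 4, Code Smell 3); counting the Resolved and Closed issues as well would give 19. Raising the maximum above the live score, or confirming that a finding is a false positive and letting the next analysis close it, is what moves a result below the gate.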

Additional Reading

CodeScan SCA Violations
