SONARJAVA-6205 Add an agentic focused quality profile for Java

[dorian-burihabwa-sonarsource]

No description provided.

[hashicorp-vault-sonar-prod]

SONARJAVA-6205

[sonar-review-alpha]

Summary

This PR refactors quality profile handling and adds a new "Sonar agentic AI" profile focused on AI-assisted development.

Key Changes:

1. New base class BuiltInJavaQualityProfile: Consolidates common profile logic (JSON loading, ProfileRegistrar integration, security rule reflection) that was previously duplicated in JavaSonarWayProfile
2. Removed DBD reflection: The dataflow-bug-detection rules are now loaded automatically via ProfileRegistrar instead of reflection, simplifying the code
3. Refactored JavaSonarWayProfile: Now extends the base class, reducing ~40 lines of duplicate code while maintaining identical behavior
4. Added JavaAgenticWayProfile: A new quality profile with 467 rules curated for AI-assisted development, registered alongside the existing Sonar Way profile
5. Updated tests: Changed method invocations from static to instance methods, removed DBD-specific test, added comprehensive test for the new agentic profile including a CSV utility method

What reviewers should know

Where to start:

• Review BuiltInJavaQualityProfile.java first — this is the new abstraction layer
• Check how JavaSonarWayProfile.java is simplified by extending it
• Review JavaAgenticWayProfile.java to understand the new profile implementation
• Check Sonar_agentic_ai_profile.json to see the 467 selected rules

Non-obvious decisions:

• Security rules still use reflection (line 78-84) with a FIXME pointing to SONARJAVA-6207 for future removal — this is a known limitation
• The disabled test utility (generate_ai_quality_profile) shows how the agentic rule set was generated from CSV; reviewers may want to understand the curation criteria
• ProfileRegistrars now handle DBD rules automatically, so that reflection code was intentionally removed

Things to verify:

• The 467 rules in the agentic profile are appropriate for AI/agent-assisted development (check if the selection aligns with coding quality vs. style)
• Ensure backward compatibility: Sonar Way remains the default profile and hasn't changed functionally
• Test counts in JavaPluginTest were updated from 36→37 and 37→38; verify this matches the added extensions
• The commons-csv dependency is only in tests (appropriate for the CSV generation utility)

---

• Generate Walkthrough
• Generate Diagram

🗣️ Give feedback

[rombirli]

LGTM! I just have two questions about external rules inclusion mechanism and the purpose of profileRegistrars

[rombirli]

In test JavaAgenticWayProfileTest, profileRegistrars is always null and this part is never covered, is there a reason ?

[rombirli]

This string constant could be extracted in a constant SONAR_AGENTIC_WAY_PATH like SONAR_WAY_PATH in JavaSonarWayProfile

[rombirli]

These lines and the creation of agenticWay (or sonarWay) are repeated in JavaSonarWayProfile, maybe it could be refactored in QualityProfileUtils

static void createQualityProfile(String title, Set<RuleKey> ruleKeys) {
  NewBuiltInQualityProfile way = context.createBuiltInQualityProfile(title, Java.KEY);
  ruleKeys.forEach(ruleKey -> way.activateRule(ruleKey.repository(), ruleKey.rule()));
    way.done();
  }
}

[rombirli]

Is there a reason this mechanism to include external rules is not present in JavaAgenticWayProfile? (Why the implementations diverge? Is there a justification?)

[rombirli]

Agentic_way_profile.json seems to be wrong

[rombirli]

Is this file auto-generated from the CSV with a script? Could we add the script to the repo? It seems to be wrong!
S100 shouldn't be included according to the spreadsheet.

[rombirli]

LGTM i get the exact same json quality profile file, I still have 2 refactoring proposals :

• use tsv format instead of csv to get rid of csv library (so we can simply split with '\t' instead of ';')
• use a single class that take qp name and json path instead of duplicated logic (we could also get rid of qualityprofileutils.java and put everything in this class)

[sonar-review-alpha]

Conclusion: Clean refactoring overall — the base class extraction is well-done and the agentic profile is properly wired up. Two issues in the generator utility method worth fixing before someone uses it to regenerate the profile.

🗣️ Give feedback

[sonar-review-alpha]

Path.endsWith(String) does not work like String.endsWith(String). On a Path, it checks whether the path ends with a complete path segment named exactly "_profile.json", not whether the filename string ends with that suffix. This predicate is always false, so profile JSON files (Sonar_way_profile.json, Agentic_way_profile.json, etc.) are never excluded from keysOfImplementedRules.

The bug is harmless today because profile filenames won't appear as rule IDs in the CSV, but the filter silently does nothing. Fix:

.filter(path -> !path.getFileName().toString().endsWith("_profile.json"))

• Mark as noise

[sonar-review-alpha]

generate_ai_quality_profile() is missing @Test. In JUnit 5, @Disabled without @Test is a no-op — the framework never discovers the method, so the annotation provides no documentation value and could mislead a future developer into thinking this was intentionally skipped rather than just a utility method. Either add @Test so @Disabled works as intended, or remove @Disabled and leave it as a plain utility method with a descriptive Javadoc comment.

• Mark as noise

[sonarqube-next]

Quality Gate passed

Issues
0 New issues
1 Fixed issue
1 Accepted issue

Measures
0 Security Hotspots
0 Dependency risks
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[sonar-review-alpha]

LGTM! ✅

Solid refactoring with no new bugs. The two previously flagged issues (the Path.endsWith no-op filter and @Disabled without @Test) are the only items to address before merge.

🗣️ Give feedback