SONARJAVA-6205 Add an agentic focused quality profile for Java #5531

Open: dorian-burihabwa-sonarsource wants to merge 3 commits into master from SONARJAVA-6205

@dorian-burihabwa-sonarsource

No description provided.

hashicorp-vault-sonar-prod bot commented Mar 20, 2026

SONARJAVA-6205

dorian-burihabwa-sonarsource force-pushed the SONARJAVA-6205 branch 2 times, most recently from 37eb8d7 to 0dab089 (March 20, 2026 15:29)
dorian-burihabwa-sonarsource marked this pull request as ready for review (March 20, 2026 15:56)

sonar-review-alpha bot commented Mar 20, 2026

Summary

This PR introduces a new "AI Quality Profile" for Java code analysis that activates 467 specific rules, complementing the existing Sonar Way profile. The profile is designed for agentic/AI-focused quality checks and explicitly excludes 36 other rules.

The changes also refactor shared quality profile logic into a reusable utility class (QualityProfileUtils) to eliminate duplication between the existing JavaSonarWayProfile and the new JavaAgenticWayProfile. A commons-csv dependency is added to support test utilities for regenerating the profile from CSV inputs.

What reviewers should know

Where to start: Look at the new JavaAgenticWayProfile class first — it's straightforward and follows the same pattern as the existing JavaSonarWayProfile. Then review QualityProfileUtils to understand what logic was extracted.

Key points for review:

  • The JSON file Agentic_way_profile.json contains the actual rule list (467 rules) — verify these are appropriate for the AI-focused use case
  • The test method profile_is_registered_as_expected() explicitly checks that 36 specific rules are excluded (S100, S110, etc.) — confirm this list is intentional
  • The refactoring of JavaSonarWayProfile is purely mechanical (extract-replace) and shouldn't change behavior — verify the sonarJavaSonarWayRuleKeys() method still works the same
  • The disabled test method generate_ai_quality_profile() documents how to regenerate the profile from CSV — this is tooling, not production code
  • The commons-csv dependency is only used in the disabled test method; if you want production code only, this dependency could be test-only or removed

No architectural surprises: Registration in JavaPlugin is straightforward; test assertion counts were updated correctly (36→37, 37→38).

@sonar-review-alpha sonar-review-alpha bot left a comment

Conclusion

Clean, well-structured PR. The QualityProfileUtils extraction is the right call — it removes real duplication between the two profile classes and makes future profiles trivial to add.

@rombirli rombirli self-requested a review March 23, 2026 06:52

@rombirli rombirli left a comment

LGTM! I just have two questions about the external rules inclusion mechanism and the purpose of profileRegistrars.

Comment on lines +39 to +41
for (ProfileRegistrar profileRegistrar : profileRegistrars) {
profileRegistrar.register(ruleKeys::addAll);
}

In the test JavaAgenticWayProfileTest, profileRegistrars is always null and this part is never covered. Is there a reason?

public void define(Context context) {
NewBuiltInQualityProfile agenticWay = context.createBuiltInQualityProfile("AI Quality Profile", Java.KEY);
Set<RuleKey> ruleKeys = QualityProfileUtils.registerRulesFromJson(
"/org/sonar/l10n/java/rules/java/Agentic_way_profile.json",

This string constant could be extracted into a constant SONAR_AGENTIC_WAY_PATH, like SONAR_WAY_PATH in JavaSonarWayProfile.

Comment on lines +49 to +51
ruleKeys.forEach(ruleKey -> agenticWay.activateRule(ruleKey.repository(), ruleKey.rule()));
agenticWay.done();
}

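These lines and the creation of agenticWay (or sonarWay) are repeated in JavaSonarWayProfile; maybe it could be refactored into QualityProfileUtils:

// Shared helper: create a built-in Java profile, activate the given rules, and finalize it.
// The Context is passed in explicitly because a static helper has no field to read it from.
static void createQualityProfile(Context context, String title, Set<RuleKey> ruleKeys) {
  NewBuiltInQualityProfile way = context.createBuiltInQualityProfile(title, Java.KEY);
  ruleKeys.forEach(ruleKey -> way.activateRule(ruleKey.repository(), ruleKey.rule()));
  way.done();
}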

Comment on lines 76 to 78
if (ruleKeys.stream().noneMatch(rule -> SECURITY_REPOSITORY_KEY.equals(rule.repository()))) {
ruleKeys.addAll(getSecurityRuleKeys());
}
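
Review bot: The fallback guarded by `ruleKeys.stream().noneMatch(rule -> SECURITY_REPOSITORY_KEY.equals(rule.repository()))` is all-or-nothing: as soon as one key from the security repository is already in `ruleKeys`, `getSecurityRuleKeys()` is skipped entirely, so a source that contributes only part of the security set leaves the profile with fewer security rules and nothing reports it. Please add a comment stating that this is the intended contract, or, if `ruleKeys` is a set and duplicates are harmless, consider adding the fallback keys unconditionally. Either way, a test for each branch (no security keys present, some present) would pin the behaviour down.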

Is there a reason this mechanism to include external rules is not present in JavaAgenticWayProfile? (Why do the implementations diverge? Is there a justification?)

@rombirli rombirli left a comment

Agentic_way_profile.json seems to be wrong.

Is this file auto-generated from the CSV with a script? Could we add the script to the repo? It seems to be wrong!
S100 shouldn't be included according to the spreadsheet.
