Call for tenders' details
Submission date
13/09/2023
Answer date
20/09/2023
Status
Answered
Question details
Subject
Static Code Analysis
Question
Who will define the baseline (e.g. definition of quality gates) for the static code analysis to be used in SonarQube - the PSO or the Main Contractor? Is there a White Book with best coding practices applied by DG CONNECT? Should the PSO contractor provide such a coding guide? Does the Commission apply specific rules/standards upon which the static code analysis is based?
Answer
20/09/2023
It is up to the PSO contractor to define the definition of the quality gates which shall be shared with the main contractor. There are no best coding practices specific to DG Connect. However, as inferred from the tender, DevSecOps should be used to automate the full pipeline from Initiation phase (continuous integration) to production (continuous delivery), with an objective for the code's journey to be automated, secured, and monitored throughout. As to static code analysis, all requirements are already specified in the tender specifications.