PLUGINAPI-189 Add new metrics

[OrlovAlexander85]

Validation from SQC:

Severity values added to be align with severity of metrics added by SCA recently

For SonarSourcers:

Check before making the PR ready for review

• Create a JIRA ticket if the API is impacted
• Prefix the commit message with the ticket number
• Document the change in CHANGELOG.md
• When adding a new API:
  • Explain in the JavaDoc the purpose of the new API
  • Add a @since X.Y in the JavaDoc
• When deprecating an API:
  • Annotate the deprecated element with @Deprecated
  • Add a @deprecated since X.Y in the JavaDoc
  • Document the replacement in the JavaDoc (if any)
• When dropping an API:
  • Make sure it respects the deprecation policy
  • Bump the major version (breaking change)
• Make sure the tests adhere to the convention:
  • All test method names should use snake_case, for example: test_validate_input. It can also start with the methodName
• Make sure checks are green: build passes, Quality Gate is green
• Merge after getting approval by at least one member of the guild
  • If no review is made within 3 days, gently ping the reviewers
  • The guild member reviewing the code can explicitly request someone else (typically another guild member representing another team) to check the impact on the specific product
  • In some cases, the guild may deem it necessary that multiple or even all members approve a PR. This is more likely in complex changes or changes directly impacting all teams using the API.

For external contributors:

Please be aware that we are not actively looking for feature contributions. The truth is that it's extremely difficult for someone outside SonarSource to comply with our roadmap and expectations. Therefore, we typically only accept minor cosmetic changes and typo fixes. If you would like to see a new feature, please create a new thread in the forum "Suggest new features".

With that in mind, if you would like to submit a code contribution, make sure that you adhere to the following guidelines and all tests are passing:

Please explain your motives to contribute this change: what problem you are trying to fix, what improvement you are trying to make
Use the following formatting style: SonarSource/sonar-developer-toolset
Provide a unit test for any code you changed
If there is a JIRA ticket available, please make your commits and pull request start with the ticket ID (PLUGINAPI-XXXX)

Please note that opening the PR will notify all the squad members. Please make sure you keep it in DRAFT and mark it ready, when all the checks are green.

We will try to give you feedback on your contribution as quickly as possible.

Thank You! The SonarSource Team

[hashicorp-vault-sonar-prod]

PLUGINAPI-189

[sonar-review-alpha]

Summary

This PR adds six new severity-based metrics to track the worst severity level of issues in new code, across both the MQR (Reliability/Security/Maintainability) and standard SonarQube quality models. A new SeverityValues utility class provides integer constants (0, 5, 10, 15, 20, 25) representing severity levels (NO_ISSUES through BLOCKER), with guidance on quality gate configuration. CHANGELOG is updated.

What reviewers should know

Where to start: Check CoreMetrics.java line 1050+ and line 1209+ for the three pairs of new metrics (6 total). Then review the new SeverityValues.java to understand the severity integer mapping.

Key patterns to verify:

• All six new metrics follow the same pattern: key constant + Metric<Integer> object with matching configuration
• All use DIRECTION_WORST (higher value = worse), setDeleteHistoricalData(true), and best/worst values tied to SeverityValues constants
• Severity integers are spaced by 5; the comment in SeverityValues explains why (quality gate thresholds use value - 1 with GREATER_THAN)

Watch for:

• Consistency across the three metric pairs—verify all have the same builder configuration
• The severity constant values (0, 5, 10, 15, 20, 25) and the quality gate guidance in the Javadoc are aligned
• The @since 13.6 tags are correct

Integration note: These metrics expose severity distribution data rather than just counts; confirm this aligns with how SonarQube/SonarCloud will populate these metrics in practice.

---

• Generate Walkthrough
• Generate Diagram

🗣️ Give feedback

[sonar-review-alpha]

Some previously flagged issues are still open.

🗣️ Give feedback

[sonarqube-next]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[antoine-vinot-sonarsource]

LGTM!

[zipengwu]

This library is used in all our products, we need to add mapping with RuleSeverity and ImpactSeverity here.