We are experimenting with using jqassistant for automatic audit compliance checking. As is typical in that area, there are a lot of constraints, but they are not necessarily hard constraints.
For example, in software architecture, a guideline violation can only lead to two possible outcomes: either the code has to change to match the constraint, or the guideline, and hence the constraint, has to be changed.
When you go into compliance, however, there is essentially a third option: the violation of the constraint is willfully accepted and a justification is given for why it is ok to violate it in these specific circumstances.
A concrete example: you plan projects, and generally there is a rule that you have to do certain risk management tasks. However, one particular project is a tiny 2-3 day project, where the impact of any risks is negligible. So it doesn't make any sense to run a full risk management process.
Let's get this back together with jqassistant: there are a whole bunch of constraints that need to be verified. However, a certain constraint, which checks that a risk management overview document exists, should be ignored in this scenario.
How do you best do that?
Is there some configuration parameter that allows the explicit exclusion of certain constraints? Or maybe I'm thinking about all of this in a wrong way?
I'm aware of being able to explicitly specify the individual or groups of constraints that shall be checked with the -constraints or -groups parameters. However, using these has two major flaws:
Currently rules (i.e. concepts, constraints and groups) can only be included but not excluded. So at this moment I see two options:
If there's a way of having several constraints always executed together then they should be put into groups that are then included in a top-level group. This approach is simple but still there's a chance that a certain group is missed.
A more complex approach (not verified but should work): a top-level group "default" includes all known constraints but also includes a group "overrides" that is not defined but must be made available for each analysis project explicitly. It includes the constraints, lowering their severity from MAJOR to MINOR or INFO, see http://buschmais.github.io/jqassistant/doc/1.6.0/#_severity_of_rules for an example.
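A worked version of the second approach, added here as an illustration rather than code from the thread or from the jQAssistant project. The rule ids, the file names, the rule schema namespace version (v1.4 is assumed to match the 1.6.0 docs linked above) and the Cypher body are assumptions; the `File` label and `fileName` property are what the jQAssistant file scanner produces. Two rule files are shown in one block: the shared rule set every audited project uses, and the per-project `overrides` file that the shared set references but deliberately does not define.

```xml
<!-- File 1: shared rule set, e.g. jqassistant/compliance.xml in a rules
     directory or rules jar used by every audited project (assumed layout). -->
<jqassistant-rules xmlns="http://www.buschmais.com/jqassistant/core/rule/schema/v1.4">

    <!-- Entry point: run all compliance constraints, then pull in the
         project-specific overrides group. Because "overrides" is not defined
         here, analysis fails on an unresolved rule reference unless the
         project ships its own overrides file, empty or not. -->
    <group id="default">
        <includeGroup refId="compliance"/>
        <includeGroup refId="overrides"/>
    </group>

    <group id="compliance">
        <includeConstraint refId="compliance:RiskManagementOverviewExists"/>
        <!-- further compliance constraints are included here -->
    </group>

    <!-- A constraint is violated when its query returns rows: this one returns
         a single row when no scanned file is the risk management overview.
         The document name is an assumption for the example. -->
    <constraint id="compliance:RiskManagementOverviewExists" severity="major">
        <description>A risk management overview document must exist in the project.</description>
        <cypher><![CDATA[
            OPTIONAL MATCH (f:File)
              WHERE f.fileName ENDS WITH "/risk-management-overview.md"
            WITH count(f) AS documents
            WHERE documents = 0
            RETURN documents AS MissingRiskManagementOverview
        ]]></cypher>
    </constraint>

</jqassistant-rules>

<!-- File 2: jqassistant/overrides.xml, provided by each project. A project
     with no exceptions ships an empty "overrides" group. The 2-3 day project
     re-includes the constraint at severity "info": the finding is still
     reported, and the justification for waiving it lives next to the waiver
     in version control. -->
<jqassistant-rules xmlns="http://www.buschmais.com/jqassistant/core/rule/schema/v1.4">

    <group id="overrides">
        <!-- Justification: 2-3 day project, risk impact negligible, no full
             risk management process required (approved by project lead). -->
        <includeConstraint refId="compliance:RiskManagementOverviewExists" severity="info"/>
    </group>

</jqassistant-rules>
```

Two things to check before relying on this. First, the constraint is reached by two include paths, once at its declared severity and once at the overridden one, and the answer above says this is unverified: run an analysis with the override in place and confirm in the report which severity wins in the installed version. Second, lowering the severity only helps if the build's failure threshold sits above it (the analyze task's fail-on-severity setting), otherwise the waived constraint still breaks the build.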