LLM code quality reality
Sonar tests 53 LLMs on 4,444 Java tasks, finds GPT-5 4x more verbose than Gemini and Claude most vulnerable AI EngineerTL;DW
- Sonar evaluated 53+ LLMs on 4,444 Java assignments; Gemini 3.1 Pro High leads with 84.17% pass rate but generates verbose, complex code with 210 security issues per million lines.
- Claude Sonnet 4.6 generates 627,000 lines of code for test suite with 300 security issues per million lines; GPT-4 variants produce 1.2 million lines, creating severe verbosity problems.
- LLM code quality issues stem from mixed-quality training data, inbuilt security flaws in datasets, hidden logic errors, probabilistic generation, limited context, and lack of explainability.
- Newer LLM models generate progressively more lines of code and higher cyclomatic/cognitive complexity than earlier versions, creating harder-to-understand and harder-to-maintain solutions.
- 55% of developers regularly use AI agents for coding per March 2024 Pragmatic Engineer Survey, but functional correctness metrics (80%+ pass rates) miss real-world reliability, security, and maintainability gaps.
- Sonar's ACDC framework addresses LLM code quality through three stages: Guide (context augmentation, data treatment), Verify (runtime agentic analysis in 1-5 seconds before commit), Solve (remediation agent for tech debt).
- SonarQube agentic analysis runs in 1-5 seconds before code commit, catching issues faster than CI/CD (1-5 minutes) and enabling agents to fix problems before code submission.
- Sonar remediation agent auto-fixes issues and tech debt by creating per-issue PRs, re-analyzing and recompiling to prevent regressions before delivering code to developers.
- Cyclomatic complexity measures code branches (ifs, loops, conditions); cognitive complexity measures human readability and maintainability difficulty—LLMs score high on both, requiring expert review.
- LLM leaderboards focus on functional correctness (80%+ accuracy) but ignore security density, bug rates (614+ per million lines), complexity, verbosity, and maintainability—critical for enterprise readiness.
TL;DW
- Sonar evaluated 53+ LLMs on 4,444 Java assignments; Gemini 3.1 Pro High leads with 84.17% pass rate but generates verbose, complex code with 210 security issues per million lines.
- Claude Sonnet 4.6 generates 627,000 lines of code for test suite with 300 security issues per million lines; GPT-4 variants produce 1.2 million lines, creating severe verbosity problems.
- LLM code quality issues stem from mixed-quality training data, inbuilt security flaws in datasets, hidden logic errors, probabilistic generation, limited context, and lack of explainability.
- Newer LLM models generate progressively more lines of code and higher cyclomatic/cognitive complexity than earlier versions, creating harder-to-understand and harder-to-maintain solutions.
- 55% of developers regularly use AI agents for coding per March 2024 Pragmatic Engineer Survey, but functional correctness metrics (80%+ pass rates) miss real-world reliability, security, and maintainability gaps.
- Sonar's ACDC framework addresses LLM code quality through three stages: Guide (context augmentation, data treatment), Verify (runtime agentic analysis in 1-5 seconds before commit), Solve (remediation agent for tech debt).
- SonarQube agentic analysis runs in 1-5 seconds before code commit, catching issues faster than CI/CD (1-5 minutes) and enabling agents to fix problems before code submission.
- Sonar remediation agent auto-fixes issues and tech debt by creating per-issue PRs, re-analyzing and recompiling to prevent regressions before delivering code to developers.
- Cyclomatic complexity measures code branches (ifs, loops, conditions); cognitive complexity measures human readability and maintainability difficulty—LLMs score high on both, requiring expert review.
- LLM leaderboards focus on functional correctness (80%+ accuracy) but ignore security density, bug rates (614+ per million lines), complexity, verbosity, and maintainability—critical for enterprise readiness.
Evaluated against enterprise dimensions—security, maintainability, reliability—LLMs that pass functional benchmarks at 80–84% still generate excessive complexity and bugs. GPT-5 produces 1.2M lines vs. Gemini's 300K for identical tasks; Claude Sonnet logs 300 security issues per million LOC. Sonar's ACDC framework adds real-time agentic analysis and auto-remediation before merge.
