[BUILD-542] Experiment with Sonarqube Created: 23/Sep/21  Updated: 17/Apr/23  Resolved: 17/Apr/23

Status: Closed
Project: Build
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Neutral
Reporter: Maxime Michel Assignee: Christoph Meier
Resolution: Obsolete Votes: 0
Labels: artt
Remaining Estimate: Not Specified
Time Spent: 3d 0.5h
Original Estimate: Not Specified

Issue Links:
relates to MGNLTEST-213 Enable SonarQube to use (on some) "co... Closed
Template:
Acceptance criteria: Empty
Date of First Response:
Team: Foundation

Description

It could either run on PRs such as here: https://github.com/apache/jackrabbit-filevault/pull/167#issuecomment-924846894

Or on our codebase in general. There, we would need a strategy to tackle issues and not simply get reports about them.

Sonarqube supports Bitbucket Server: https://docs.sonarqube.org/latest/analysis/bitbucket-integration/

Unlike SonarCloud, Sonarqube can be run locally: https://docs.sonarqube.org/latest/setup/get-started-2-minutes/

We need to set it up on a developer's machine and get a feel for what’s possible with it. Sonarqube offers standard quality checks. mgeljic can also help when it comes to enforcing simple policies such as Lombok usage.

Only in a second step should we look into writing custom checks, possibly across modules (e.g. code in pages should have test coverage in CE as well).

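The description asks for a strategy to tackle findings rather than just collecting reports. Below is an added example of such a strategy (a "ratchet": legacy findings go to a backlog, only new vulnerabilities, reviewable security hotspots and blocker/critical issues fail the gate). It is not code from this ticket or the project; it assumes the JSON shape of SonarQube's api/issues/search and api/hotspots/search responses (only the fields used), and the sample data, rule keys and component paths are constructed placeholders.

```python
"""Triage a SonarQube issue export instead of only reading the report.

Added example, not project code. Assumes the JSON shape of SonarQube's
api/issues/search and api/hotspots/search responses (only the fields used
below) and a "ratchet" policy: legacy findings go to a backlog, new
security-relevant or severe findings fail the gate.
"""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data. Rule keys and component paths are placeholders.
SAMPLE_ISSUES = json.dumps({"total": 4, "issues": [
    {"key": "AX-1", "rule": "java:S0001", "severity": "CRITICAL", "type": "VULNERABILITY",
     "component": "demo-module:src/main/java/com/example/Login.java", "line": 42,
     "creationDate": "2022-01-10T09:12:00+0100"},
    {"key": "AX-2", "rule": "java:S0002", "severity": "MAJOR", "type": "CODE_SMELL",
     "component": "demo-module:src/main/java/com/example/Util.java", "line": 7,
     "creationDate": "2021-06-01T14:00:00+0200"},
    {"key": "AX-3", "rule": "java:S0003", "severity": "BLOCKER", "type": "BUG",
     "component": "demo-module:src/main/java/com/example/Cache.java", "line": 120,
     "creationDate": "2021-08-15T08:30:00+0200"},
    {"key": "AX-4", "rule": "java:S0004", "severity": "MINOR", "type": "CODE_SMELL",
     "component": "demo-module:src/main/java/com/example/Login.java", "line": 55,
     "creationDate": "2022-01-12T16:45:00+0100"},
]})

SAMPLE_HOTSPOTS = json.dumps({"hotspots": [
    {"key": "HS-1", "ruleKey": "java:S0010", "vulnerabilityProbability": "HIGH",
     "status": "TO_REVIEW", "component": "demo-module:src/main/java/com/example/Login.java",
     "line": 61, "creationDate": "2022-01-11T10:00:00+0100"},
    {"key": "HS-2", "ruleKey": "java:S0011", "vulnerabilityProbability": "LOW",
     "status": "TO_REVIEW", "component": "demo-module:src/main/java/com/example/Util.java",
     "line": 19, "creationDate": "2021-03-02T11:20:00+0100"},
]})

# Findings created before this point are legacy; only newer ones can block.
BASELINE = datetime(2022, 1, 1, tzinfo=timezone.utc)
BLOCKING_SEVERITIES = {"BLOCKER", "CRITICAL"}
HOTSPOT_REVIEW_NOW = {"HIGH", "MEDIUM"}


@dataclass(frozen=True)
class Finding:
    key: str
    rule: str
    kind: str        # BUG, VULNERABILITY, CODE_SMELL or SECURITY_HOTSPOT
    severity: str    # issue severity, or vulnerabilityProbability for hotspots
    component: str
    line: int | None
    created: datetime


def _parse_date(value: str) -> datetime:
    # SonarQube emits offsets without a colon, e.g. 2022-01-10T09:12:00+0100; %z accepts that.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")


def parse_issues(raw: str) -> list[Finding]:
    return [Finding(i["key"], i["rule"], i["type"], i["severity"], i["component"],
                    i.get("line"), _parse_date(i["creationDate"]))
            for i in json.loads(raw)["issues"]]


def parse_hotspots(raw: str) -> list[Finding]:
    # Hotspots carry no severity; their review probability fills the same slot.
    return [Finding(h["key"], h["ruleKey"], "SECURITY_HOTSPOT", h["vulnerabilityProbability"],
                    h["component"], h.get("line"), _parse_date(h["creationDate"]))
            for h in json.loads(raw)["hotspots"]]


def is_blocking(f: Finding, baseline: datetime) -> bool:
    """New AND (vulnerability, hotspot worth reviewing now, or blocker/critical)."""
    if f.created < baseline:
        return False
    if f.kind == "VULNERABILITY":
        return True
    if f.kind == "SECURITY_HOTSPOT":
        return f.severity in HOTSPOT_REVIEW_NOW
    return f.severity in BLOCKING_SEVERITIES


def triage(findings: list[Finding], baseline: datetime) -> dict:
    blocking = [f for f in findings if is_blocking(f, baseline)]
    backlog = [f for f in findings if not is_blocking(f, baseline)]
    summary = Counter((f.kind, "new" if f.created >= baseline else "legacy") for f in findings)
    return {"blocking": blocking, "backlog": backlog, "summary": summary}


def gate_passes(result: dict) -> bool:
    return not result["blocking"]


def format_report(result: dict) -> str:
    lines = ["BLOCKING (fix before merge):"]
    lines += [f"  {f.key} {f.kind} {f.severity} {f.component}:{f.line} ({f.rule})" for f in result["blocking"]]
    lines.append("BACKLOG (track, burn down per module):")
    lines += [f"  {f.key} {f.kind} {f.severity} {f.component}:{f.line}" for f in result["backlog"]]
    lines.append("SUMMARY: " + ", ".join(f"{k}/{age}={n}" for (k, age), n in sorted(result["summary"].items())))
    return "\n".join(lines)


if __name__ == "__main__":
    all_findings = parse_issues(SAMPLE_ISSUES) + parse_hotspots(SAMPLE_HOTSPOTS)
    outcome = triage(all_findings, BASELINE)
    print(format_report(outcome))
    raise SystemExit(0 if gate_passes(outcome) else 1)
```

Run as a script it prints the two lists and exits non-zero because the sample contains a new vulnerability (AX-1) and a new HIGH-probability hotspot (HS-1); the three legacy findings and the new minor code smell land in the backlog. Moving the baseline forward (for instance to the date of the last clean-up) is the one knob that decides what counts as legacy, which is the point of the ratchet: the report never gets noisier than the team's current commitment.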


Comments
Comment by Maxime Michel [ 03/Jan/22 ]

Another example of checks to run with security hot spots: https://rules.sonarsource.com/java/type/Security%20Hotspot/RSPEC-4512

Comment by Mikaël Geljić [ 12/Apr/22 ]

Should we rather aim to integrate w/ Bitbucket (than Jenkins), through the Code Insights feature, with the Sonar for Bitbucket app? Would be worth a try.

Comment by Christoph Meier [ 13/Apr/22 ]

Thanks mgeljic - that was a very good hint! I just discussed it with mmichel - and it looks like that would be the way to go.

As long as we do not expect PR decoration. (I just watched a video; I got the URL via Bitbucket from Maxime: https://www.youtube.com/watch?v=KaoI4jiySkQ) ... that would be nice ... but ...

PR decoration only works with SonarQube Developer Edition and above - which is not free. It is paid for by a lines-of-code model - and amanzoni told me that it gets super expensive.
See https://docs.sonarqube.org/8.5/analysis/pr-decoration/
That's actually a bummer.

The free version of SonarQube is Community Edition - that's also the one used by Services (for PaaS).
We (Foundation) thought about also using the CE version - at least to start with.
With the CE version, SonarQube kicks in when someone tries to merge/commit.

Still I think we should set up SonarQube in a way that it does the job on Bitbucket - but we need to figure out how helpful it really is if it "only" works when trying to merge. And it's also limited to 1 branch!


P.S.
This ticket is "done" / I should close it.
We now have a story -> MGNLTEST-213

Comment by Maxime Michel [ 17/Apr/23 ]

Superseded by MGNLTEST-213.
