[BUILD-542] Experiment with Sonarqube

Created: 23/Sep/21 | Updated: 17/Apr/23 | Resolved: 17/Apr/23

| Field | Value |
| --- | --- |
| Status | Closed |
| Project | Build |
| Component/s | None |
| Affects Version/s | None |
| Fix Version/s | None |
| Type | Improvement |
| Priority | Neutral |
| Reporter | Maxime Michel |
| Assignee | Christoph Meier |
| Resolution | Obsolete |
| Votes | 0 |
| Labels | artt |
| Remaining Estimate | Not Specified |
| Time Spent | 3d 0.5h |
| Original Estimate | Not Specified |
Description
It could either run on PRs such as here: https://github.com/apache/jackrabbit-filevault/pull/167#issuecomment-924846894 or on our codebase in general. There, we would need a strategy to tackle issues and not simply get reports about them.

Sonarqube supports Bitbucket Server: https://docs.sonarqube.org/latest/analysis/bitbucket-integration/

Unlike SonarCloud, Sonarqube can be run locally: https://docs.sonarqube.org/latest/setup/get-started-2-minutes/

We need to set it up on a developer's machine and get a feel for what's possible with it. Sonarqube offers standard quality checks. mgeljic can also help when it comes to enforcing simple policies such as Lombok usage. Only in a second step should we look into writing custom checks, possibly across modules (e.g. code in pages should have test coverage in CE as well).
Comments

Comment by Maxime Michel [ 03/Jan/22 ]

Another example of checks to run with security hot spots: https://rules.sonarsource.com/java/type/Security%20Hotspot/RSPEC-4512
Comment by Mikaël Geljić [ 12/Apr/22 ]

Should we rather aim to integrate w/ Bitbucket (than Jenkins), through the Code Insights feature, with the Sonar for Bitbucket app? Would be worth a try.
Comment by Christoph Meier [ 13/Apr/22 ]

Thanks mgeljic - that was a very good hint! I just discussed it with mmichel - and it looks like that would be the way to go. As long as we do not expect PR decoration. (I just watched a video, I got the URL via Bitbucket via Maxime: https://www.youtube.com/watch?v=KaoI4jiySkQ) ... that would be nice ... but ... PR decoration only works with SonarQube Developer Edition and above - which is not free. It is paid by a model based on lines of code - and amanzoni told me that it gets super expensive. The free SonarQube version is Community Edition - that's also the one used by Services (for PaaS). Still, I think we should set up SonarQube in a way that it does the job on Bitbucket - but we need to figure out how helpful it really is, if it "only" works when trying to merge. And it's also limited to 1 branch!

P.S.
Comment by Maxime Michel [ 17/Apr/23 ]

Superseded by