[jira] [Commented] (CASSANDRA-18390) Run Sonar analyzer over the Cassandra project
    [ https://issues.apache.org/jira/browse/CASSANDRA-18390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17711053#comment-17711053 ]

Maxim Muzafarov commented on CASSANDRA-18390:
---------------------------------------------

I have updated the PR according to my research with the same aim in relation to the Apache Ignite project. Here are the results and how it may look for Cassandra:
https://sonarcloud.io/summary/overall?id=apache_ignite

In summary, to achieve a complete solution for source code analysis, we need to prepare the developer's side and the server's side of the solution.

For the server side, we need to:
- Prepare automation jobs to upload branch check results to sonarcloud.io and the same for pull request analysis, I suggest we can use GitHub Actions here;
- Prepare the right token to upload sonar analysis results (contact the INFRA team);
- As some checks can take a considerable amount of time, we need to configure a "quality profile" for the Cassandra project on sonarcloud.io (project administrators can do this, see INFRA-24196);
- Test coverage should be excluded from the initial version of the server-side changes, as running tests could take a large amount of time, so it would be better to fetch coverage results from Jenkins or CircleCI for efficiency;

For the developer side, we need to:
- Update the documentation and "how to" guides with steps to install the SonarLint plugin (available for IntelliJ IDEA, Eclipse);
- Communicate to the community for tokens to use for this plugin and how these tokens might be received;

> Run Sonar analyzer over the Cassandra project
> ---------------------------------------------
>
>                 Key: CASSANDRA-18390
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18390
>             Project: Cassandra
>          Issue Type: Task
>          Components: Build
>            Reporter: Maxim Muzafarov
>            Assignee: Maxim Muzafarov
>            Priority: Normal
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> As we already have Cassandra's project configured for the sonarcloud.io
> INFRA-24196, I wonder if we will be able to release branches, trunk, and pull
> requests to get analyzed by the SonarAnalyzer tool.
> Sonar is a code quality and security tool that is free to open-source
> projects and recommended by the INFRA team:
> https://cwiki.apache.org/confluence/display/INFRA/SonarCloud+for+ASF+projects
> It can have the following benefits without introducing any drawbacks (except
> for a few lines of source code)
> - visualise the LFH problems to work on;
> - see the trends in the source code;
> - add an extra layer of static code analysis;
> Changes below I have tested it locally with my SonarQube deployed on
> http://localhost:9000 and run the `act` for the GA part of the PR. It seems
> to work and parse classes correctly, but there are a few steps that need to
> be done by Cassandra's Committer or PMC (I do not have sufficient privileges):
> - Get the {{sonar.projectKey}} from the INFRA team;
> - make sure that the {{SONARCLOUD_TOKEN}} is available for GA and enabled for
> the project;

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-18390) Run Sonar analyzer over the Cassandra project
    [ https://issues.apache.org/jira/browse/CASSANDRA-18390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17707439#comment-17707439 ]

Maxim Muzafarov commented on CASSANDRA-18390:
---------------------------------------------

Ok, I seem to have configured the SonarLint plugin as follows (we can probably update the documentation pages once we decide to move on):
- installed the SonarLint plugin;
- logged in with my ASF credentials through GitHub to https://sonarcloud.io/ ;
- generated a new token for myself on My Account -> Security tag (any ASF member could also provide this token for a member who doesn't have the ASF membership);
- configured a new cloud connection (supported for IntelliJ IDEA, Eclipse only) for the SonarLint plugin using the given token Settings -> Tools -> SonarLint;
- bound the project to the connection: Settings -> Tools -> SonarLint -> Bind to Sonarcloud, and used "apache_cassandra" as the projectKey pulled from Sonarcloud;

I think the main concern here is "where can I get a sonar auth token", so it shouldn't be a problem for an ASF member. For the others, a user can ask someone on the @dev slack channel for it, I guess, as according to this note it is quite legal to share tokens:

{code}
If you want to enforce security by not providing credentials of a real SonarCloud user to run your code scan or to invoke web services, you can provide a User Token as a replacement of the user login. This will increase the security of your installation by not letting your analysis user's password going through your network.
{code}
[jira] [Commented] (CASSANDRA-18390) Run Sonar analyzer over the Cassandra project
    [ https://issues.apache.org/jira/browse/CASSANDRA-18390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17707020#comment-17707020 ]

Josh McKenzie commented on CASSANDRA-18390:
-------------------------------------------

Right. Hence the documentation angle; the sonarlint plugin should integrate w/the sonarqube instance and pick up the rules there. Was a passing thought on the "auto-magically do this as part of generating idea files", but likely wouldn't work since it requires the plugin + likely auth.
[jira] [Commented] (CASSANDRA-18390) Run Sonar analyzer over the Cassandra project
    [ https://issues.apache.org/jira/browse/CASSANDRA-18390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17706601#comment-17706601 ]

Maxim Muzafarov commented on CASSANDRA-18390:
---------------------------------------------

[~jmckenzie] I think these are different sides of the same coin. We can't force developers and new contributors to install plugins for their IDEs. However, for example, if we enable checkstyle for the build, a developer might want to check their changes before committing and failing the build, so they will look for documentation about our recommendations (installing plugins, how to run the build locally). So the Sonar -> Sonarlint plugin path looks better to me than Sonarlint -> Sonar, but it is still the same coin.

The downside of having ant generate-idea-files scripts is that we have to maintain them for different IDEs and make them backwards compatible for those IDEs, instead of focusing on the project goals. I think a better approach might be to make the code styles shareable (plugins are still out of scope, but inspections are) - I have created an issue for this CASSANDRA-18277, so I could move forward with that with your help :-)
[jira] [Commented] (CASSANDRA-18390) Run Sonar analyzer over the Cassandra project
    [ https://issues.apache.org/jira/browse/CASSANDRA-18390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17706561#comment-17706561 ]

Josh McKenzie commented on CASSANDRA-18390:
-------------------------------------------

Might want to update IDE config (assuming there's something to do in ant generate-idea-files) or documentation to point to [sonarlint plugin integration|https://www.sonarsource.com/products/sonarlint/features/jetbrains/].

I've been using this for the past few weeks since the eclipse topic came up and been pleased with the quick feedback cycles of having these checks locally available and integrated with the IDE, and the closer we can get to people conforming with the stylistic guidance of whatever subset of linter rules we want to enforce the more we can expect the burden of that conformance to go down.