[jira] [Commented] (CASSANDRA-18390) Run Sonar analyzer over the Cassandra project

2023-04-11 Thread Maxim Muzafarov (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-18390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17711053#comment-17711053
 ] 

Maxim Muzafarov commented on CASSANDRA-18390:
-

I have updated the PR according to my research with the same aim in relation to 
the Apache Ignite project. Here are the results and how it may look for 
Cassandra:
https://sonarcloud.io/summary/overall?id=apache_ignite

In summary, to achieve a complete solution for source code analysis, we need to 
prepare the developer's side and the server's side of the solution. 

For the server side, we need to:
- Prepare automation jobs to upload branch check results to sonarcloud.io and 
the same for pull request analysis, I suggest we can use GitHub Actions here;
- Prepare the right token to upload sonar analysis results (contact the INFRA 
team);
- As some checks can take a considerable amount of time, we need to configure a 
"quality profile" for the Cassandra project on sonarcloud.io (project 
administrators can do this, see INFRA-24196);
- Test coverage should be excluded from the initial version of the server-side 
changes, as running tests could take a large amount of time, so it would be 
better to fetch coverage results from Jenkins or CircleCI for efficiency; 

For the developer side, we need to:
- Update the documentation and "how to" guides with steps to install the 
SonarLint plugin (available for IntelliJ IDEA, Eclipse); 
- Communicate to the community for tokens to use for this plugin and how these 
tokens might be received;


> Run Sonar analyzer over the Cassandra project
> -
>
> Key: CASSANDRA-18390
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18390
> Project: Cassandra
> Issue Type: Task
> Components: Build
> Reporter: Maxim Muzafarov
> Assignee: Maxim Muzafarov
> Priority: Normal
> Time Spent: 10m
> Remaining Estimate: 0h
>
> As we already have Cassandra's project configured for the sonarcloud.io 
> INFRA-24196, I wonder if we will be able to release branches, trunk, and pull 
> requests to get analyzed by the SonarAnalyzer tool.
> Sonar is a code quality and security tool that is free to open-source 
> projects and recommended by the INFRA team:
> https://cwiki.apache.org/confluence/display/INFRA/SonarCloud+for+ASF+projects
> It can have the following benefits without introducing any drawbacks (except 
> for a few lines of source code)
> - visualise the LFH problems to work on;
> - see the trends in the source code;
> - add an extra layer of static code analysis;
> Changes below I have tested it locally with my SonarQube deployed on 
> http://localhost:9000 and run the `act` for the GA part of the PR.  It seems 
> to work and parse classes correctly, but there are a few steps that need to 
> be done by Cassandra's Committer or PMC (I do not have sufficient privileges):
> - Get the {{sonar.projectKey}} from the INFRA team;
> - make sure that the {{SONARCLOUD_TOKEN}} is available for GA and enabled for 
> the project;



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org



[jira] [Commented] (CASSANDRA-18390) Run Sonar analyzer over the Cassandra project

2023-03-31 Thread Maxim Muzafarov (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-18390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17707439#comment-17707439
 ] 

Maxim Muzafarov commented on CASSANDRA-18390:
-

Ok, I seem to have configured the SonarLint plugin as follows (we can probably 
update the documentation pages once we decide to move on):
- installed the SonarLint plugin;
- logged in with my ASF credentials through GitHub to https://sonarcloud.io/ ;
- generated a new token for myself on My Account -> Security tab (any ASF 
member could also provide this token for a member who doesn't have the ASF 
membership);
- configured a new cloud connection (supported for IntelliJ IDEA, Eclipse only) 
for the SonarLint plugin using the given token Settings -> Tools -> SonarLint;
- bound the project to the connection: Settings -> Tools -> SonarLint -> Bind to 
SonarCloud, and used "apache_cassandra" as the projectKey pulled from 
SonarCloud;


I think the main concern here is "where can I get a sonar auth token", so it 
shouldn't be a problem for an ASF member. For the others, a user can ask 
someone on the @dev slack channel for it, I guess, as according to this note it 
is quite legal to share tokens:

{code}
If you want to enforce security by not providing credentials of a real 
SonarCloud user to run your code scan or to invoke web services, you can 
provide a User Token as a replacement of the user login. This will increase the 
security of your installation by not letting your analysis user's password 
going through your network.
{code}





[jira] [Commented] (CASSANDRA-18390) Run Sonar analyzer over the Cassandra project

2023-03-30 Thread Josh McKenzie (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-18390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17707020#comment-17707020
 ] 

Josh McKenzie commented on CASSANDRA-18390:
---

Right. Hence the documentation angle; the sonarlint plugin should integrate 
w/the sonarqube instance and pick up the rules there. Was a passing thought on 
the "auto-magically do this as part of generating idea files", but likely 
wouldn't work since it requires the plugin + likely auth.




[jira] [Commented] (CASSANDRA-18390) Run Sonar analyzer over the Cassandra project

2023-03-29 Thread Maxim Muzafarov (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-18390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17706601#comment-17706601
 ] 

Maxim Muzafarov commented on CASSANDRA-18390:
-

[~jmckenzie] I think these are different sides of the same coin. We can't force 
developers and new contributors to install plugins for their IDEs. However, for 
example, if we enable checkstyle for the build, a developer might want to check 
their changes before committing and failing the build, so they will look for 
documentation about our recommendations (installing plugins, how to run the 
build locally). So the Sonar -> Sonarlint plugin path looks better to me than 
Sonarlint -> Sonar, but it is still the same coin.

The downside of having ant generate-idea-files scripts is that we have to 
maintain them for different IDEs and make them backwards compatible for those 
IDEs, instead of focusing on the project goals. I think a better approach might 
be to make the code styles shareable (plugins are still out of scope, but 
inspections are) - I have created an issue for this CASSANDRA-18277, so I could 
move forward with that with your help :-)




[jira] [Commented] (CASSANDRA-18390) Run Sonar analyzer over the Cassandra project

2023-03-29 Thread Josh McKenzie (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-18390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17706561#comment-17706561
 ] 

Josh McKenzie commented on CASSANDRA-18390:
---

Might want to update IDE config (assuming there's something to do in ant 
generate-idea-files) or documentation to point to [sonarlint plugin 
integration|https://www.sonarsource.com/products/sonarlint/features/jetbrains/].
 I've been using this for the past few weeks since the eclipse topic came up 
and been pleased with the quick feedback cycles of having these checks locally 
available and integrated with the IDE, and the closer we can get to people 
conforming with the stylistic guidance of whatever subset of linter rules we 
want to enforce the more we can expect the burden of that conformance to go 
down.
