This is an automated email from the ASF dual-hosted git repository.
weichiu pushed a commit to branch HDDS-9225-website-v2
in repository https://gitbox.apache.org/repos/asf/ozone-site.git
The following commit(s) were added to refs/heads/HDDS-9225-website-v2 by this
push:
new 27299665a HDDS-14300. added static code analysis page (#312)
27299665a is described below
commit 27299665a7b0e65e7db9b753c89366427330f9c8
Author: Andrey Yarovoy <[email protected]>
AuthorDate: Thu Feb 5 19:36:09 2026 -0500
HDDS-14300. added static code analysis page (#312)
Co-authored-by: Wei-Chiu Chuang <[email protected]>
---
cspell.yaml | 1 +
.../03-test/05-static-analysis.md | 177 ++++++++++++++++++++-
2 files changed, 175 insertions(+), 3 deletions(-)
diff --git a/cspell.yaml b/cspell.yaml
index b98d7535d..d6d93e00c 100644
--- a/cspell.yaml
+++ b/cspell.yaml
@@ -112,6 +112,7 @@ words:
- matomo
- qube
- PKI
+- PMD
- proto
- protolock
- protolocks
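Review bot: PMD is the only new dictionary word here, but the page added in the second file also introduces the terms SpotBugs, FindBugs, SonarCloud and Checkstyle; confirm those already pass cspell (none are visible in this hunk's context) or add them next to `- PMD` so the spell check does not fail on the new page.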
diff --git a/docs/08-developer-guide/03-test/05-static-analysis.md
b/docs/08-developer-guide/03-test/05-static-analysis.md
index 5870a6b1f..eeb530cb6 100644
--- a/docs/08-developer-guide/03-test/05-static-analysis.md
+++ b/docs/08-developer-guide/03-test/05-static-analysis.md
@@ -2,8 +2,179 @@
sidebar_label: Static Analysis
---
-# Static Analysis With SonarQube
+# Static Code Analysis
-**TODO:** File a subtask under
[HDDS-9861](https://issues.apache.org/jira/browse/HDDS-9861) and complete this
page or section.
+Apache Ozone uses static code analysis tools to identify potential bugs, code
smells, security vulnerabilities, and other issues before they make it into
production. SonarQube is the primary tool used for comprehensive code quality
analysis.
-Document how Ozone uses SonarQube, how to access it, view results, and fix
issues.
+## SonarQube Overview
+
+[SonarQube](https://www.sonarqube.org/) is an open-source platform for
continuous inspection of code quality. It performs automatic reviews with
static analysis to detect:
+
+- Bugs and logic errors
+- Code smells (maintainability issues)
+- Security vulnerabilities
+- Duplicated code
+- Test coverage gaps
+- Coding standard violations
+
+## SonarCloud for Apache Ozone
+
+Apache Ozone uses SonarCloud, a cloud-based version of SonarQube, for
continuous code quality analysis.
+
+### Accessing SonarCloud
+
+The Ozone project's SonarCloud dashboard is publicly available at:
https://sonarcloud.io/project/overview?id=hadoop-ozone
+
+### When Analysis Runs
+
+SonarCloud analysis is triggered automatically on:
+
+- Merges to the main branch
+- Release tag creation
+
+The analysis is integrated into the GitHub Actions CI workflow in
.github/workflows/ci.yml.
+
+## Understanding SonarQube Results
+
+### Dashboard Overview
+
+The SonarCloud dashboard provides high-level metrics including:
+
+- **Quality Gate Status**: Overall pass/fail status based on quality thresholds
+- **Bugs**: Logic errors and potential runtime issues
+- **Vulnerabilities**: Security issues
+- **Code Smells**: Maintainability issues
+- **Coverage**: Percentage of code covered by tests
+- **Duplications**: Percentage of duplicated code
+
+### Issue Severity Levels
+
+SonarQube categorizes issues by severity:
+
+- **Blocker**: Issues that must be fixed immediately (risk of system failure)
+- **Critical**: High-impact issues requiring urgent attention
+- **Major**: Default severity for most issues
+- **Minor**: Low-impact issues with minimal risk
+- **Info**: Non-critical issues that represent best practice violations
+
+## Addressing SonarQube Issues
+
+### Fixing Common Issues
+
+#### 1. Code Smells
+
+Typically maintenance-related issues like:
+
+```java
+// Before: Magic number
+if (retryCount > 5) {
+// Retry logic
+}
+
+// After: Named constant
+private static final int MAX_RETRY_COUNT = 5;
+
+if (retryCount > MAX_RETRY_COUNT) {
+// Retry logic
+}
+```
+
+#### 2. Bugs
+
+Logic errors that could cause runtime issues:
+
+```java
+// Before: Potential NullPointerException
+String value = map.get("key").toString();
+
+// After: Null check
+String rawValue = map.get("key");
+String value = rawValue != null ? rawValue.toString() : "";
+```
+
+#### 3. Security Vulnerabilities
+
+Issues that could expose security weaknesses:
+
+```java
+// Before: Hardcoded credentials
+private static final String PASSWORD = "p@ssw0rd";
+
+// After: Configuration-based approach
+private String password = configuration.get("security.password");
+```
+
+## Other Static Analysis Tools
+
+In addition to SonarQube, Ozone uses several other static analysis tools:
+
+### 1. SpotBugs (Formerly FindBugs)
+
+Detects potential bugs in Java code through bytecode analysis.
+
+```shell
+# Run SpotBugs
+cd hadoop-ozone/dev-support/checks
+./findbugs.sh
+```
+
+Configuration is `in hadoop-ozone/dev-support/checks/findbugs.sh`
+
+### 2. PMD
+
+Source code analyzer that finds common programming flaws.
+
+```shell
+# Run PMD
+cd hadoop-ozone/dev-support/checks
+./pmd.sh
+```
+
+Rules are defined in `dev-support/pmd/pmd-ruleset.xml`
+
+### 3. Checkstyle
+
+Enforces coding standards and conventions.
+
+```shell
+# Run Checkstyle
+cd hadoop-ozone/dev-support/checks
+./checkstyle.sh
+```
+
+### 4. RAT
+
+Enforces Apache license header in all files
+
+```shell
+# Run rat
+cd hadoop-ozone/dev-support/checks
+./rat.sh
+```
+
+Exclusions are defined in `dev-support/rat/rat-exclusions.txt`
+
+## Best Practices
+
+1. **Fix issues early**: Address static analysis findings as you develop
+2. **Prioritize by severity**: Focus on Blocker and Critical issues first
+3. **Maintain test coverage**: Keep coverage high to catch regressions
+4. **Understand false positives**: Some issues may be false alarms; use
`@SuppressWarnings` with care
+5. **Run locally before pushing**: Run static analysis checks locally to catch
issues early
+
+```shell
+# Run all static analysis checks
+cd hadoop-ozone/dev-support/checks
+./findbugs.sh
+./pmd.sh
+./checkstyle.sh
+./rat.sh
+```
+
+## Resources
+
+- [SonarSource Rules](https://rules.sonarsource.com/java/) - Detailed
explanations of Java rules
+- [SpotBugs Bug
Patterns](https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html) -
Explanations of bug patterns
+- [PMD Rules](https://pmd.github.io/latest/pmd_rules_java.html) - Complete
list of PMD rules
+- [Checkstyle Checks](https://checkstyle.sourceforge.io/checks.html) -
Available Checkstyle checks
+cspell.yaml
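Review bot: the "Security Vulnerabilities" example under "Fixing Common Issues" presents `private String password = configuration.get("security.password");` as the fix for a hardcoded credential, but it only moves the plaintext secret from source into a configuration value; the text should say that the configuration source must itself be protected (not committed to the repository, restricted file permissions, or a credential provider rather than a plain property), otherwise readers will treat a plaintext config password as the secure pattern. Two smaller points in the same hunk: the "Bugs" example assigns `map.get("key")` to a `String` and then calls `rawValue.toString()`, which is a no-op on a `String`, so the "after" snippet should either keep the map's value type or drop the `toString()`; and the SpotBugs paragraph has the backtick in the wrong place (`Configuration is \`in hadoop-ozone/dev-support/checks/findbugs.sh\`` should be `Configuration is in \`hadoop-ozone/dev-support/checks/findbugs.sh\``), while the PMD and RAT paragraphs refer to `dev-support/pmd/pmd-ruleset.xml` and `dev-support/rat/rat-exclusions.txt` without the `hadoop-ozone/` prefix used for the scripts, so the paths should be made consistent or the difference explained.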