TomMD commented on pull request #250:
URL: https://github.com/apache/shiro/pull/250#issuecomment-675565439


@bdemers The goal of Muse is to be a platform that is easy for tool authors and developers alike. For this repo it ran infer, errorprone (only the errors, not the warnings or lesser messages), and findsecbugs. There is a tool API, so if the default set isn't large enough you can bring your own tool (or just tell me what you'd like to see and I'll try to get to it).

Workflow-wise, each of these checks is run on PRs and only new bugs get posted as comments, so anything pre-existing (such as prior false positives) won't disrupt the dev workflow. Empirically, it's pretty quiet (that's by design) and comments are easy to ignore/resolve regardless of being true or false positives.

The console (details link from GitHub) is available with the full gory detail of each bug from each tool, but if they weren't commented to GitHub then they aren't relevant to the current PR.

You can make configurations to further reduce false positives. If you are familiar with a tool's configuration (e.g. infer's .inferconfig file) then that is absolutely the right place to make tool-specific adjustments. Alternatively, you can globally set which issues are ignored with a `.muse/config.toml`, filtering out the loudest issues or even disabling the noisy tools.

The false positive rate varies a lot with the code base. Looking at the results on Shiro, things appear to be decent, especially if we mute the "missing override" warning from Errorprone (`.muse/config.toml` of `ignore = ["MissingOverride"]`).

