I have used SonarQube for many years, including integrating it for the Geode
codebase in the past and using it now at my current day job, and like it a
lot. The ASF hosts a server at https://builds.apache.org/analysis/,
however, the version is quite old and does not have features such as
Quality Gating or PR decoration. There is now a cloud version at
https://sonarcloud.io, which is free for open source projects.

As Dan said, in order to make them productive, they need to be integrated
into the CI pipeline or the issues will end up as noise.

--Mark

On Tue, Jun 4, 2019 at 11:30 AM Dan Smith <dsm...@pivotal.io> wrote:

> We're currently running PMD as part of the gradle build. PMD is just
> running a couple of rules specifically to look for mutable statics. We've
> also enabled integration with lgtm to get a report -
> https://lgtm.com/projects/g/apache/geode/.
>
> I think adding more static analysis is a good idea. I'm not that particular
> about which tool(s) we are using - although maybe we should focus on open
> source tools? I do think that in order to be valuable, the static analysis
> rules need to fail the build like we're doing with spotless and PMD. So I
> think an approach of cleaning up and enforcing one rule at a time is better
> than just generating a report with a bunch of rule violations.
>
> -Dan
>
>
> On Tue, Jun 4, 2019 at 6:56 AM Peter Tran <pt...@pivotal.io> wrote:
>
> > Hi all,
> >
> > Has anyone had experience using static analysis tools such as SonarQube?
> > Were they helpful? Any favourites that worked well?
> >
> > Thanks
> >
>
