Hi, I configured the lgtm service to let it scan my hudi repository (the mirror of the official apache-hudi).

It found 50 alerts in the project. And I exported them into a file (sarif format and attached it as an attachment). We can use "sarif-web-component"[1] to view it. Generally speaking, each alert it found can show you a rule detail page.[2] However, I can not find a complete rule list.

Best,
Vino

[1]: https://microsoft.github.io/sarif-web-component/
[2]: https://lgtm.com/rules/9980075/

vino yang <[email protected]> wrote on Fri, Mar 5, 2021 at 5:33 PM:

> OK, let me try to know more about it and test it via one PR.
>
> nishith agarwal <[email protected]> wrote on Fri, Mar 5, 2021 at 2:20 AM:
>
>> I see, thanks Vino!
>>
>> "*Prevent bugs from ever making it to your project*" - That's an extremely bold statement for anyone to make :)
>>
>> Like it mentions, although it tries to reduce the false positive rate, we probably still will get some noise. Can we try it with one of the PRs to see its worth before adopting it?
>>
>> -Nishith
>>
>> On Wed, Mar 3, 2021 at 6:23 PM vino yang <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> It did not provide much public information, but gave a description on the official website:
>>>
>>> *“Prevent bugs from ever making it to your project by using automated reviews that let you know when your code changes would introduce alerts into your project. We support GitHub and Bitbucket. We put a large emphasis on reducing the false positive rate of our standard queries, so you won’t suffer from a torrent of uninteresting alerts every time someone submits code.”*
>>>
>>> From the official website, you can see that it supports mainstream programming languages: C/C++, C#, Go, Java, JavaScript, Python.
>>>
>>> I speculate that maybe it integrates some bug static scanning tools.
>>>
>>> Best,
>>> Vino
>>>
>>> nishith agarwal <[email protected]> wrote on Thu, Mar 4, 2021 at 4:43 AM:
>>>
>>>> This is a good idea @vino yang <[email protected]>
>>>>
>>>> Have you looked into what the "automated code review" actually does?
>>>>
>>>> -Nishith
>>>>
>>>> On Wed, Mar 3, 2021 at 7:38 AM vino yang <[email protected]> wrote:
>>>>
>>>>> Hi guys,
>>>>>
>>>>> I want to introduce a code analysis service called lgtm[1] in the community. Recently, in the Kylin community, I found it in my colleague's PR.[2]
>>>>>
>>>>> lgtm is a code analysis platform for finding zero-days and preventing critical vulnerabilities. Some features listed here (copied from its official website): [1]
>>>>>
>>>>> - Unparalleled security analysis;
>>>>> - Automated code review
>>>>> - Free for open source
>>>>>
>>>>> We can see that it can be integrated with GitHub[3] and exist in the form of a robot triggered by a git hook.[2]
>>>>>
>>>>> With the development of the community, more and more people participate in the development of the community, and the workload of the code review has become more onerous. Introducing it, we can use some of the existing automated scanning and analysis capabilities to make up for the lack of knowledge or experience of the reviewer.
>>>>>
>>>>> WDYT?
>>>>>
>>>>> Any thoughts and opinions are welcome and appreciated!
>>>>>
>>>>> [1]: https://lgtm.com/
>>>>> [2]: https://github.com/apache/kylin/pull/1596#issuecomment-788935493
>>>>> [3]: https://github.com/marketplace/lgtm
>>>>>
>>>>> Best,
>>>>> Vino
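The thread mentions exporting the lgtm alerts as a SARIF file and not being able to find a complete rule list. The rule list a tool applied is in fact carried inside the SARIF export itself, under each run's `tool.driver.rules`. The following is an added example (not part of the thread, and not lgtm's or Hudi's code) that reads a SARIF 2.1.0 document, rebuilds that rule catalog, counts results per rule, and resolves each result's severity the way SARIF specifies (an explicit `result.level` wins over the rule's `defaultConfiguration.level`). The SARIF document embedded below is constructed for the example, with made-up rule ids, file paths and help URLs; a real export would be passed in as a file path instead.

```python
import json
import sys
from collections import Counter

# Constructed minimal SARIF 2.1.0 document standing in for an analyzer export.
# Rule ids, descriptions, paths and URLs are invented for this example.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-analyzer",
            "rules": [
                {"id": "java/example/unused-variable",
                 "shortDescription": {"text": "Unused variable"},
                 "helpUri": "https://example.invalid/rules/1",
                 "defaultConfiguration": {"level": "note"}},
                {"id": "java/example/path-injection",
                 "shortDescription": {"text": "Uncontrolled data used in path expression"},
                 "helpUri": "https://example.invalid/rules/2",
                 "defaultConfiguration": {"level": "error"}},
            ]}},
        "results": [
            {"ruleId": "java/example/unused-variable", "ruleIndex": 0,
             "message": {"text": "Variable x is unused."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/A.java"},
                 "region": {"startLine": 10}}}]},
            {"ruleId": "java/example/unused-variable", "ruleIndex": 0,
             "message": {"text": "Variable y is unused."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/B.java"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "java/example/path-injection", "ruleIndex": 1,
             "level": "warning",  # explicit level overrides the rule default
             "message": {"text": "Path built from user input."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/C.java"},
                 "region": {"startLine": 7}}}]},
            # A result whose rule is not declared in the driver's rule list.
            # Real exports can contain these, so the summary must not crash.
            {"ruleId": "java/example/undeclared",
             "message": {"text": "No rule metadata for this one."},
             "locations": []},
        ],
    }],
})


def rule_catalog(sarif):
    """Map rule id -> metadata for every rule declared by every run's driver."""
    catalog = {}
    for run in sarif.get("runs", []):
        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
            catalog[rule["id"]] = {
                "description": rule.get("shortDescription", {}).get("text", ""),
                "help": rule.get("helpUri", ""),
                # SARIF's default when neither the rule nor the result says otherwise
                "default_level": rule.get("defaultConfiguration", {}).get("level", "warning"),
            }
    return catalog


def result_level(result, catalog):
    """An explicit result.level wins; otherwise fall back to the rule's default."""
    if "level" in result:
        return result["level"]
    return catalog.get(result.get("ruleId"), {}).get("default_level", "warning")


def first_location(result):
    """Render the first physical location as 'uri:line', or a placeholder."""
    for loc in result.get("locations", []):
        phys = loc.get("physicalLocation", {})
        uri = phys.get("artifactLocation", {}).get("uri")
        if uri:
            return f"{uri}:{phys.get('region', {}).get('startLine', '?')}"
    return "<no location>"


def summarize(sarif_text):
    """Return (rows per rule sorted by hit count, individual findings)."""
    sarif = json.loads(sarif_text)
    catalog = rule_catalog(sarif)
    counts = Counter()
    findings = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            rid = result.get("ruleId", "<no ruleId>")
            counts[rid] += 1
            findings.append((rid, result_level(result, catalog), first_location(result),
                             result.get("message", {}).get("text", "")))
    rows = []
    for rid, n in counts.most_common():
        meta = catalog.get(rid)
        rows.append({"rule": rid, "count": n,
                     "default_level": meta["default_level"] if meta else "warning",
                     "description": meta["description"] if meta else "(undeclared rule)",
                     "help": meta["help"] if meta else ""})
    return rows, findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    rows, findings = summarize(text)
    for r in rows:
        print(f"{r['count']:4d}  {r['default_level']:<8} {r['rule']}  {r['description']}  {r['help']}")
    for rid, level, where, msg in findings:
        print(f"  [{level}] {where}: {msg} ({rid})")
```

Run it as `python sarif_summary.py export.sarif` to get the per-rule table (rule id, default level, description, help link) followed by each finding; the rule table is the "complete rule list" for that export, though it only lists rules the tool chose to declare, so results for undeclared rules are reported as such rather than dropped.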
