[
https://issues.apache.org/jira/browse/CAMEL-22752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18052817#comment-18052817
]
Pasquale Congiusti commented on CAMEL-22752:
--------------------------------------------
I have dedicated some time to this one. Besides adding the coverage from the
existing execution, I think we cannot do much more. The problem is that we
cannot expose the sonar security token on a PR for security reasons. That would
be the best solution, as it would report exactly the quality gate check we may
include in a PR comment.
Due to this limitation, the only viable alternative would be to include a few
static maven plugins (spotbugs, pmd, errorprone, jacoco check) which could
provide some useful metrics to report back to the PR comment. However, this
would execute the checks on the entire project, not incrementally. Also, given the
very wide integration of external components in a big framework such as Camel, it
will likely produce an exaggerated number of false positives, turning the tool
into something useless.
The best thing to do at this stage is to better understand how to extend the
awareness about the evolution of the Sonarqube report. For example, we can send a
monthly email reporting the status of the thing.
> [build] send message with merge sonar check failure
> ---------------------------------------------------
>
> Key: CAMEL-22752
> URL: https://issues.apache.org/jira/browse/CAMEL-22752
> Project: Camel
> Issue Type: Improvement
> Components: build system
> Reporter: Pasquale Congiusti
> Assignee: Pasquale Congiusti
> Priority: Major
> Fix For: 4.x
>
>
> Right now, when we merge a PR, the commit triggers a Sonarqube analysis. The
> analysis is also showing a report which can be verified, for example
> something like https://github.com/apache/camel/runs/57072611015:
> {code}
> Quality Gate failed
> Failed conditions
> 125 Security Hotspots
> 0.0% Coverage on New Code (required ≥ 80%)
> 12.7% Duplication on New Code (required ≤ 3%)
> E Reliability Rating on New Code (required ≥ A)
> See analysis details on SonarQube Cloud
> {code}
> This information is however overlooked, as we don't receive it as a normal
> message. We may think of either using it during a PR with a quality gate check, or
> at least expect the information to be sent to contributors so they are aware of the
> potential introduction of quality degradation or potential
> bugs/vulnerabilities.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
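As an added example (not code from the Camel project or from this Jira thread), the Python below parses the quality gate text quoted in the issue and renders it as the kind of notification message the issue asks for; the sample report and the run URL are constructed, and the `≥`/`≤` condition format is assumed to be exactly as shown in the issue.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the quality gate block as it appears in the CI job summary.
SAMPLE_REPORT = """\
Quality Gate failed
Failed conditions
125 Security Hotspots
0.0% Coverage on New Code (required ≥ 80%)
12.7% Duplication on New Code (required ≤ 3%)
E Reliability Rating on New Code (required ≥ A)
See analysis details on SonarQube Cloud
"""

# "<value> <metric> (required <op> <threshold>)"; the requirement part is optional
# because some lines (e.g. Security Hotspots) carry no explicit threshold.
CONDITION_RE = re.compile(
    r"^(?P<value>[\d.]+%?|[A-E])\s+(?P<metric>.+?)"
    r"(?:\s+\(required\s+(?P<op>[≥≤])\s+(?P<threshold>[\d.]+%?|[A-E])\))?$"
)

def parse_quality_gate(text: str) -> Tuple[str, List[Dict[str, str]]]:
    """Return the gate status ('failed'/'passed'/'unknown') and the failed conditions."""
    status, conditions, in_conditions = "unknown", [], False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        low = line.lower()
        if low.startswith("quality gate"):
            status = "failed" if "failed" in low else "passed" if "passed" in low else "unknown"
        elif low == "failed conditions":
            in_conditions = True
        elif low.startswith("see analysis details"):
            in_conditions = False  # trailing link line, not a condition
        elif in_conditions:
            m = CONDITION_RE.match(line)
            if m:  # keep only the groups that actually matched
                conditions.append({k: v for k, v in m.groupdict().items() if v is not None})
    return status, conditions

def build_message(text: str, run_url: str) -> str:
    """Render the parsed gate as a short notification body (e.g. a PR comment)."""
    status, conditions = parse_quality_gate(text)
    out = [f"SonarQube quality gate {status} for {run_url}"]
    for c in conditions:
        req = f" (required {c['op']} {c['threshold']})" if "threshold" in c else ""
        out.append(f"- {c['metric']}: {c['value']}{req}")
    return "\n".join(out)

if __name__ == "__main__":
    print(build_message(SAMPLE_REPORT, "https://example.invalid/runs/1"))
```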