yandrey321 commented on code in PR #312:
URL: https://github.com/apache/ozone-site/pull/312#discussion_r2771290477


##########
docs/08-developer-guide/03-test/05-static-analysis.md:
##########
@@ -2,8 +2,177 @@
 sidebar_label: Static Analysis
 ---
 
-# Static Analysis With SonarQube
+# Static Code Analysis
 
-**TODO:** File a subtask under 
[HDDS-9861](https://issues.apache.org/jira/browse/HDDS-9861) and complete this 
page or section.
+Apache Ozone uses static code analysis tools to identify potential bugs, code 
smells, security vulnerabilities, and other issues before they make it into 
production. SonarQube is the primary tool used for comprehensive code quality 
analysis.
 
-Document how Ozone uses SonarQube, how to access it, view results, and fix 
issues.
+## SonarQube Overview
+
+[SonarQube](https://www.sonarqube.org/) is an open-source platform for 
continuous inspection of code quality. It performs automatic reviews with 
static analysis to detect:
+
+- Bugs and logic errors
+- Code smells (maintainability issues)
+- Security vulnerabilities
+- Duplicated code
+- Test coverage gaps
+- Coding standard violations
+
+## SonarCloud for Apache Ozone
+
+Apache Ozone uses SonarCloud, a cloud-based version of SonarQube, for 
continuous code quality analysis.
+
+### Accessing SonarCloud
+
+The Ozone project's SonarCloud dashboard is publicly available at: 
https://sonarcloud.io/project/overview?id=hadoop-ozone
+
+### When Analysis Runs
+
+SonarCloud analysis is triggered automatically on:
+
+- Pull Request submissions
+- Merges to the main branch
+- Release branch creation
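
Review bot: The dashboard address under "Accessing SonarCloud" is a bare URL, while the SonarQube reference earlier in this hunk uses link syntax (`[SonarQube](https://www.sonarqube.org/)`). Suggest writing it as a Markdown link with descriptive text so both render consistently. The "When Analysis Runs" list also names three triggers with no pointer, in the lines shown here, to where they are configured. A reference to the workflow definition would let readers check the list when the CI setup changes.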

Review Comment:
   fixed



##########
docs/08-developer-guide/03-test/05-static-analysis.md:
##########
@@ -2,8 +2,177 @@
 sidebar_label: Static Analysis
 ---
 
-# Static Analysis With SonarQube
+# Static Code Analysis
 
-**TODO:** File a subtask under 
[HDDS-9861](https://issues.apache.org/jira/browse/HDDS-9861) and complete this 
page or section.
+Apache Ozone uses static code analysis tools to identify potential bugs, code 
smells, security vulnerabilities, and other issues before they make it into 
production. SonarQube is the primary tool used for comprehensive code quality 
analysis.
 
-Document how Ozone uses SonarQube, how to access it, view results, and fix 
issues.
+## SonarQube Overview
+
+[SonarQube](https://www.sonarqube.org/) is an open-source platform for 
continuous inspection of code quality. It performs automatic reviews with 
static analysis to detect:
+
+- Bugs and logic errors
+- Code smells (maintainability issues)
+- Security vulnerabilities
+- Duplicated code
+- Test coverage gaps
+- Coding standard violations
+
+## SonarCloud for Apache Ozone
+
+Apache Ozone uses SonarCloud, a cloud-based version of SonarQube, for 
continuous code quality analysis.
+
+### Accessing SonarCloud
+
+The Ozone project's SonarCloud dashboard is publicly available at: 
https://sonarcloud.io/project/overview?id=hadoop-ozone
+
+### When Analysis Runs
+
+SonarCloud analysis is triggered automatically on:
+
+- Pull Request submissions
+- Merges to the main branch
+- Release branch creation
+
+The analysis is integrated into the GitHub Actions CI workflow in 
.github/workflows/ci.yml.
+
+## Understanding SonarQube Results
+
+### Dashboard Overview
+
+The SonarCloud dashboard provides high-level metrics including:
+
+- **Quality Gate Status**: Overall pass/fail status based on quality thresholds
+- **Bugs**: Logic errors and potential runtime issues
+- **Vulnerabilities**: Security issues
+- **Code Smells**: Maintainability issues
+- **Coverage**: Percentage of code covered by tests
+- **Duplications**: Percentage of duplicated code
+
+### Issue Severity Levels
+
+SonarQube categorizes issues by severity:
+
+- **Blocker**: Issues that must be fixed immediately (risk of system failure)
+- **Critical**: High-impact issues requiring urgent attention
+- **Major**: Default severity for most issues
+- **Minor**: Low-impact issues with minimal risk
+- **Info**: Non-critical issues that represent best practice violations
+
+## Addressing SonarQube Issues
+
+### Viewing PR-Specific Issues
+
+For Pull Requests, SonarCloud posts a comment with analysis results directly 
in the PR conversation. This includes:
+
+- New issues introduced by the PR
+- Code coverage changes
+- Overall status of the quality gate
+
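
Review bot: In "When Analysis Runs", the sentence ending "GitHub Actions CI workflow in .github/workflows/ci.yml" gives the path as plain text and does not say which repository it belongs to. That is ambiguous on a page that lives under docs/ in the site repository. Suggest code-formatting the path and linking it to the workflow file. The headings "Understanding SonarQube Results" and "Addressing SonarQube Issues" say SonarQube while the body describes the SonarCloud dashboard and PR comments. Either use one name throughout or state once that SonarCloud reports use SonarQube's terminology. In the severity list, "Major: Default severity for most issues" describes how the level is assigned rather than its impact, unlike the other four entries, so a short impact description would make the list consistent.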

Review Comment:
   Fixed



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
