Re: Code scanning on github
Hello,

We have deployed a SonarQube instance hosted by SonarCloud and managed by ASF Infra [1]. It's currently linked with our CI [2] and generating reports for every build.

Unfortunately, at the moment, it is unable to provide automatic analysis of the contributions sent via PR (as in, automatically analyzing the patches for problems) due to apparent limitations in the SonarQube plugin when working w/ GitHub PRs and secrets [3].

I'll continue to work w/ INFRA to investigate a way to include this automated analysis and/or explore some alternatives for this.

1. https://sonarcloud.io/project/overview?id=apache_camel
2. https://ci-builds.apache.org/job/Camel/job/Apache%20Camel/job/main/
3. https://issues.apache.org/jira/browse/INFRA-22713

Kind regards

On Wed, Dec 8, 2021 at 12:55 PM Otavio Rodolfo Piske wrote:

> BTW, it seems that Apache has a SonarCloud account [1] [2].
> SonarCloud/SonarQube is not listed there, but it does seem to be available
> [3]. So, maybe that's something to consider as well.
>
> 1. https://cwiki.apache.org/confluence/display/INFRA/SonarQube+Analysis
> 2. https://sonarcloud.io/organizations/apache/projects
> 3. https://github.com/apps/sonarcloud
>
> On Wed, Dec 8, 2021 at 11:52 AM Otavio Rodolfo Piske wrote:
>
>> Claus, I think that it would be helpful and volunteer to help with
>> anything that is needed.
>>
>> Given the size and complexity of our code base, issues may pass through -
>> even with the attentive eyes of the community. So, for me, it's a big +1.
>>
>> Kind regards
>>
>> On Wed, Dec 8, 2021 at 9:39 AM Claus Ibsen wrote:
>>
>>> Hi
>>>
>>> I wonder if we should set up code scanning on GitHub for Apache Camel
>>> https://github.com/apache/camel/security/code-scanning
>>>
>>> And in such case which one? Should we go with the one from GitHub
>>> (CodeQL Analysis)
>>>
>>> --
>>> Claus Ibsen
>>> -
>>> http://davsclaus.com @davsclaus
>>> Camel in Action 2: https://www.manning.com/ibsen2
>>
>> --
>> Otavio R. Piske
>> http://orpiske.net
>
> --
> Otavio R. Piske
> http://orpiske.net

--
Otavio R. Piske
http://orpiske.net
Re: Code scanning on github
Actually sorry, that's just the dependabot alerts, but we should set these up as well.

To enable code scanning, you can see how it was done for CXF here: https://github.com/apache/cxf/tree/master/.github

Colm.

On Thu, Dec 9, 2021 at 3:56 PM Colm O hEigeartaigh wrote:
>
> We can enable GitHub code scanning just by filing an INFRA ticket,
> e.g. https://issues.apache.org/jira/browse/INFRA-22348
>
> Colm.
>
> On Wed, Dec 8, 2021 at 11:55 AM Otavio Rodolfo Piske wrote:
> >
> > BTW, it seems that Apache has a SonarCloud account [1] [2].
> > SonarCloud/SonarQube is not listed there, but it does seem to be available
> > [3]. So, maybe that's something to consider as well.
> >
> > 1. https://cwiki.apache.org/confluence/display/INFRA/SonarQube+Analysis
> > 2. https://sonarcloud.io/organizations/apache/projects
> > 3. https://github.com/apps/sonarcloud
> >
> > On Wed, Dec 8, 2021 at 11:52 AM Otavio Rodolfo Piske wrote:
> >
> > > Claus, I think that it would be helpful and volunteer to help with
> > > anything that is needed.
> > >
> > > Given the size and complexity of our code base, issues may pass through -
> > > even with the attentive eyes of the community. So, for me, it's a big +1.
> > >
> > > Kind regards
> > >
> > > On Wed, Dec 8, 2021 at 9:39 AM Claus Ibsen wrote:
> > >
> > >> Hi
> > >>
> > >> I wonder if we should set up code scanning on GitHub for Apache Camel
> > >> https://github.com/apache/camel/security/code-scanning
> > >>
> > >> And in such case which one? Should we go with the one from GitHub
> > >> (CodeQL Analysis)
> > >>
> > >> --
> > >> Claus Ibsen
> > >> -
> > >> http://davsclaus.com @davsclaus
> > >> Camel in Action 2: https://www.manning.com/ibsen2
> > >
> > > --
> > > Otavio R. Piske
> > > http://orpiske.net
> >
> > --
> > Otavio R. Piske
> > http://orpiske.net
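For readers who want to see what "enabling code scanning" concretely puts under .github/workflows, the following is an editor's added example of a CodeQL workflow for a Java/Maven project of Camel's shape. It is not the actual file from the CXF or Camel repositories; the default branch name, the JDK version, the Maven wrapper invocation and the cron schedule are assumptions to adjust for the project.

```yaml
# .github/workflows/codeql.yml
# Added example (not the CXF or Camel file). Assumptions: default branch "main",
# a JDK 17 build, a Maven wrapper (./mvnw) at the repo root.
name: "CodeQL"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]          # every PR gets scanned, including PRs from forks
  schedule:
    - cron: '23 4 * * 1'        # weekly full scan also picks up newly shipped queries

# Least-privilege token for the job: the only write CodeQL needs is uploading
# its SARIF results to the Security tab. Nothing here is a repository secret.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze (Java)
    runs-on: ubuntu-latest
    steps:
      # Tags are used here for readability; pinning each action to a full commit
      # SHA is the stronger supply-chain choice for a long-lived workflow.
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'     # assumption: match the project's required JDK

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: java-kotlin
          # security-extended adds lower-precision security queries to the default suite
          queries: security-extended

      # For a large multi-module Maven build, an explicit compile step is more
      # predictable than codeql-action/autobuild: CodeQL's tracer records the
      # compilation, so only modules built here end up in the database.
      - name: Build
        run: ./mvnw -B -ntp -DskipTests install

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:java-kotlin"
```

Two practical notes. On an ASF repository the workflow alone is not sufficient: results only appear once INFRA has enabled code scanning for the repo (the INFRA ticket Colm mentions). And the action authenticates with the job's automatically issued GITHUB_TOKEN, so unlike the SonarQube setup described earlier in the thread, no repository secret has to be handed to PR builds from forks in order to analyze contributions before merge.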
Re: Code scanning on github
We can enable GitHub code scanning just by filing an INFRA ticket, e.g. https://issues.apache.org/jira/browse/INFRA-22348

Colm.

On Wed, Dec 8, 2021 at 11:55 AM Otavio Rodolfo Piske wrote:
>
> BTW, it seems that Apache has a SonarCloud account [1] [2].
> SonarCloud/SonarQube is not listed there, but it does seem to be available
> [3]. So, maybe that's something to consider as well.
>
> 1. https://cwiki.apache.org/confluence/display/INFRA/SonarQube+Analysis
> 2. https://sonarcloud.io/organizations/apache/projects
> 3. https://github.com/apps/sonarcloud
>
> On Wed, Dec 8, 2021 at 11:52 AM Otavio Rodolfo Piske wrote:
>
> > Claus, I think that it would be helpful and volunteer to help with
> > anything that is needed.
> >
> > Given the size and complexity of our code base, issues may pass through -
> > even with the attentive eyes of the community. So, for me, it's a big +1.
> >
> > Kind regards
> >
> > On Wed, Dec 8, 2021 at 9:39 AM Claus Ibsen wrote:
> >
> >> Hi
> >>
> >> I wonder if we should set up code scanning on GitHub for Apache Camel
> >> https://github.com/apache/camel/security/code-scanning
> >>
> >> And in such case which one? Should we go with the one from GitHub
> >> (CodeQL Analysis)
> >>
> >> --
> >> Claus Ibsen
> >> -
> >> http://davsclaus.com @davsclaus
> >> Camel in Action 2: https://www.manning.com/ibsen2
> >
> > --
> > Otavio R. Piske
> > http://orpiske.net
>
> --
> Otavio R. Piske
> http://orpiske.net
Re: Code scanning on github
BTW, it seems that Apache has a SonarCloud account [1] [2]. SonarCloud/SonarQube is not listed there, but it does seem to be available [3]. So, maybe that's something to consider as well.

1. https://cwiki.apache.org/confluence/display/INFRA/SonarQube+Analysis
2. https://sonarcloud.io/organizations/apache/projects
3. https://github.com/apps/sonarcloud

On Wed, Dec 8, 2021 at 11:52 AM Otavio Rodolfo Piske wrote:

> Claus, I think that it would be helpful and volunteer to help with
> anything that is needed.
>
> Given the size and complexity of our code base, issues may pass through -
> even with the attentive eyes of the community. So, for me, it's a big +1.
>
> Kind regards
>
> On Wed, Dec 8, 2021 at 9:39 AM Claus Ibsen wrote:
>
>> Hi
>>
>> I wonder if we should set up code scanning on GitHub for Apache Camel
>> https://github.com/apache/camel/security/code-scanning
>>
>> And in such case which one? Should we go with the one from GitHub
>> (CodeQL Analysis)
>>
>> --
>> Claus Ibsen
>> -
>> http://davsclaus.com @davsclaus
>> Camel in Action 2: https://www.manning.com/ibsen2
>
> --
> Otavio R. Piske
> http://orpiske.net

--
Otavio R. Piske
http://orpiske.net
Re: Code scanning on github
Claus, I think that it would be helpful and volunteer to help with anything that is needed.

Given the size and complexity of our code base, issues may pass through - even with the attentive eyes of the community. So, for me, it's a big +1.

Kind regards

On Wed, Dec 8, 2021 at 9:39 AM Claus Ibsen wrote:

> Hi
>
> I wonder if we should set up code scanning on GitHub for Apache Camel
> https://github.com/apache/camel/security/code-scanning
>
> And in such case which one? Should we go with the one from GitHub
> (CodeQL Analysis)
>
> --
> Claus Ibsen
> -
> http://davsclaus.com @davsclaus
> Camel in Action 2: https://www.manning.com/ibsen2

--
Otavio R. Piske
http://orpiske.net
Code scanning on github
Hi

I wonder if we should set up code scanning on GitHub for Apache Camel
https://github.com/apache/camel/security/code-scanning

And in such case which one? Should we go with the one from GitHub (CodeQL Analysis)

--
Claus Ibsen
-
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2