Hi.
On Wed, 7 Dec 2022 at 14:11, Alex Herbert wrote:
>
> The [rng] project was signed up to LGTM.com analysis (I presume at
> their website).
I don't recall that anything had been done on our part for the analyses
of Commons repositories to appear on their web site.
> This is now being decommissioned. The underlying
> analysis engine is CodeQL and this is migrating to direct support as a
> Github action.
>
> Do we want to continue with this for [rng]? There is a PR open by
> their bot to enable it [1].
They were able to provide a (nice) graphical interface without interfering
with the repository. IMHO, this offer is thus a regression.
Gilles
>
> AFAICR the analysis has never noticed any issues. We get far more
> feedback from using the sonarcloud analysis that is run by the Jenkins
> CI build [2].
>
> I compared their recommended GH workflow to the one configured to
> [lang]. It appears mostly the same. I note that both ask for write
> permission to the security events. I do not know how this fits with
> the security policy to not publicly disclose events until reviewed and
> patched, i.e. I do not know if the security tab for the GH page is
> restricted, and where event notifications will be sent. So I do not
> want to enable this without further investigation, unless someone can
> confirm what exactly the CodeQL build analysis will do if it finds
> something.
>
> Alex
>
> [1] https://github.com/apache/commons-rng/pull/119
> [2] https://sonarcloud.io/project/overview?id=commons-rng
>
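For readers weighing the permission question raised above, here is an added example of a CodeQL workflow with the token scopes narrowed to what the two CodeQL steps need; it is not the bot's PR [1] nor the [lang] workflow, and the branch name, trigger set and `java` language are assumptions.

```yaml
name: CodeQL

on:
  push:
    branches: [ master ]        # assumption: default branch name
  pull_request:
    branches: [ master ]

# Replace the default GITHUB_TOKEN scopes with an explicit minimal set.
# security-events: write is what lets the analyze step upload its SARIF
# results to code scanning; who can see the resulting alerts is governed
# by the repository's code scanning / security settings, not by this file.
permissions:
  contents: read          # checkout and build only
  security-events: write  # required to upload analysis results

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          languages: java   # assumption: single Java codebase
      - uses: github/codeql-action/autobuild@v2
      - uses: github/codeql-action/analyze@v2
```

With an explicit `permissions` block the job cannot write to code, issues or pull requests even if the default token policy for the organisation is permissive.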