Posted to dev@hudi.apache.org by vino yang <vi...@apache.org> on 2021/03/03 15:37:45 UTC

[DISCUSS] Introduce lgtm to analyze the changes of PR and simplify the cost of code review

Hi guys,

I want to introduce a code analysis service called lgtm[1] in the
community. Recently, in the Kylin community, I found it in my colleague's
PR.[2]

lgtm is a code analysis platform for finding zero-days and preventing
critical vulnerabilities. Some features listed here (copied from its
official website): [1]


   - Unparalleled security analysis;
   - Automated code review
   - Free for open source


We can see that it can be integrated with GitHub[3] and exist in the form
of a robot triggered by a git hook.[2]

With the development of the community, more and more people participate in
the development of the community, and the workload of the code review has
become more onerous. Introducing it, we can use some of the existing
automated scanning and analysis capabilities to make up for the lack of
knowledge or experience of the reviewer.

WDYT?

Any thoughts and opinions are welcome and appreciated!

[1]: https://lgtm.com/
[2]: https://github.com/apache/kylin/pull/1596#issuecomment-788935493
[3]: https://github.com/marketplace/lgtm

Best,
Vino

Re: [DISCUSS] Introduce lgtm to analyze the changes of PR and simplify the cost of code review

Posted by vino yang <ya...@gmail.com>.
Hi,

I configured the lgtm service to let it scan my hudi repository (the mirror
of the official apache-hudi).

It found 50 alerts in the project. I exported them into a file (SARIF
format) and attached it.

We can use "sarif-web-component"[1] to view it.

Generally speaking, each alert it found can show you a rule detail page.[2]
However, I cannot find a complete rule list.

Best,
Vino

[1]: https://microsoft.github.io/sarif-web-component/
[2]: https://lgtm.com/rules/9980075/

vino yang <ya...@gmail.com> wrote on Fri, Mar 5, 2021 at 5:33 PM:

> OK, let me try to know more about it and test it via one PR.
>
> nishith agarwal <n3...@gmail.com> wrote on Fri, Mar 5, 2021 at 2:20 AM:
>
>> I see, thanks Vino!
>>
>> "Prevent bugs from ever making it to your project" - That's an
>> extremely bold statement for anyone to make :)
>>
>> Like it mentions, although it tries to reduce the false positive rate, we
>> probably still will get some noise. Can we try it with one of the PRs to
>> see its worth before adopting it?
>>
>> -Nishith
>>
>>
>> On Wed, Mar 3, 2021 at 6:23 PM vino yang <ya...@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> It did not provide much public information, but gave a description on
>>> the official website:
>>>
>>> “Prevent bugs from ever making it to your project by using automated
>>> reviews that let you know when your code changes would introduce alerts
>>> into your project. We support GitHub and Bitbucket. We put a large emphasis
>>> on reducing the false positive rate of our standard queries, so you won’t
>>> suffer from a torrent of uninteresting alerts every time someone submits
>>> code.”
>>>
>>> From the official website, you can see that it supports mainstream
>>> programming languages: C/C++, C#, Go, Java, JavaScript, Python.
>>>
>>> I speculate that maybe it integrates some static bug scanning tools.
>>>
>>> Best,
>>> Vino
>>>
>>> nishith agarwal <n3...@gmail.com> wrote on Thu, Mar 4, 2021 at 4:43 AM:
>>>
>>>> This is a good idea @vino yang <ya...@gmail.com>
>>>>
>>>> Have you looked into what the "automated code review" actually does?
>>>>
>>>> -Nishith
>>>>
>>>> On Wed, Mar 3, 2021 at 7:38 AM vino yang <vi...@apache.org> wrote:
>>>>
>>>>> Hi guys,
>>>>>
>>>>> I want to introduce a code analysis service called lgtm[1] in the
>>>>> community. Recently, in the Kylin community, I found it in my
>>>>> colleague's
>>>>> PR.[2]
>>>>>
>>>>> lgtm is a code analysis platform for finding zero-days and preventing
>>>>> critical vulnerabilities. Some features listed here (copied from its
>>>>> official website): [1]
>>>>>
>>>>>
>>>>>    - Unparalleled security analysis;
>>>>>    - Automated code review
>>>>>    - Free for open source
>>>>>
>>>>>
>>>>> We can see that it can be integrated with GitHub[3] and exist in the
>>>>> form
>>>>> of a robot triggered by a git hook.[2]
>>>>>
>>>>> With the development of the community, more and more people
>>>>> participate in
>>>>> the development of the community, and the workload of the code review
>>>>> has
>>>>> become more onerous. Introducing it, we can use some of the existing
>>>>> automated scanning and analysis capabilities to make up for the lack of
>>>>> knowledge or experience of the reviewer.
>>>>>
>>>>> WDYT?
>>>>>
>>>>> Any thoughts and opinions are welcome and appreciated!
>>>>>
>>>>> [1]: https://lgtm.com/
>>>>> [2]: https://github.com/apache/kylin/pull/1596#issuecomment-788935493
>>>>> [3]: https://github.com/marketplace/lgtm
>>>>>
>>>>> Best,
>>>>> Vino
>>>>>
>>>>
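
Triage of an export like the one attached above, as an added example that is not part of this thread and not lgtm's own code. It parses a SARIF 2.1.0 document (the format lgtm exports), summarizes the alerts by level and by rule, and compares a baseline scan of the main branch with a scan of a PR branch so that only the alerts the change introduces are reported; that is the property the quoted lgtm text promises, and it is what keeps pre-existing alerts (the 50 found here) from turning into review noise on every PR. The two SARIF documents, the rule ids, the file paths and the helpUri are constructed placeholders, not real lgtm output; the rule-page link per alert corresponds to SARIF's helpUri field on the rule.

```python
"""Summarize a SARIF export and report only the alerts a PR introduces.

Added example, not code from the thread or from lgtm. Assumes the SARIF
2.1.0 layout: runs[].results[] for alerts and runs[].tool.driver.rules[]
for rule metadata. All sample data below is constructed.
"""
import json
from collections import Counter

# ---- constructed sample input (placeholders, not real scanner output) ----
_RULES = [
    {"id": "java/example-path-injection",
     "shortDescription": {"text": "Uncontrolled data used in path expression"},
     "helpUri": "https://example.invalid/rules/PLACEHOLDER",
     "properties": {"problem.severity": "error"}},
    {"id": "java/example-unused-variable",
     "shortDescription": {"text": "Unused variable"},
     "properties": {"problem.severity": "recommendation"}},
]
PATH_MSG = "This path depends on a user-provided value."
UNUSED_MSG = "Variable 'tmp' is never read."


def _result(rule_id, level, text, uri, line):
    """Build one SARIF result object (only used to construct the samples)."""
    return {"ruleId": rule_id, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri},
                "region": {"startLine": line}}}]}


def _sarif(results):
    """Wrap results in a minimal single-run SARIF 2.1.0 document."""
    return json.dumps({"version": "2.1.0", "runs": [{
        "tool": {"driver": {"name": "example-analyzer", "rules": _RULES}},
        "results": results}]})


# Baseline: main branch has one security alert and one style alert.
BASELINE_SARIF = _sarif([
    _result("java/example-path-injection", "error", PATH_MSG,
            "hudi-common/src/main/java/Example.java", 42),
    _result("java/example-unused-variable", "note", UNUSED_MSG,
            "hudi-common/src/main/java/Example.java", 10),
])
# PR branch: the path-injection alert is fixed, the unused variable merely
# shifted two lines, and a new path-injection alert appears in another file.
PR_SARIF = _sarif([
    _result("java/example-unused-variable", "note", UNUSED_MSG,
            "hudi-common/src/main/java/Example.java", 12),
    _result("java/example-path-injection", "error", PATH_MSG,
            "hudi-utilities/src/main/java/Other.java", 7),
])


# ---- parsing and triage ----
def _rule_index(run):
    """Map rule id -> rule metadata; tools may omit the rules array entirely."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    return {r["id"]: r for r in rules}


def fingerprint(result):
    """Stable identity of an alert across commits.

    Prefer the tool's own partialFingerprints when present; otherwise fall
    back to rule + file + message, which survives line shifts (a reformat
    should not look like a new finding) but not edits to the message text.
    """
    pf = result.get("partialFingerprints")
    if pf:
        return tuple(sorted(pf.items()))
    loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
    uri = loc.get("artifactLocation", {}).get("uri", "<no file>")
    return (result.get("ruleId"), uri, result.get("message", {}).get("text", ""))


def load_results(sarif_text):
    """Flatten every run's results into the fields a reviewer triages on."""
    flat = []
    for run in json.loads(sarif_text).get("runs", []):
        rules = _rule_index(run)
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            flat.append({
                "rule_id": res.get("ruleId"),
                "level": res.get("level", "warning"),  # SARIF default when omitted
                "severity": rule.get("properties", {}).get("problem.severity", "unknown"),
                "help_uri": rule.get("helpUri"),       # the per-rule detail page
                "message": res.get("message", {}).get("text", ""),
                "uri": loc.get("artifactLocation", {}).get("uri"),
                "line": loc.get("region", {}).get("startLine"),
                "fingerprint": fingerprint(res),
            })
    return flat


def summarize(results):
    """Counts by SARIF level and by rule id: what to look at first."""
    return {"by_level": Counter(r["level"] for r in results),
            "by_rule": Counter(r["rule_id"] for r in results)}


def diff_alerts(baseline_text, pr_text):
    """Return (introduced, fixed): alerts only in the PR scan, and only in the baseline."""
    base = {r["fingerprint"]: r for r in load_results(baseline_text)}
    head = {r["fingerprint"]: r for r in load_results(pr_text)}
    introduced = [head[k] for k in head.keys() - base.keys()]
    fixed = [base[k] for k in base.keys() - head.keys()]
    return introduced, fixed


if __name__ == "__main__":
    print("baseline:", dict(summarize(load_results(BASELINE_SARIF))["by_level"]))
    introduced, fixed = diff_alerts(BASELINE_SARIF, PR_SARIF)
    for r in introduced:
        print(f"NEW   {r['rule_id']} [{r['severity']}] {r['uri']}:{r['line']} "
              f"{r['message']} ({r['help_uri']})")
    for r in fixed:
        print(f"FIXED {r['rule_id']} {r['uri']}:{r['line']}")
```

Run with two real exports in place of the constructed strings (one from the target branch, one from the PR head) and gate the PR on `introduced` only; the full `summarize` view is for the one-off backlog pass over existing alerts, where the rule-level counts show which rules are worth tuning or suppressing before the bot posts on every PR.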

Re: [DISCUSS] Introduce lgtm to analyze the changes of PR and simplify the cost of code review

Posted by vino yang <ya...@gmail.com>.
OK, let me try to know more about it and test it via one PR.

nishith agarwal <n3...@gmail.com> wrote on Fri, Mar 5, 2021 at 2:20 AM:

> I see, thanks Vino!
>
> "Prevent bugs from ever making it to your project" - That's an
> extremely bold statement for anyone to make :)
>
> Like it mentions, although it tries to reduce the false positive rate, we
> probably still will get some noise. Can we try it with one of the PRs to
> see its worth before adopting it?
>
> -Nishith
>
>
> On Wed, Mar 3, 2021 at 6:23 PM vino yang <ya...@gmail.com> wrote:
>
>> Hi,
>>
>> It did not provide much public information, but gave a description on the
>> official website:
>>
>> “Prevent bugs from ever making it to your project by using automated
>> reviews that let you know when your code changes would introduce alerts
>> into your project. We support GitHub and Bitbucket. We put a large emphasis
>> on reducing the false positive rate of our standard queries, so you won’t
>> suffer from a torrent of uninteresting alerts every time someone submits
>> code.”
>>
>> From the official website, you can see that it supports mainstream
>> programming languages: C/C++, C#, Go, Java, JavaScript, Python.
>>
>> I speculate that maybe it integrates some static bug scanning tools.
>>
>> Best,
>> Vino
>>
>> nishith agarwal <n3...@gmail.com> wrote on Thu, Mar 4, 2021 at 4:43 AM:
>>
>>> This is a good idea @vino yang <ya...@gmail.com>
>>>
>>> Have you looked into what the "automated code review" actually does?
>>>
>>> -Nishith
>>>
>>> On Wed, Mar 3, 2021 at 7:38 AM vino yang <vi...@apache.org> wrote:
>>>
>>>> Hi guys,
>>>>
>>>> I want to introduce a code analysis service called lgtm[1] in the
>>>> community. Recently, in the Kylin community, I found it in my
>>>> colleague's
>>>> PR.[2]
>>>>
>>>> lgtm is a code analysis platform for finding zero-days and preventing
>>>> critical vulnerabilities. Some features listed here (copied from its
>>>> official website): [1]
>>>>
>>>>
>>>>    - Unparalleled security analysis;
>>>>    - Automated code review
>>>>    - Free for open source
>>>>
>>>>
>>>> We can see that it can be integrated with GitHub[3] and exist in the
>>>> form
>>>> of a robot triggered by a git hook.[2]
>>>>
>>>> With the development of the community, more and more people participate
>>>> in
>>>> the development of the community, and the workload of the code review
>>>> has
>>>> become more onerous. Introducing it, we can use some of the existing
>>>> automated scanning and analysis capabilities to make up for the lack of
>>>> knowledge or experience of the reviewer.
>>>>
>>>> WDYT?
>>>>
>>>> Any thoughts and opinions are welcome and appreciated!
>>>>
>>>> [1]: https://lgtm.com/
>>>> [2]: https://github.com/apache/kylin/pull/1596#issuecomment-788935493
>>>> [3]: https://github.com/marketplace/lgtm
>>>>
>>>> Best,
>>>> Vino
>>>>
>>>

Re: [DISCUSS] Introduce lgtm to analyze the changes of PR and simplify the cost of code review

Posted by nishith agarwal <n3...@gmail.com>.
I see, thanks Vino!

"Prevent bugs from ever making it to your project" - That's an extremely
bold statement for anyone to make :)

Like it mentions, although it tries to reduce the false positive rate, we
probably still will get some noise. Can we try it with one of the PRs to
see its worth before adopting it?

-Nishith


On Wed, Mar 3, 2021 at 6:23 PM vino yang <ya...@gmail.com> wrote:

> Hi,
>
> It did not provide much public information, but gave a description on the
> official website:
>
> “Prevent bugs from ever making it to your project by using automated
> reviews that let you know when your code changes would introduce alerts
> into your project. We support GitHub and Bitbucket. We put a large emphasis
> on reducing the false positive rate of our standard queries, so you won’t
> suffer from a torrent of uninteresting alerts every time someone submits
> code.”
>
> From the official website, you can see that it supports mainstream
> programming languages: C/C++, C#, Go, Java, JavaScript, Python.
>
> I speculate that maybe it integrates some static bug scanning tools.
>
> Best,
> Vino
>
> nishith agarwal <n3...@gmail.com> wrote on Thu, Mar 4, 2021 at 4:43 AM:
>
>> This is a good idea @vino yang <ya...@gmail.com>
>>
>> Have you looked into what the "automated code review" actually does?
>>
>> -Nishith
>>
>> On Wed, Mar 3, 2021 at 7:38 AM vino yang <vi...@apache.org> wrote:
>>
>>> Hi guys,
>>>
>>> I want to introduce a code analysis service called lgtm[1] in the
>>> community. Recently, in the Kylin community, I found it in my colleague's
>>> PR.[2]
>>>
>>> lgtm is a code analysis platform for finding zero-days and preventing
>>> critical vulnerabilities. Some features listed here (copied from its
>>> official website): [1]
>>>
>>>
>>>    - Unparalleled security analysis;
>>>    - Automated code review
>>>    - Free for open source
>>>
>>>
>>> We can see that it can be integrated with GitHub[3] and exist in the form
>>> of a robot triggered by a git hook.[2]
>>>
>>> With the development of the community, more and more people participate
>>> in
>>> the development of the community, and the workload of the code review has
>>> become more onerous. Introducing it, we can use some of the existing
>>> automated scanning and analysis capabilities to make up for the lack of
>>> knowledge or experience of the reviewer.
>>>
>>> WDYT?
>>>
>>> Any thoughts and opinions are welcome and appreciated!
>>>
>>> [1]: https://lgtm.com/
>>> [2]: https://github.com/apache/kylin/pull/1596#issuecomment-788935493
>>> [3]: https://github.com/marketplace/lgtm
>>>
>>> Best,
>>> Vino
>>>
>>

Re: [DISCUSS] Introduce lgtm to analyze the changes of PR and simplify the cost of code review

Posted by vino yang <ya...@gmail.com>.
Hi,

It did not provide much public information, but gave a description on the
official website:

“Prevent bugs from ever making it to your project by using automated
reviews that let you know when your code changes would introduce alerts
into your project. We support GitHub and Bitbucket. We put a large emphasis
on reducing the false positive rate of our standard queries, so you won’t
suffer from a torrent of uninteresting alerts every time someone submits
code.”

From the official website, you can see that it supports mainstream
programming languages: C/C++, C#, Go, Java, JavaScript, Python.

I speculate that maybe it integrates some static bug scanning tools.

Best,
Vino

nishith agarwal <n3...@gmail.com> wrote on Thu, Mar 4, 2021 at 4:43 AM:

> This is a good idea @vino yang <ya...@gmail.com>
>
> Have you looked into what the "automated code review" actually does?
>
> -Nishith
>
> On Wed, Mar 3, 2021 at 7:38 AM vino yang <vi...@apache.org> wrote:
>
>> Hi guys,
>>
>> I want to introduce a code analysis service called lgtm[1] in the
>> community. Recently, in the Kylin community, I found it in my colleague's
>> PR.[2]
>>
>> lgtm is a code analysis platform for finding zero-days and preventing
>> critical vulnerabilities. Some features listed here (copied from its
>> official website): [1]
>>
>>
>>    - Unparalleled security analysis;
>>    - Automated code review
>>    - Free for open source
>>
>>
>> We can see that it can be integrated with GitHub[3] and exist in the form
>> of a robot triggered by a git hook.[2]
>>
>> With the development of the community, more and more people participate in
>> the development of the community, and the workload of the code review has
>> become more onerous. Introducing it, we can use some of the existing
>> automated scanning and analysis capabilities to make up for the lack of
>> knowledge or experience of the reviewer.
>>
>> WDYT?
>>
>> Any thoughts and opinions are welcome and appreciated!
>>
>> [1]: https://lgtm.com/
>> [2]: https://github.com/apache/kylin/pull/1596#issuecomment-788935493
>> [3]: https://github.com/marketplace/lgtm
>>
>> Best,
>> Vino
>>
>

Re: [DISCUSS] Introduce lgtm to analyze the changes of PR and simplify the cost of code review

Posted by nishith agarwal <n3...@gmail.com>.
This is a good idea @vino yang <ya...@gmail.com>

Have you looked into what the "automated code review" actually does?

-Nishith

On Wed, Mar 3, 2021 at 7:38 AM vino yang <vi...@apache.org> wrote:

> Hi guys,
>
> I want to introduce a code analysis service called lgtm[1] in the
> community. Recently, in the Kylin community, I found it in my colleague's
> PR.[2]
>
> lgtm is a code analysis platform for finding zero-days and preventing
> critical vulnerabilities. Some features listed here (copied from its
> official website): [1]
>
>
>    - Unparalleled security analysis;
>    - Automated code review
>    - Free for open source
>
>
> We can see that it can be integrated with GitHub[3] and exist in the form
> of a robot triggered by a git hook.[2]
>
> With the development of the community, more and more people participate in
> the development of the community, and the workload of the code review has
> become more onerous. Introducing it, we can use some of the existing
> automated scanning and analysis capabilities to make up for the lack of
> knowledge or experience of the reviewer.
>
> WDYT?
>
> Any thoughts and opinions are welcome and appreciated!
>
> [1]: https://lgtm.com/
> [2]: https://github.com/apache/kylin/pull/1596#issuecomment-788935493
> [3]: https://github.com/marketplace/lgtm
>
> Best,
> Vino
>