Posted to dev@geode.apache.org by Peter Tran <pt...@pivotal.io> on 2019/06/04 13:56:31 UTC

Static Analysis Tools such as SonarQube or others?

Hi all,

Has anyone had experience using static analysis tools such as SonarQube?
Were they helpful? And favourites that worked well?

Thanks

Re: Static Analysis Tools such as SonarQube or others?

Posted by Charlie Black <cb...@pivotal.io>.
Recommend run them all - It will at least enable the broader community to
work on what is most important to them.

On Wed, Jun 5, 2019 at 7:58 AM Peter Tran <pt...@pivotal.io> wrote:

> From Dan:
> > So I think an approach of cleaning up and enforcing one rule at a time is
> > better than just generating a report with a bunch of rule violations.
>
> Yes - Love this idea!


-- 
Charlie Black | cblack@pivotal.io

Re: Static Analysis Tools such as SonarQube or others?

Posted by Peter Tran <pt...@pivotal.io>.
From Dan:
> So I think an approach of cleaning up and enforcing one rule at a time is
> better than just generating a report with a bunch of rule violations.

Yes - Love this idea!



On Tue, Jun 4, 2019 at 4:46 PM Charlie Black <cb...@pivotal.io> wrote:

> I used SonarQube on a project; it helped the team see where to focus on next.
> The reports that it generates are extremely useful to help see how the
> code progresses over time across the many dimensions.

Re: Static Analysis Tools such as SonarQube or others?

Posted by Charlie Black <cb...@pivotal.io>.
I used SonarQube on a project; it helped the team see where to focus on next.
The reports that it generates are extremely useful to help see how the
code progresses over time across the many dimensions.


On Tue, Jun 4, 2019 at 12:46 PM Mark Bretl <mb...@apache.org> wrote:

> I have used SonarQube for many years, including integrating for the Geode
> codebase in the past and using it now at my current day job, and like it a
> lot. The ASF hosts a server at https://builds.apache.org/analysis/;
> however, the version is quite old and does not have features such as
> Quality Gating or PR decoration. There is now a cloud version at
> https://sonarcloud.io, which is free for open source projects.
>
> As Dan said, in order to make them productive, they need to be integrated
> into the CI pipeline or the issues will end up as noise.
>
> --Mark


-- 
Charlie Black | cblack@pivotal.io

Re: Static Analysis Tools such as SonarQube or others?

Posted by Mark Bretl <mb...@apache.org>.
I have used SonarQube for many years, including integrating for the Geode
codebase in the past and using it now at my current day job, and like it a
lot. The ASF hosts a server at https://builds.apache.org/analysis/;
however, the version is quite old and does not have features such as
Quality Gating or PR decoration. There is now a cloud version at
https://sonarcloud.io, which is free for open source projects.

As Dan said, in order to make them productive, they need to be integrated
into the CI pipeline or the issues will end up as noise.

--Mark

On Tue, Jun 4, 2019 at 11:30 AM Dan Smith <ds...@pivotal.io> wrote:

> We're currently running PMD as part of the gradle build. PMD is just
> running a couple of rules specifically to look for mutable statics. We've
> also enabled integration with lgtm to get a report -
> https://lgtm.com/projects/g/apache/geode/.
>
> I think adding more static analysis is a good idea. I'm not that particular
> about which tool(s) we are using - although maybe we should focus on open
> source tools? I do think that in order to be valuable, the static analysis
> rules need to fail the build like we're doing with spotless and PMD. So I
> think an approach of cleaning up and enforcing one rule at a time is better
> than just generating a report with a bunch of rule violations.
>
> -Dan

Re: Static Analysis Tools such as SonarQube or others?

Posted by Dan Smith <ds...@pivotal.io>.
We're currently running PMD as part of the gradle build. PMD is just
running a couple of rules specifically to look for mutable statics. We've
also enabled integration with lgtm to get a report -
https://lgtm.com/projects/g/apache/geode/.

I think adding more static analysis is a good idea. I'm not that particular
about which tool(s) we are using - although maybe we should focus on open
source tools? I do think that in order to be valuable, the static analysis
rules need to fail the build like we're doing with spotless and PMD. So I
think an approach of cleaning up and enforcing one rule at a time is better
than just generating a report with a bunch of rule violations.

-Dan


On Tue, Jun 4, 2019 at 6:56 AM Peter Tran <pt...@pivotal.io> wrote:

> Hi all,
>
> Has anyone had experience using static analysis tools such as SonarQube?
> Were they helpful? And favourites that worked well?
>
> Thanks
>
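
Added example, not part of the thread or of Geode's build: a sketch of the "enforce one rule at a time, and fail the build" approach described above, applied to a PMD XML report. The sample report, the rule names in it, and the function names are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample shaped like a PMD XML report; rule names are placeholders.
SAMPLE_REPORT = """<pmd xmlns="http://pmd.sourceforge.net/report/2.0.0" version="6.0.0">
  <file name="src/main/java/example/Cache.java">
    <violation beginline="12" rule="MutableStatic" priority="1">mutable static field</violation>
    <violation beginline="40" rule="UnusedPrivateField" priority="3">unused field</violation>
  </file>
  <file name="src/main/java/example/Util.java">
    <violation beginline="7" rule="UnusedPrivateField" priority="3">unused field</violation>
  </file>
</pmd>"""


def _local(tag):
    """Strip the XML namespace so the gate works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def gate(report_xml, enforced):
    """Split violations into blocking (enforced rules) and advisory counts per rule."""
    blocking, advisory = [], Counter()
    for file_el in ET.fromstring(report_xml).iter():
        if _local(file_el.tag) != "file":
            continue
        for v in file_el:
            if _local(v.tag) != "violation":
                continue
            rule = v.get("rule", "unknown")
            if rule in enforced:
                blocking.append((file_el.get("name"), int(v.get("beginline", 0)), rule))
            else:
                advisory[rule] += 1
    return blocking, advisory


def next_rule_to_enforce(advisory):
    """Suggest the not-yet-enforced rule with the fewest violations to clean up next."""
    return min(advisory, key=lambda r: (advisory[r], r)) if advisory else None


if __name__ == "__main__":
    blocking, advisory = gate(SAMPLE_REPORT, enforced={"MutableStatic"})
    for path, line, rule in blocking:
        print(f"BLOCKING {rule}: {path}:{line}")
    print("advisory:", dict(advisory), "next:", next_rule_to_enforce(advisory))
    sys.exit(1 if blocking else 0)  # non-zero exit fails the CI step
```

Rules outside the enforced set are only counted, so the report stays informational until a rule is cleaned up and added to the set.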