ci: Integrate SonarCloud #573
@qleisan @mlasch @sbernard31 @sbertin-telular Would like to hear your opinions on this.
I never did that, but if we want to, I guess I need to ask the Eclipse webmaster for permission (see https://bugs.eclipse.org/bugs/show_bug.cgi?id=572407).
No strong opinion on it. I didn't play so much with Sonar, so I guess I cannot give you relevant feedback.
I think there are two aspects:
Branch force-pushed from 153d4fb to 8663bab.
Branch force-pushed from 8663bab to 3b4ffb7.
I just rebased the branch. Now that I have committer permission, I think I am able to open the relevant issues in the Eclipse Bugzilla myself. @sbernard31 Given I am taking care of the initial (just me) and ongoing maintenance (adjusting rules, help with findings in PRs, etc.), would you be OK with moving forward?
🎉 @rettichschnidi Should you get feedback from other members of the team before opening Bugzilla?
@qleisan @mlasch @sbernard31 @sbertin-telular Any feedback regarding my proposal?
Pushed this branch to my wakaama fork repo and got SonarCloud to execute (after setup).

The findings do already exist in the master code, but since master never got scanned, those show up now for the first time, causing the PR to get rejected. Looking good (as expected) to me. I intend to triage those findings in the master branch (in SonarCloud), but can do so only once this PR got merged.
LGTM. I'm in favor of using SonarCloud.
Looks very promising 👍
Branch force-pushed from c778bba to 94acd13.
@sbernard31 We are facing some issues with the setup of SonarCloud. Can I please get your +1 so that I can get temporary admin permissions on this repository to debug/fix the issue?
@rettichschnidi, done. Sorry for the delay, but I was out of office yesterday. By the way, this will probably happen often during April/May because I will work something like 3 days per week during this period (too many days off accumulated 😬).
Branch force-pushed from cadfcdf to 8f11561.
This will give us detailed coverage and static code analysis for every push. To enable the integration, take the following steps:
- Log in to https://sonarcloud.io/ using your GitHub account
- Visit https://sonarcloud.io/projects/create, add Wakaama (fairly self-explanatory)
- Create a PR in your repository to verify the integration

PRs do not get checked because it is tricky to do it in a secure fashion:
- https://jira.sonarsource.com/browse/MMF-1371
- https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

Signed-off-by: Reto Schneider <code@reto-schneider.ch>
Branch force-pushed from 8f11561 to f83bb20.
Not a problem at all - enjoy your time!
Turns out that running SonarCloud for arbitrary external PRs cannot be done in a secure fashion [1][2]. I will change my PR to run the analysis only on commits, not on PRs. I might come up with an improvement which allows committers to selectively run PRs using a combination of pull_request_target [3] and labels [2], but this will take a while and will be a separate PR. [1] https://jira.sonarsource.com/browse/MMF-1371
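To make the push-only design concrete, here is an added example workflow (not the project's own file; the secret name `SONAR_TOKEN`, the branch name and the build commands are assumptions) that scans only trusted commits, with the label-gated PR variant from the comment above noted as a caveat:

```yaml
# Added example, not Wakaama's workflow. SonarCloud analysis is triggered only by
# pushes to the main branch, so code from an untrusted fork never runs with the
# repository's secrets.
name: SonarCloud
on:
  push:
    branches: [master]   # assumed main branch name
  # Deliberately no `pull_request` trigger: SonarCloud needs SONAR_TOKEN, and
  # fork PRs must not get it (MMF-1371). Deliberately no `pull_request_target`
  # either: that event does expose secrets, so building a PR's own code under it
  # is exactly the "pwn request" pattern the linked GitHub Security Lab post warns about.

jobs:
  sonarcloud:
    runs-on: ubuntu-latest
    env:
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}   # assumed secret name, set by a committer
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0   # full history so SonarCloud can tell new code from old

      # Build under the SonarSource build-wrapper so the C/C++ analyser sees the
      # compile commands, then upload the results. Download/setup of the two
      # tools and the exact build line are assumptions for this example.
      - name: Build and analyse
        run: |
          build-wrapper-linux-x86-64 --out-dir bw-output make
          sonar-scanner \
            -Dsonar.cfamily.build-wrapper-output=bw-output \
            -Dsonar.host.url=https://sonarcloud.io

# Possible follow-up mentioned in the PR discussion (not implemented here): a
# separate workflow on `pull_request_target` gated by a committer-applied label,
# e.g.  if: contains(github.event.pull_request.labels.*.name, 'safe-to-scan')
# Because that event still runs with the base repository's secrets, the label
# must only be applied after a committer has read the PR's build changes;
# otherwise the secret-exposure risk above simply comes back.
```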
Found by SonarCloud. Signed-off-by: Reto Schneider <code@reto-schneider.ch>
SonarCloud has complained before. Signed-off-by: Reto Schneider <code@reto-schneider.ch>
As found by SonarCloud. Signed-off-by: Reto Schneider <code@reto-schneider.ch>
Branch force-pushed from f83bb20 to b7bb296.
This will give us detailed coverage and static code analysis on every code push, which includes the most recent commit in master.
It also allows us to enforce certain code quality attributes. Example analysis of the current master:
Please note:
To enable the integration for your own fork, take the following steps: