Upgrade to Gradle 8.8 and cleanup build

build.gradle

@@ -1,101 +1,11 @@
-///// ################ SONARCLOUD PLUGIN #############################
-///////// MANUAL SONAR ////// triggered with ./gradlew sonar
-// plugins {
-//     id 'java-library'
-//     id 'maven-publish'
-//     id "org.sonarqube" version "3.0"
-// }
-// apply plugin: "org.sonarqube"
-
-///////// update below keys and project name based on OCI
-// sonarqube {
-//   properties {
-//     property "sonar.projectKey", "oci-labs_check-ins"
-//     property "sonar.organization", "oci-labs"
-//     property "sonar.host.url", "https://sonarcloud.io"
-//     property "sonar.login", "76d54e72c4fbab6a5d7928cc95e2e9248986b1c5"
-//   }
-// }
-
-/////// AUTOMATIC SONAR ///////// commit or pull requests trigger analysis
 plugins {
-    id 'java-library'
-    id 'maven-publish'
-    id "jacoco"
-    id "java"
-    id "org.sonarqube" version "3.5.0.2730"
-}
-
-
-sonarqube {
-    properties {
-        property "sonar.sourceEncoding", "UTF-8"
-    }
+    id "org.sonarqube" version "5.0.0.4638"
 }
 
-project(":server") {
-    assemble {
-        dependsOn ":web-ui:assemble"
-    }
-    sonarqube {
-        properties {
-            property "sonar.coverage.jacoco.xmlReportPaths", "build/reports/jacoco/test/jacocoTestReport.xml"
-            property "sonar.cpd.exclusions", "**/*DTO.java"
-        }
-    }
+tasks.named("sonarqube") {
+    dependsOn ":web-ui:yarn_run_coverage", ":server:jacocoTestReport"
 }
 
-project(":web-ui") {
-    sonarqube {
-        properties {
-            property "sonar.sources", "src/"
-            property "sonar.exclusions", "**/*.stories.js,**/*.test.js,**/*.spec.js,**/*.stories.jsx,**/*.test.jsx,**/*.spec.jsx"
-            property "sonar.coverage.exclusions", "**/*.stories.js,**/*.test.js,**/*.spec.js,**/*.stories.jsx,**/*.test.jsx,**/*.spec.jsx"
-            property "sonar.javascript.lcov.reportPaths", "coverage/lcov.info"
-        }
-    }
-}
-
-project.tasks["sonarqube"].dependsOn ":web-ui:yarn_run_coverage", ":server:jacocoTestReport"
-////// ################### SONARCLOUD PLUGIN END#########################
-
-
-//plugins {
-//    id 'java-library'
-//    id 'maven-publish'
-//}
-
-// task test {
-
-// }
-
-
-// task check {
-
-// }
-
-publishing {
-     publications {
-        checkInsProject(MavenPublication) {
-            version "0.7.0"
-            group "com.objectcomputing.checkins"         
-            from components.java
-
-        }
-    }
-
-    repositories {
-        maven {
-            name = "CheckInsProject"
-            url = "https://maven.pkg.github.com/objectcomputing/check-ins"
-            credentials {
-            username = System.getenv("GITHUB_ACTOR")!=null?System.getenv("GITHUB_ACTOR"):"OCI-LABS"
-            password = System.getenv("GITHUB_TOKEN")!=null?System.getenv("GITHUB_TOKEN"):"OCI-LABS"
-            }
-        }
-    }
+tasks.named("sonar") {
+    dependsOn ":web-ui:yarn_run_coverage", ":server:jacocoTestReport"
 }
-
-
-
-

docs/getting-started/static-analysis/index.md

@@ -0,0 +1,96 @@
+---
+title: Static Analysis
+parent: Getting Started
+nav_order: 4
+---
+
+# Introduction
+
+We have integrated the build with the Sonar static analysis tools to gain information on code coverage, code quality, and other metrics.
+
+# Running Sonarqube locally
+
+To run a local development copy of Sonar, you will need to have Docker installed on your machine. You can run the following command to start a local instance of Sonar:
+
+```shell
+docker run -d --name sonarqube -p 9000:9000 sonarqube
+```
+
+This starts the latest version of sonarqube in a container named `sonarqube` and exposes it on port 9000.
+It takes a couple of minutes to become available after running the command.
+When it is ready, the logs will show `SonarQube is operational`.
+
+# Setting up Sonar
+
+Navigate to [http://localhost:9000](http://localhost:9000) in your browser and login with the default credentials `admin`/`admin`.
+
+![empty login screen](login.png)
+
+You will be prompted to change the default password.
+After changing the password, you will be taken to the empty Sonar dashboard.
+
+![empty dashboard](dashboard.png)
+
+Click "Create a local project", and give it the name and key of `check-ins`.
+Then click `Next`, select `Use the Global setting`, and then click `Create Project`.
+
+![choose locally analysis method](method.png)
+
+Choose `Locally` for the analysis method, then on the next screen click `Generate` to create a token.
+Then select `Gradle` as the build description and you will be presented with the command to run the analysis.
+
+![run analysis](run.png)
+
+Copy the command to your clipboard, and run it in a terminal in the checkins project directory.
+
+```shell
+❯ ./gradlew sonar \
+  -Dsonar.projectKey=check-ins \
+  -Dsonar.projectName='check-ins' \
+  -Dsonar.host.url=http://localhost:9000 \
+  -Dsonar.token=<<token>>
+
+...snip...
+
+...runs all the tests...
+
+BUILD SUCCESSFUL in 4m 27s
+13 actionable tasks: 8 executed, 5 up-to-date
+```
+
+And the browser will then show the results of the analysis.
+
+![analysis results](results.png)
+
+# Actioning the results
+
+## Issues
+
+Some results will be actual issues that should be fixed, more are likely false positives.
+False positives can be annotated in the source with something similar to:
+
+```java
+@SuppressWarnings("java:S116") // All caps naming makes the code here easier to read 
+```
+
+The comment helps people understand what the suppression was addressing, as otherwise it may not be clear when it can be removed when and if the code changes.
+
+Multiple suppressions can be added on different lines with comments and a trailing comma:
+
+```java
+@SuppressWarnings({
+        "java:S116", // All caps naming makes the code here easier to read
+        "java:S117", // Some other comment about this suppression
+}) 
+```
+
+## Security Hotspots
+
+Security hotspots are areas of the code that may be vulnerable to attack.
+These should be reviewed and fixed as necessary.
+False positives are also possible here.
+
+## Coverage
+Coverage should not been seen as a 100% target.
+To get to 100%, you need to write brittle tests that have prior knowledge of the internal machinery or make use of excessive mocking.
+In my experience, more than 70% coverage is a good target to aim for.

gradle/wrapper/gradle-wrapper.properties

@@ -1,5 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.8-bin.zip
+networkTimeout=10000
+validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists

gradlew

@@ -55,7 +55,7 @@
 #       Darwin, MinGW, and NonStop.
 #
 #   (3) This script is generated from the Groovy template
-#       https://github.com/gradle/gradle/blob/master/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
+#       https://github.com/gradle/gradle/blob/HEAD/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
 #       within the Gradle project.
 #
 #       You can find Gradle at https://github.com/gradle/gradle/.
@@ -80,13 +80,11 @@ do
     esac
 done
 
-APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
-
-APP_NAME="Gradle"
+# This is normally unused
+# shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
-
-# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
-DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
+# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
+APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
@@ -133,22 +131,29 @@ location of your Java installation."
     fi
 else
     JAVACMD=java
-    which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+    if ! command -v java >/dev/null 2>&1
+    then
+        die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
 
 Please set the JAVA_HOME variable in your environment to match the
 location of your Java installation."
+    fi
 fi
 
 # Increase the maximum file descriptors if we can.
 if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then
     case $MAX_FD in #(
       max*)
+        # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked.
+        # shellcheck disable=SC2039,SC3045
         MAX_FD=$( ulimit -H -n ) ||
             warn "Could not query maximum file descriptor limit"
     esac
     case $MAX_FD in  #(
       '' | soft) :;; #(
       *)
+        # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked.
+        # shellcheck disable=SC2039,SC3045
         ulimit -n "$MAX_FD" ||
             warn "Could not set maximum file descriptor limit to $MAX_FD"
     esac
@@ -193,18 +198,28 @@ if "$cygwin" || "$msys" ; then
     done
 fi
 
-# Collect all arguments for the java command;
-#   * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of
-#     shell script including quotes and variable substitutions, so put them in
-#     double quotes to make sure that they get re-expanded; and
-#   * put everything else in single quotes, so that it's not re-expanded.
+
+# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
+
+# Collect all arguments for the java command:
+#   * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
+#     and any embedded shellness will be escaped.
+#   * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be
+#     treated as '${Hostname}' itself on the command line.
 
 set -- \
         "-Dorg.gradle.appname=$APP_BASE_NAME" \
         -classpath "$CLASSPATH" \
         org.gradle.wrapper.GradleWrapperMain \
         "$@"
 
+# Stop when "xargs" is not available.
+if ! command -v xargs >/dev/null 2>&1
+then
+    die "xargs is not available"
+fi
+
 # Use "xargs" to parse quoted args.
 #
 # With -n1 it outputs one arg per line, with the quotes and backslashes removed.

gradlew.bat

@@ -14,7 +14,7 @@
 @rem limitations under the License.
 @rem
 
-@if "%DEBUG%" == "" @echo off
+@if "%DEBUG%"=="" @echo off
 @rem ##########################################################################
 @rem
 @rem  Gradle startup script for Windows
@@ -25,7 +25,8 @@
 if "%OS%"=="Windows_NT" setlocal
 
 set DIRNAME=%~dp0
-if "%DIRNAME%" == "" set DIRNAME=.
+if "%DIRNAME%"=="" set DIRNAME=.
+@rem This is normally unused
 set APP_BASE_NAME=%~n0
 set APP_HOME=%DIRNAME%
 
@@ -40,13 +41,13 @@ if defined JAVA_HOME goto findJavaFromJavaHome
 
 set JAVA_EXE=java.exe
 %JAVA_EXE% -version >NUL 2>&1
-if "%ERRORLEVEL%" == "0" goto execute
+if %ERRORLEVEL% equ 0 goto execute
 
-echo.
-echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
-echo.
-echo Please set the JAVA_HOME variable in your environment to match the
-echo location of your Java installation.
+echo. 1>&2
+echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2
+echo. 1>&2
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
+echo location of your Java installation. 1>&2
 
 goto fail
 
@@ -56,11 +57,11 @@ set JAVA_EXE=%JAVA_HOME%/bin/java.exe
 
 if exist "%JAVA_EXE%" goto execute
 
-echo.
-echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
-echo.
-echo Please set the JAVA_HOME variable in your environment to match the
-echo location of your Java installation.
+echo. 1>&2
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2
+echo. 1>&2
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
+echo location of your Java installation. 1>&2
 
 goto fail
 
@@ -75,13 +76,15 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
 
 :end
 @rem End local scope for the variables with windows NT shell
-if "%ERRORLEVEL%"=="0" goto mainEnd
+if %ERRORLEVEL% equ 0 goto mainEnd
 
 :fail
 rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
 rem the _cmd.exe /c_ return code!
-if  not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
-exit /b 1
+set EXIT_CODE=%ERRORLEVEL%
+if %EXIT_CODE% equ 0 set EXIT_CODE=1
+if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE%
+exit /b %EXIT_CODE%
 
 :mainEnd
 if "%OS%"=="Windows_NT" endlocal