Hello!
I took some time to upload a first analysis of our Java-based projects to SonarCloud [1]. This is just experimentation at this point, but there are a few interesting findings that should be corrected.
What's missing:
- run the analysis regularly, so that we can see trends
- host it on our own infrastructure instead of depending on SonarCloud
- some discussion on whether we agree with the metrics / issues
- lot more
Have fun!
Guillaume
[1] https://sonarcloud.io/organizations/wmftest/projects
I just looked at the reports—and specifically at the suggestions it makes on code I'm familiar with—and while I'm not sure all of the issues warrant fixing, a lot of them are obviously valid improvements. It's also good to have code coverage reports for our plugins.
So, it probably had the effect you desired, in that I now want to write some more tests.
Trey Jones Sr. Software Engineer, Search Platform Wikimedia Foundation
On Fri, Oct 26, 2018 at 11:37 AM Guillaume Lederrey glederrey@wikimedia.org wrote:
Hello!
I took some time to upload a first analysis of our Java-based projects to SonarCloud [1]. This is just experimentation at this point, but there are a few interesting findings that should be corrected.
What's missing:
- run the analysis regularly, so that we can see trends
- host it on our own infrastructure instead of depending on SonarCloud
- some discussion on whether we agree with the metrics / issues
- lot more
Have fun!
Guillaume
[1] https://sonarcloud.io/organizations/wmftest/projects
-- Guillaume Lederrey Operations Engineer, Search Platform Wikimedia Foundation UTC+2 / CEST
Discovery mailing list Discovery@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/discovery
Hi!
I took some time to upload a first analysis of our Java-based projects to SonarCloud [1]. This is just experimentation at this point, but there are a few interesting findings that should be corrected.
I took a look at it, and it looks interesting, but I think we do need some discussion about the issues it is highlighting and prioritization (I think it is getting some things wrong, but I won't get into it here so we could have proper discussion).
Otherwise, it looks great, but I really feel this needs separation between projects - right now everything is in one place and it looks messy. We need some separation between e.g. CirrusSearch, WDQS and elastic plugins. It would be nice if we could define different profiles for different projects - the same issue may be more relevant in Java than PHP, and in a remotely accessible server more than a maintenance script.
I also wonder how customizable this is - i.e. can we have a button that would automatically create a Phab task? Would it be realistic to use it in CI for ensuring there are no high-level issues? I may have more ideas about this, depending on how scriptable/customizable this is. But even if it's not, I think it would be useful.
Thanks a lot for doing this - I feel this will be an awesome addition to our toolkit!
On Fri, Oct 26, 2018 at 9:08 PM Stas Malyshev smalyshev@wikimedia.org wrote:
Hi!
I took some time to upload a first analysis of our Java-based projects to SonarCloud [1]. This is just experimentation at this point, but there are a few interesting findings that should be corrected.
I took a look at it, and it looks interesting, but I think we do need some discussion about the issues it is highlighting and prioritization (I think it is getting some things wrong, but I won't get into it here so we could have proper discussion).
At the moment, the analysis is using the default "sonar way" profiles. I also disagree with some of their decisions, so yes, discussion is definitely needed!
Otherwise, it looks great, but I really feel this needs separation between projects - right now everything is in one place and it looks messy. We need some separation between e.g. CirrusSearch, WDQS and elastic plugins.
I'm not sure what you mean. All the projects are visible in the main dashboard, but you can then dig into each project separately.
It would be nice if we could define different profiles for different projects - the same issue may be more relevant in Java than PHP, and in a remotely accessible server more than a maintenance script.
The profiles are already different by language, but they are all the default profiles, coming from SonarSource. They can be refined, inherited, multiplied, etc, ad infinitum. What is usually done is to have a generic profile per language at organisation level, and then refine it (add or remove rules) per team. I'm not entirely sure what would make most sense for us, but there are lots of possibilities. I also think we need to push a bit further into making sure the tool works for our workflows before investing in customising profiles.
I also wonder how customizable this is - i.e. can we have a button that would automatically create a Phab task? Would it be realistic to use it in CI for ensuring there are no high-level issues? I may have more ideas about this, depending on how scriptable/customizable this is. But even if it's not, I think it would be useful.
There is a lot of customization possible, a lot of existing plugins (it looks like there are a few about Phabricator integration, but I don't have experience with them). The first question is what kind of workflow we want. There are discussions on that topic in the code health metrics working group, feel free to join!
My thoughts are that integration with Gerrit would be more interesting than opening issues in Phab. Ideally, we should have SonarQube be a reviewer, leaving inline comments where it detects new issues. And leave the responsibility to the human reviewer of choosing what to do with them.
We could also have discussions about quality gates, but that would be more interesting with some examples.
Thanks a lot for doing this - I feel this will be an awesome addition to our toolkit!
-- Stas Malyshev smalyshev@wikimedia.org
On 2018-10-26 at 22:32:05 +0200, Guillaume Lederrey wrote:
My thoughts are that integration with Gerrit would be more interesting than opening issues in Phab. Ideally, we should have SonarQube be a reviewer, leaving inline comments where it detects new issues. And leave the responsibility to the human reviewer of choosing what to do with them.
https://plugins.jenkins.io/sonar-gerrit or so :) Definitely options.