On Fri, Oct 26, 2018 at 9:08 PM Stas Malyshev <smalyshev(a)wikimedia.org> wrote:
Hi!
I took some time to upload a first analysis of our Java-based projects
to SonarCloud [1]. This is just experimentation at this point, but
there are a few interesting findings that should be corrected.
I took a look at it, and it looks interesting, but I think we do need
some discussion about the issues it is highlighting and prioritization
(I think it is getting some things wrong, but I won't get into it here
so we could have proper discussion).
At the moment, the analysis is using the default "sonar way" profiles.
I also disagree with some of their decisions, so yes, discussion is
definitely needed!
Otherwise, it looks great, but I really feel this needs separation
between projects - right now everything is in one place and it looks
messy. We need some separation between e.g. CirrusSearch, WDQS and
elastic plugins.
I'm not sure what you mean. All the projects are visible in the main
dashboard, but you can then dig into each project separately.
It would be nice if we could define different profiles
for different projects - same issue may be more relevant in Java than
PHP and in remotely accessible server more than a maintenance script.
The profiles are already different by language, but they are all the
default profiles, coming from SonarSource. They can be refined,
inherited, multiplied, etc, ad infinitum. What is usually done is to
have a generic profile per language at organisation level, and then
refine it (add or remove rules) per team. I'm not entirely sure what
would make most sense for us, but there are lots of possibilities. I
also think we need to push a bit further into making sure the tool
works for our workflows before investing in customising profiles.
I also wonder how customizable this is - i.e. can we have a button that
would automatically create a Phab task? Would it be realistic to use it in
CI for ensuring there are no high-level issues? I may have more ideas
about this, depending on how scriptable/customizable this is. But even
if it's not, I think it would be useful.
There is a lot of customization possible, a lot of existing plugins
(it looks like there are a few about Phabricator integration, but I
don't have experience with them). The first question is what kind of
workflow we want. There are discussions on that topic in the code
health metrics working group, feel free to join!
My thoughts are that integration with Gerrit would be more interesting
than opening issues in Phab. Ideally, we should have SonarQube be a
reviewer, leaving inline comments where it detects new issues. And
leave the responsibility to the human reviewer of choosing what to do
with them.
We could also have discussions about quality gates, but that would be
more interesting with some examples.
Thanks a lot for doing this - I feel this will be an awesome addition to
our toolkit!
--
Stas Malyshev
smalyshev(a)wikimedia.org
--
Guillaume Lederrey
Operations Engineer, Search Platform
Wikimedia Foundation
UTC+2 / CEST