<div dir="ltr">Message below cross posted from <a href="mailto:ops@lists.wikimedia.org">ops@lists.wikimedia.org</a>.<div><br></div><div>Seems that the discussion might be interesting to QA team as well.</div><div><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Guillaume Lederrey</b> <span dir="ltr"><<a href="mailto:glederrey@wikimedia.org">glederrey@wikimedia.org</a>></span><br>Date: Fri, Feb 5, 2016 at 10:43 AM<br>Subject: SonarQube and Puppet<br>To: <a href="mailto:ops@lists.wikimedia.org">ops@lists.wikimedia.org</a><br>Cc: David Racodon <<a href="mailto:david.racodon@gmail.com">david.racodon@gmail.com</a>><br><br><br><div dir="ltr">Hello all !<div><br></div><div>Since I'm fairly new here, I still have a few idea coming from my former life. Time to expose some of them before I forget them...</div><div><br></div><div>While trying to familiarize myself a bit with our Puppet code base, I did run a SonarQube analysis on it. And I remembered having a few discussion about SonarQube during my interview process. So, short presentation:</div><div><br></div><div>SonarQube is an amazing project to manage code quality. It supports a long list of languages, from Java to PHP, from Cobol to ABAP. And of course Puppet [1] (even if that support is still a bit young).</div><div><br></div><div>First things first, how to try it? Of course, docker [2] is our friend (tested myself with v4.5.6). Or David Racodon has a simple package [3] to test the puppet support.</div><div><br></div><div><br></div><div>**Why do we need SonarQube, we already have puppet-lint, rspec-puppet, cucumber-puppet, ...**</div><div><br></div><div>1) SonarQube rules go a bit further than puppet-lint. For example the DuplicateHashKeys rule [4] has no equivalent in puppet-lint and a few violations on our code base that are clear indication of a problem. Note that all puppet-lint rules have been re implemented in the SonarQube plugin. Rules about code complexity, code duplication and quite a few other metrics are also available.</div><div><br></div><div>2) Holistic view of code quality (yes, I know, big words). SonarQube web interface provides a good way to compare quality of projects, to dig into specific issues, keep track of evolution over time. Much richer than a build time check that either pass or fail.</div><div><br></div><div>3) Actually help you improve. A binary check like puppet-lint (or other similar tools) gives you a very simple feedback, you're good or you're not. Reality is usually more complex. We have existing code base which have a history. We might not want to fix all issues right now (after all, our current code is in production, so it is probably mostly good enough) but we want to improve on the long term. We want to introduce new checks, higher quality standards, but not stop everything while we are improving our standards. SonarQube gives us "quality gates", where we define rules about what is good enough. And those rules can be differential. For example: "quality gate passes if the commit does not introduce any new issue (I don't care about existing issues)".</div><div><br></div><div><br></div><div>**Do we need SonarQube at WMF**</div><div><br></div><div>Honestly, I don't know enough about how we manage Puppet (or other code) to have an opinion on this (yet). I have not seen anything scary in my code analysis. You tell me...</div><div><br></div><div><br></div><div>**Disclaimer**</div><div><br></div><div>I have worked with David (the author of the Puppet plugin for SonarQube) for some time. He has convinced me, perverted me and all those things about code quality. Beside being a Nice Guy (tm) he is Pretty Smart (c) and knows SonarQube fairly well. He might be available for a chat if anyone is interested.</div><div><br></div><div><br></div><div>**Note on testing on Docker**</div><div><br></div><div>The Docker image provided by SonarQube only contains a minimal set of plugins. To add Puppet support, go to the web interface (<a href="https://localhost:9000" target="_blank">https://localhost:9000</a>, user: admin, pwd: admin) look for the update center and add the Puppet plugin. Restart required. You'll need to install sonar-runner [5] locally.</div><div><br></div><div><br></div><div><br></div><div>[1] <a href="https://github.com/iwarapter/sonar-puppet" target="_blank">https://github.com/iwarapter/sonar-puppet</a></div><div>[2] <a href="https://hub.docker.com/_/sonarqube/" target="_blank">https://hub.docker.com/_/sonarqube/</a></div><div>[3] <a href="https://github.com/racodond/package-test-sonarqube-puppet" target="_blank">https://github.com/racodond/package-test-sonarqube-puppet</a></div><div>[4] <a href="https://github.com/iwarapter/sonar-puppet/blob/master/puppet-checks/src/main/resources/org/sonar/l10n/pp/rules/puppet/DuplicatedHashKeys.html" target="_blank">https://github.com/iwarapter/sonar-puppet/blob/master/puppet-checks/src/main/resources/org/sonar/l10n/pp/rules/puppet/DuplicatedHashKeys.html</a></div><div>[5] <a href="http://central.maven.org/maven2/org/codehaus/sonar/runner/sonar-runner-dist/2.4/sonar-runner-dist-2.4.zip" target="_blank">http://central.maven.org/maven2/org/codehaus/sonar/runner/sonar-runner-dist/2.4/sonar-runner-dist-2.4.zip</a></div><div><br></div></div>
</div><br></div></div>