I spot checked 10 of the issues it found. Of those, I think maybe 1 was a good fix and that one was quite minor (suggesting a private constructor in a static utility class). Maybe 2 more were arguably something we should do, but they weren't slam dunks and could be disputed. The rest were bad ideas or actively wrong; e.g. claiming that a variable could be null and thus throw a null pointer exception at a point where it had already been checked for null.
I vote a strong no on this proposal. At this level of reliability, it's just going to waste our time.

On Thu, Jan 2, 2025 at 5:47 PM Gerd Aschemann <g...@aschemann.net> wrote:
>
> I have quickly started to analyze core/maven:
>
> https://sonarcloud.io/summary/overall?id=support-and-care_maven&branch=master
>
> As this project (and almost all of the other Maven projects) does not have any (JaCoCo) test coverage you can only see static analysis results.
>
> > On 2. Jan 2025, at 14:19, Elliotte Rusty Harold <elh...@ibiblio.org> wrote:
> >
> > Can we have some examples of the output? I'd want close to zero false positives and no log junk before doing this.
> >
> > Generally static analysis is useful on a one-off basis, but there are rapidly diminishing returns for running it on the same codebase.
> >
> > On Thu, Jan 2, 2025 at 1:10 PM Konrad Windszus <k...@apache.org> wrote:
> >>
> >> Hi,
> >> Maven currently does not leverage SonarQube analysis (nor any other static code analysis). Although onboarding currently requires one INFRA ticket per repo (https://cwiki.apache.org/confluence/pages/viewpage.action?spaceKey=INFRA&title=SonarCloud+for+ASF+projects) this is a one-time action and the benefits from my PoV outweigh the efforts.
> >>
> >> The UI exposes important metrics (look e.g. at https://sonarcloud.io/summary/new_code?id=apache_jackrabbit-filevault-package-maven-plugin&branch=master) and there is also integration in GitHub PRs (https://docs.sonarsource.com/sonarqube-cloud/improving/pull-request-analysis/) and IDEs (https://docs.sonarsource.com/sonarqube-cloud/improving/sonarlint/). In addition one can configure quality gates with regards to code coverage or issues (https://docs.sonarsource.com/sonarqube-cloud/improving/quality-gates/).
> >>
> >> Leveraging this would improve the code quality and give some pointers on PR quality.
> >>
> >> WDYT about enabling this for https://github.com/apache/maven?
> >>
> >> Regards,
> >> Konrad
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> >> For additional commands, e-mail: dev-h...@maven.apache.org
> >>
> >
> > --
> > Elliotte Rusty Harold
> > elh...@ibiblio.org
>
> --
> Gerd Aschemann --- Publishing means changing (Carmen Thomas)
> +49/173/3264070 -- g...@aschemann.net -- http://www.aschemann.net

--
Elliotte Rusty Harold
elh...@ibiblio.org