I spot checked 10 of the issues it found. Of those, I think maybe 1
was a good fix and that one was quite minor (suggesting a private
constructor in a static utility class). Maybe 2 more were arguably
something we should do, but they weren't slam dunks and could be
disputed. The rest were bad ideas or actively wrong; e.g. claiming
that a variable could be null and thus throw a null pointer exception
at a point where it had already been checked for null.

I vote a strong no on this proposal. At this level of reliability,
it's just going to waste our time.


On Thu, Jan 2, 2025 at 5:47 PM Gerd Aschemann <g...@aschemann.net> wrote:
>
> I have quickly started to analyze core/maven:
>
> https://sonarcloud.io/summary/overall?id=support-and-care_maven&branch=master
>
> As this project (and almost all of the other Maven projects) does not have
> any (JaCoCo) test coverage, you can only see static analysis results.
>
> > On 2. Jan 2025, at 14:19, Elliotte Rusty Harold <elh...@ibiblio.org> wrote:
> >
> > Can we have some examples of the output? I'd want close to zero false
> > positives and no log junk before doing this.
> >
> > Generally static analysis is useful on a one-off basis, but there are
> > rapidly diminishing returns for running it on the same codebase.
> >
> >
> >
> > On Thu, Jan 2, 2025 at 1:10 PM Konrad Windszus <k...@apache.org> wrote:
> >>
> >> Hi,
> >> Maven currently does not leverage SonarQube analysis (nor any other static
> >> code analysis). Although onboarding currently requires one INFRA ticket
> >> per repo
> >> (https://cwiki.apache.org/confluence/pages/viewpage.action?spaceKey=INFRA&title=SonarCloud+for+ASF+projects),
> >> this is a one-time action and the benefits from my PoV outweigh the
> >> efforts.
> >>
> >> The UI exposes important metrics (look e.g. at 
> >> https://sonarcloud.io/summary/new_code?id=apache_jackrabbit-filevault-package-maven-plugin&branch=master)
> >>  and there is also integration in GitHub PRs 
> >> (https://docs.sonarsource.com/sonarqube-cloud/improving/pull-request-analysis/)
> >>  and IDEs 
> >> (https://docs.sonarsource.com/sonarqube-cloud/improving/sonarlint/). In 
> >> addition one can configure quality gates with regards to code coverage or 
> >> issues 
> >> (https://docs.sonarsource.com/sonarqube-cloud/improving/quality-gates/).
> >>
> >> Leveraging this would improve the code quality and give some pointers on
> >> PR quality.
> >> WDYT about enabling this for https://github.com/apache/maven?
> >>
> >> Regards,
> >> Konrad
> >>
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> >> For additional commands, e-mail: dev-h...@maven.apache.org
> >>
> >
> >
> > --
> > Elliotte Rusty Harold
> > elh...@ibiblio.org
> >
> >
>
> --
> Gerd Aschemann --- Publishing means changing (Carmen Thomas)
> +49/173/3264070 -- g...@aschemann.net -- http://www.aschemann.net
>


--
Elliotte Rusty Harold
elh...@ibiblio.org
