Re: Sonar for the Django project

2016-09-14 Thread Ivan Sevastoyanov
Hello, Here is my blog post about setting up SonarQube. I think it takes about 15 minutes, so you can run it yourself if you want (and if you have time of course). Have a good day! Regards, Ivan On Friday, S

Re: Sonar for the Django project

2016-09-09 Thread Ivan Sevastoyanov
Hello, I installed some older versions of SonarQube and unfortunately the rules are not the same and the report generated is not full. But I reviewed the issues and I did not find any security issues or something that is absolutely critical. There are 40 major issues that are marked as bugs. M

Re: Sonar for the Django project

2016-09-06 Thread Ivan Sevastoyanov
Hello, I'm back from vacation. @Hanne Moa - As far as I know, you can skip packages, files and everything can be customized. It's the same with the rules. I did not prioritize the Sonar rules - they are the default ones and Sonar is detecting not only possible bugs and issues but code sme

Re: Sonar for the Django project

2016-09-05 Thread James Bennett
On Wed, Aug 31, 2016 at 10:55 AM, Alex Gaynor wrote: > If these are what qualifies as critical, I don't think this is a good use > of our time. > > > Agreed. If those are the critical things, then either Django is really really good, or there are things it's missing. I suspect there are things it

Re: Sonar for the Django project

2016-09-05 Thread Alex Gaynor
If these are what qualifies as critical, I don't think this is a good use of our time. Alex On Wed, Aug 31, 2016 at 1:50 PM, Ivan Sevastoyanov < ivan.sevastoya...@gmail.com> wrote: > >

Re: Sonar for the Django project

2016-09-05 Thread Aymeric Augustin
Hello Ivan, Given that both Django and Sonar are open-source, anyone should be able to reproduce your results easily… If there are security issues, please email them to secur...@djangoproject.com instead of publishing them. That’ll make them a bit less easy t

Re: Sonar for the Django project

2016-09-05 Thread Hanne Moa
Is there a way to ignore django.utils.dateformat? That code is very straight forward, and it is not supposed to be called manually by humans. I can't see how a "fix" would improve things. Munging the second string in the getattr? Adding "upper" and "lower" or something similar to each method-name?

Re: Sonar for the Django project

2016-09-03 Thread Ivan Sevastoyanov
Hi, I'm on vacation and far from my PC now so it's possible that I'll not be able to answer some of the questions. @Sergei - Sonar can be applied the same way you have Jenkins. It will be easier to track some issues immediately. Sonar combines all the rules from pylint, pep8 plus some other r

Re: Sonar for the Django project

2016-09-03 Thread Curtis Maloney
If there will be sweeping commits to remove six and other py2 concessions, can the cleaning be included then? On 4 September 2016 9:38:05 AM AEST, Sergei Maertens wrote: >I kind of like these reports, since they can take away some of the >early >review work. I would put it on the same level as

Re: Sonar for the Django project

2016-09-03 Thread Sergei Maertens
I kind of like these reports, since they can take away some of the early review work. I would put it on the same level as the `isort` checks we have now. On the other hand, adapting the existing codebase to 'resolve' these code smells will introduce quite some 'stupid' commits, so it might be bes

Re: Sonar for the Django project

2016-08-31 Thread Ivan Sevastoyanov
I'm posting the 11 criticals. In my opinion, they are not critical, they are just code smells. I will try to export the report so you can review the major issue

Re: Sonar for the Django project

2016-08-31 Thread Tim Graham
Any security issues should be reported to secur...@djangoproject.com, otherwise it's fine to share the information here. On Wednesday, August 31, 2016 at 2:25:55 AM UTC-4, Ivan Sevastoyanov wrote: > > All the rules are with a default severity so there might be some major > issues that it's worth

Re: Sonar for the Django project

2016-08-30 Thread Ivan Sevastoyanov
All the rules are with a default severity so there might be some major issues that are worth reviewing. I will post the critical issues this evening because I'm at work now. Do you want to post them somewhere else because it's sensitive information? I will try to find out how to export

Re: Sonar for the Django project

2016-08-30 Thread Tim Graham
Perhaps you could tell us about some of the critical issues so we could get a sense for that. On Tuesday, August 30, 2016 at 4:26:42 PM UTC-4, Ivan Sevastoyanov wrote: > > >

Re: Sonar for the Django project

2016-08-30 Thread Ivan Sevastoyanov
That is the report from Sonar with all the rules included. Unfortunately, I cannot export it as a PDF or some more convenient format. I can describe all the steps

Re: Sonar for the Django project

2016-08-28 Thread Ivan Sevastoyanov
OK, I will try to do that on my machine and will post the results here (because frankly speaking I haven't done it before on my own). I don't know when I will have enough time to do it but I guess 3 to 4 days. Regards, Ivan On Sunday, August 28, 2016 at 11:16:57 PM UTC+3, Aymeric Augustin wrote

Re: Sonar for the Django project

2016-08-28 Thread Aymeric Augustin
On 28 Aug 2016, at 21:43, Ivan Sevastoyanov wrote: > My question is do you consider using SonarQube for code quality analysis, > static analysis and find bugs because it's able to do that. I guess that depends on the signal / noise ratio in the things SonarQube flags. Perhaps you could do an

Re: Sonar for the Django project

2016-08-28 Thread Ivan Sevastoyanov
My mistake. I had to ask with more details. My question is do you consider using SonarQube for code quality analysis, static analysis and finding bugs, because it's able to do that. I am asking for the Django project as a whole. Sonar can track the commits and show you if there are added some "code

Re: Sonar for the Django project

2016-08-28 Thread Aymeric Augustin
On 28 Aug 2016, at 20:46, Ivan Sevastoyanov wrote: > Do you consider using SonarQube (or something similar) for code quality > analysis? Hello Ivan, Generally speaking, there isn’t a lot of demand for code changes with no impact on functionality, especially as first time contributions. Such