|
Hello all,
We here at the LF Release Engineering team are working on a move from hosted SonarQube instances to the cloud-based Sonarcloud service. To that end, there is currently a proposed change to all Sonar jobs that would move them to Sonarcloud: https://git.opendaylight.org/gerrit/c/releng/builder/+/85644
Sonarcloud has more features and better language support than SonarQube, and it will remove the hosting and maintenance costs associated with the SonarQube server. Our plan is to decommission the SonarQube server about a month after we make the move to Sonarcloud.
Currently, the only projects showing results are those that have run and passed on the sandbox. Once the change is merged, all projects will show results after their next successful run.
You may notice that while quantitative numbers like code coverage and duplication haven't changed, the number of bugs/vulnerabilities/code smells may have changed significantly (most likely an increase). This is due to Sonarcloud using much more up-to-date Quality Profiles than ODL's SonarQube instance, so this should be considered an improvement in results (even though I understand that it can be a pain to suddenly have a backlog of issues where there were few or none before). These profiles can be customized, so if anyone sees something coming up that absolutely should not be in the results, we can remove it from the Quality Profile.
Please let me know if you have any questions, or if you'd like to bring this up for discussion during the next TSC meeting. Note: ovsdb is using a custom Sonar template. This will need to be changed to work with Sonarcloud, or (preferably) changed to use global-jjb templates. If there's something our global-jjb jobs do not currently support, we should be able to add that functionality.
Eric Ball Release Engineer The Linux Foundation
|
|
|
On 06/11/2019 23:01, Eric Ball wrote:
You can view the OpenDaylight Sonarcloud page
here: https://sonarcloud.io/organizations/opendaylight/projects
Currently, the only projects showing results are those that have run and
passed on the sandbox. Once the change is merged, all projects will show
results after their next successful run.
You may notice that while quantitative numbers like code coverage and
duplication haven't changed, the number of bugs/vulnerabilities/code
smells may have changed significantly (most likely an increase). This is
due to Sonarcloud using much more up-to-date Quality Profiles than ODL's
SonarQube instance, so this should be considered an improvement in
results (even though I understand that it can be a pain to suddenly have
a backlog of issues where there were few or none before). These profiles
can be customized, so if anyone sees something coming up that absolutely
should not be in the results, we can remove it from the Quality Profile.
Please let me know if you have any questions, or if you'd like to bring
this up for discussion during the next TSC meeting.
Another thing: there seems to be no historical data available. I would hate to lose the 4+ years of data accumulated in https://sonar.opendaylight.org/dashboard?id=org.opendaylight.yangtools%3Ayangtools-aggregator. What is being done about that? Regards, Robert
|
|
|
All: I'm going to abandon the previously-linked patch request, and break it out into separate commits by project.
Robert: I've updated the Sonarcloud user permissions to match SonarQube, where all registered users can administer issues. As for the history import, it is not supported. We will have to leave the history behind.
On Wed, Nov 6, 2019 at 3:24 PM Robert Varga < nite@...> wrote: On 06/11/2019 23:01, Eric Ball wrote:
>
> You can view the OpenDaylight Sonarcloud page
> here: https://sonarcloud.io/organizations/opendaylight/projects
> Currently, the only projects showing results are those that have run and
> passed on the sandbox. Once the change is merged, all projects will show
> results after their next successful run.
>
> You may notice that while quantitative numbers like code coverage and
> duplication haven't changed, the number of bugs/vulnerabilities/code
> smells may have changed significantly (most likely an increase). This is
> due to Sonarcloud using much more up-to-date Quality Profiles than ODL's
> SonarQube instance, so this should be considered an improvement in
> results (even though I understand that it can be a pain to suddenly have
> a backlog of issues where there were few or none before). These profiles
> can be customized, so if anyone sees something coming up that absolutely
> should not be in the results, we can remove it from the Quality Profile.
>
> Please let me know if you have any questions, or if you'd like to bring
> this up for discussion during the next TSC meeting.
Another thing: there seems to be no historical data available. I would
hate to lose the 4+ years of data accumulated in
https://sonar.opendaylight.org/dashboard?id=org.opendaylight.yangtools%3Ayangtools-aggregator.
What is being done about that?
Regards,
Robert
|
|
|
Andrew Grimberg
On 11/6/19 2:40 PM, Eric Ball wrote: All: I'm going to abandon the previously-linked patch request, and break it out into separate commits by project.
Robert: I've updated the Sonarcloud user permissions to match SonarQube, where all registered users can administer issues. As for the history import, it is not supported. We will have to leave the history behind. A couple of notes about this: 1) Registered users are going to be users that are logging into SonarCloud using a GitHub account that is associated with the OpenDaylight GitHub organization. We presently have no quick and easy way of figuring out what those identities are so we'll have to do it on a case by case basis right now. 2) We're pushing for this change for a few of reasons. a) This gives the project a fully up to date version Sonar and it will stay up to date since this is being maintained by SonarSource itself. b) It reduces costs to the projects (we're pushing for this across the board everywhere) as it removes a server and a database from the support equation. Since we're being pushed hard by the different boards to reduce costs where possible this is a low hanging fruit type of change. Yes y'all will lose the historical data, there isn't much we can do about that in this case since there is no ability to import data from SonarQube into SonarCloud. -Andy- On Wed, Nov 6, 2019 at 3:24 PM Robert Varga <nite@... <mailto:nite@...>> wrote:
On 06/11/2019 23:01, Eric Ball wrote:
>
> You can view the OpenDaylight Sonarcloud page
> here: https://sonarcloud.io/organizations/opendaylight/projects
> Currently, the only projects showing results are those that have
run and
> passed on the sandbox. Once the change is merged, all projects
will show
> results after their next successful run.
>
> You may notice that while quantitative numbers like code coverage and
> duplication haven't changed, the number of bugs/vulnerabilities/code
> smells may have changed significantly (most likely an increase).
This is
> due to Sonarcloud using much more up-to-date Quality Profiles
than ODL's
> SonarQube instance, so this should be considered an improvement in
> results (even though I understand that it can be a pain to
suddenly have
> a backlog of issues where there were few or none before). These
profiles
> can be customized, so if anyone sees something coming up that
absolutely
> should not be in the results, we can remove it from the Quality
Profile.
>
> Please let me know if you have any questions, or if you'd like to
bring
> this up for discussion during the next TSC meeting.
Another thing: there seems to be no historical data available. I would
hate to lose the 4+ years of data accumulated in
https://sonar.opendaylight.org/dashboard?id=org.opendaylight.yangtools%3Ayangtools-aggregator.
What is being done about that?
Regards,
Robert
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#12184): https://lists.opendaylight.org/g/TSC/message/12184
Mute This Topic: https://lists.opendaylight.org/mt/44622856/517193
Group Owner: TSC+owner@...
Unsubscribe: https://lists.opendaylight.org/g/TSC/unsub [agrimberg@...]
-=-=-=-=-=-=-=-=-=-=-=-
-- Andrew J Grimberg Manager Release Engineering The Linux Foundation
|
|
|
Hi Abhijit:
Please add this thread to the week's TSC call agenda and possibly take a vote on this.
1. ODL Projects needs to vote (+1) before each of these change can be merged on releng/builder. 2. Agree upon a time when Sonarcube ( https://sonar.opendaylight.org) can be decommissioned. Please note, Sonarcloud has better features and language support than SonarQube, and also remove the hosting and maintenance costs associated with the SonarQube server.
Anil
On Thu, Nov 7, 2019 at 8:02 AM Eric Ball < eball@...> wrote: Hello all,
We here at the LF Release Engineering team are working on a move from hosted SonarQube instances to the cloud-based Sonarcloud service. To that end, there is currently a proposed change to all Sonar jobs that would move them to Sonarcloud: https://git.opendaylight.org/gerrit/c/releng/builder/+/85644
Sonarcloud has more features and better language support than SonarQube, and it will remove the hosting and maintenance costs associated with the SonarQube server. Our plan is to decommission the SonarQube server about a month after we make the move to Sonarcloud.
Currently, the only projects showing results are those that have run and passed on the sandbox. Once the change is merged, all projects will show results after their next successful run.
You may notice that while quantitative numbers like code coverage and duplication haven't changed, the number of bugs/vulnerabilities/code smells may have changed significantly (most likely an increase). This is due to Sonarcloud using much more up-to-date Quality Profiles than ODL's SonarQube instance, so this should be considered an improvement in results (even though I understand that it can be a pain to suddenly have a backlog of issues where there were few or none before). These profiles can be customized, so if anyone sees something coming up that absolutely should not be in the results, we can remove it from the Quality Profile.
Please let me know if you have any questions, or if you'd like to bring this up for discussion during the next TSC meeting. Note: ovsdb is using a custom Sonar template. This will need to be changed to work with Sonarcloud, or (preferably) changed to use global-jjb templates. If there's something our global-jjb jobs do not currently support, we should be able to add that functionality.
Eric Ball Release Engineer The Linux Foundation
Links: You receive all messages sent to this group.
View/Reply Online (#12181): https://lists.opendaylight.org/g/TSC/message/12181
Mute This Topic: https://lists.opendaylight.org/mt/44622856/1278122
Group Owner: TSC+owner@...
Unsubscribe: https://lists.opendaylight.org/g/TSC/unsub [abelur@...]
-=-=-=-=-=-=-=-=-=-=-=-
|
|
|
Sure. Keeping the release mailing list in the loop as it requires action by the projects/PTLs.
On Tue, Nov 12, 2019 at 4:28 PM Anil Belur < abelur@...> wrote: Hi Abhijit:
Please add this thread to the week's TSC call agenda and possibly take a vote on this.
1. ODL Projects needs to vote (+1) before each of these change can be merged on releng/builder. 2. Agree upon a time when Sonarcube ( https://sonar.opendaylight.org) can be decommissioned. Please note, Sonarcloud has better features and language support than SonarQube, and also remove the hosting and maintenance costs associated with the SonarQube server.
Anil
On Thu, Nov 7, 2019 at 8:02 AM Eric Ball < eball@...> wrote: Hello all,
We here at the LF Release Engineering team are working on a move from hosted SonarQube instances to the cloud-based Sonarcloud service. To that end, there is currently a proposed change to all Sonar jobs that would move them to Sonarcloud: https://git.opendaylight.org/gerrit/c/releng/builder/+/85644
Sonarcloud has more features and better language support than SonarQube, and it will remove the hosting and maintenance costs associated with the SonarQube server. Our plan is to decommission the SonarQube server about a month after we make the move to Sonarcloud.
Currently, the only projects showing results are those that have run and passed on the sandbox. Once the change is merged, all projects will show results after their next successful run.
You may notice that while quantitative numbers like code coverage and duplication haven't changed, the number of bugs/vulnerabilities/code smells may have changed significantly (most likely an increase). This is due to Sonarcloud using much more up-to-date Quality Profiles than ODL's SonarQube instance, so this should be considered an improvement in results (even though I understand that it can be a pain to suddenly have a backlog of issues where there were few or none before). These profiles can be customized, so if anyone sees something coming up that absolutely should not be in the results, we can remove it from the Quality Profile.
Please let me know if you have any questions, or if you'd like to bring this up for discussion during the next TSC meeting. Note: ovsdb is using a custom Sonar template. This will need to be changed to work with Sonarcloud, or (preferably) changed to use global-jjb templates. If there's something our global-jjb jobs do not currently support, we should be able to add that functionality.
Eric Ball Release Engineer The Linux Foundation
Links: You receive all messages sent to this group.
View/Reply Online (#12181): https://lists.opendaylight.org/g/TSC/message/12181
Mute This Topic: https://lists.opendaylight.org/mt/44622856/1278122
Group Owner: TSC+owner@...
Unsubscribe: https://lists.opendaylight.org/g/TSC/unsub [abelur@...]
-=-=-=-=-=-=-=-=-=-=-=-
|
|
|
On 13/11/2019 01:28, Anil Belur wrote: Hi Abhijit:
Please add this thread to the week's TSC call agenda and possibly take a
vote on this.
1. ODL Projects needs to vote (+1) before each of these change can be
merged on releng/builder.
https://git.opendaylight.org/gerrit/c/releng/builder/+/85644 That patch has been abandoned for a per-project migration (on Andy's request). Furthermore, as I noted in the review, we really should duplicate the sonar jobs, so we can actually evaluate how the projects work with SonarCloud before ... 2. Agree upon a time when Sonarcube (https://sonar.opendaylight.org
<https://sonar.opendaylight.org/>) can be decommissioned. Please note,
Sonarcloud has better features and language support than SonarQube, and
also remove the hosting and maintenance costs associated with the
SonarQube server. ... we decide on this. Regards, Robert
Thanks,
Anil
On Thu, Nov 7, 2019 at 8:02 AM Eric Ball <eball@...
<mailto:eball@...>> wrote:
Hello all,
We here at the LF Release Engineering team are working on a move
from hosted SonarQube instances to the cloud-based Sonarcloud
service. To that end, there is currently a proposed change to all
Sonar jobs that would move them to
Sonarcloud: https://git.opendaylight.org/gerrit/c/releng/builder/+/85644
Sonarcloud has more features and better language support than
SonarQube, and it will remove the hosting and maintenance costs
associated with the SonarQube server. Our plan is to decommission
the SonarQube server about a month after we make the move to Sonarcloud.
You can view the OpenDaylight Sonarcloud page
here: https://sonarcloud.io/organizations/opendaylight/projects
Currently, the only projects showing results are those that have run
and passed on the sandbox. Once the change is merged, all projects
will show results after their next successful run.
You may notice that while quantitative numbers like code coverage
and duplication haven't changed, the number of
bugs/vulnerabilities/code smells may have changed significantly
(most likely an increase). This is due to Sonarcloud using much more
up-to-date Quality Profiles than ODL's SonarQube instance, so this
should be considered an improvement in results (even though I
understand that it can be a pain to suddenly have a backlog of
issues where there were few or none before). These profiles can be
customized, so if anyone sees something coming up that absolutely
should not be in the results, we can remove it from the Quality Profile.
Please let me know if you have any questions, or if you'd like to
bring this up for discussion during the next TSC meeting.
Note: ovsdb is using a custom Sonar template. This will need to be
changed to work with Sonarcloud, or (preferably) changed to use
global-jjb templates. If there's something our global-jjb jobs do
not currently support, we should be able to add that functionality.
Eric Ball
Release Engineer
The Linux Foundation
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#12181):
https://lists.opendaylight.org/g/TSC/message/12181
Mute This Topic: https://lists.opendaylight.org/mt/44622856/1278122
Group Owner: TSC+owner@...
<mailto:TSC%2Bowner@...>
Unsubscribe: https://lists.opendaylight.org/g/TSC/unsub
[abelur@... <mailto:abelur@...>]
-=-=-=-=-=-=-=-=-=-=-=-
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#12218): https://lists.opendaylight.org/g/TSC/message/12218
Mute This Topic: https://lists.opendaylight.org/mt/44622856/1320659
Group Owner: TSC+owner@...
Unsubscribe: https://lists.opendaylight.org/g/TSC/unsub [nite@...]
-=-=-=-=-=-=-=-=-=-=-=-
|
|
|
To get this moving again, I've tested all of the Sonar jobs that are currently passing for SonarQube on the prod Jenkins. There were a few failures, but they appear to be related to something missing from the sandbox (presumably credentials, though I'm not familiar enough with the jobs to say for sure. Any assistance would be appreciated), since the SonarQube versions of the jobs that pass on prod also fail (I labeled the runs of these jobs as "Sonarcloud build" and "SonarQube build" for clarity. All passing jobs are Sonarcloud). The fact that they all work the same is no surprise; moving from SonarQube to Sonarcloud makes essentially no difference to how the scans work. It's really just a change of where the results are going.
To view (and hopefully review) the open code changes, please see here:
On Wed, Nov 13, 2019 at 12:51 AM Robert Varga < nite@...> wrote:
On 13/11/2019 01:28, Anil Belur wrote:
> Hi Abhijit:
>
> Please add this thread to the week's TSC call agenda and possibly take a
> vote on this.
>
> 1. ODL Projects needs to vote (+1) before each of these change can be
> merged on releng/builder.
> https://git.opendaylight.org/gerrit/c/releng/builder/+/85644
That patch has been abandoned for a per-project migration (on Andy's
request).
Furthermore, as I noted in the review, we really should duplicate the
sonar jobs, so we can actually evaluate how the projects work with
SonarCloud before ...
> 2. Agree upon a time when Sonarcube (https://sonar.opendaylight.org
> <https://sonar.opendaylight.org/>) can be decommissioned. Please note,
> Sonarcloud has better features and language support than SonarQube, and
> also remove the hosting and maintenance costs associated with the
> SonarQube server.
... we decide on this.
Regards,
Robert
>
> Thanks,
> Anil
>
> On Thu, Nov 7, 2019 at 8:02 AM Eric Ball <eball@...
> <mailto:eball@...>> wrote:
>
> Hello all,
>
> We here at the LF Release Engineering team are working on a move
> from hosted SonarQube instances to the cloud-based Sonarcloud
> service. To that end, there is currently a proposed change to all
> Sonar jobs that would move them to
> Sonarcloud: https://git.opendaylight.org/gerrit/c/releng/builder/+/85644
>
> Sonarcloud has more features and better language support than
> SonarQube, and it will remove the hosting and maintenance costs
> associated with the SonarQube server. Our plan is to decommission
> the SonarQube server about a month after we make the move to Sonarcloud.
>
> You can view the OpenDaylight Sonarcloud page
> here: https://sonarcloud.io/organizations/opendaylight/projects
> Currently, the only projects showing results are those that have run
> and passed on the sandbox. Once the change is merged, all projects
> will show results after their next successful run.
>
> You may notice that while quantitative numbers like code coverage
> and duplication haven't changed, the number of
> bugs/vulnerabilities/code smells may have changed significantly
> (most likely an increase). This is due to Sonarcloud using much more
> up-to-date Quality Profiles than ODL's SonarQube instance, so this
> should be considered an improvement in results (even though I
> understand that it can be a pain to suddenly have a backlog of
> issues where there were few or none before). These profiles can be
> customized, so if anyone sees something coming up that absolutely
> should not be in the results, we can remove it from the Quality Profile.
>
> Please let me know if you have any questions, or if you'd like to
> bring this up for discussion during the next TSC meeting.
>
> Note: ovsdb is using a custom Sonar template. This will need to be
> changed to work with Sonarcloud, or (preferably) changed to use
> global-jjb templates. If there's something our global-jjb jobs do
> not currently support, we should be able to add that functionality.
>
> Eric Ball
> Release Engineer
> The Linux Foundation
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
>
> View/Reply Online (#12181):
> https://lists.opendaylight.org/g/TSC/message/12181
> Mute This Topic: https://lists.opendaylight.org/mt/44622856/1278122
> Group Owner: TSC+owner@...
> <mailto:TSC%2Bowner@...>
> Unsubscribe: https://lists.opendaylight.org/g/TSC/unsub
> [abelur@... <mailto:abelur@...>]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
>
> View/Reply Online (#12218): https://lists.opendaylight.org/g/TSC/message/12218
> Mute This Topic: https://lists.opendaylight.org/mt/44622856/1320659
> Group Owner: TSC+owner@...
> Unsubscribe: https://lists.opendaylight.org/g/TSC/unsub [nite@...]
> -=-=-=-=-=-=-=-=-=-=-=-
>
|
|
|
On 06/11/2019 23:53, Andrew Grimberg wrote: On 11/6/19 2:40 PM, Eric Ball wrote:
All: I'm going to abandon the previously-linked patch request, and
break it out into separate commits by project.
Robert: I've updated the Sonarcloud user permissions to match
SonarQube, where all registered users can administer issues. As for
the history import, it is not supported. We will have to leave the
history behind. A couple of notes about this:
1) Registered users are going to be users that are logging into
SonarCloud using a GitHub account that is associated with the
OpenDaylight GitHub organization. We presently have no quick and easy
way of figuring out what those identities are so we'll have to do it on
a case by case basis right now. Okay, so what is the process to gain access? We have the controller being analyzed and the number of utterly false positives is not funny and I have no way to close them down. Two examples: https://sonarcloud.io/project/issues?id=opendaylight_controller-sonarcloud&issues=AW6UsvtubRr7khNgdg70&open=AW6UsvtubRr7khNgdg70is so utterly and completely wrong it's hard to describe -- target object type is a simple enum, having no state, hence it all the points about safe publication are utter BS in this context. https://sonarcloud.io/project/issues?id=opendaylight_controller-sonarcloud&issues=AW6Usvo9bRr7khNgdg5r&open=AW6Usvo9bRr7khNgdg5ris also utterly wrong -- there is even a @SuppressFBWarnings(VO_VOLATILE_REFERENCE_TO_ARRAY) to mark that yes, we really know what we are doing (it is a cache of the serialized form, and no, we do not really care about double-checked loading). Furthermore, what is the process to evolve the rule sets? Thanks, Robert
|
|
|
Okay, so what is the process to gain access? We have the controller
being analyzed and the number of utterly false positives is not funny
and I have no way to close them down.
To gain access, you'll need to log into Sonarcloud.io using a Github account. If your Github account is already a member of the github.com/opendaylight org, you'll immediately have access to the Sonarcloud org. If not, you can open an issue at support.linuxfoundation.org, providing your Github username for us to provide access.
Two examples:
https://sonarcloud.io/project/issues?id=opendaylight_controller-sonarcloud&issues=AW6UsvtubRr7khNgdg70&open=AW6UsvtubRr7khNgdg70
is so utterly and completely wrong it's hard to describe -- target
object type is a simple enum, having no state, hence it all the points
about safe publication are utter BS in this context.
https://sonarcloud.io/project/issues?id=opendaylight_controller-sonarcloud&issues=AW6Usvo9bRr7khNgdg5r&open=AW6Usvo9bRr7khNgdg5r
is also utterly wrong -- there is even a
@SuppressFBWarnings(VO_VOLATILE_REFERENCE_TO_ARRAY) to mark that yes, we
really know what we are doing (it is a cache of the serialized form, and
no, we do not really care about double-checked loading).
Furthermore, what is the process to evolve the rule sets?
We can make changes to the Quality Profiles to meet the needs of the projects, if there are rules that should never be applied. Otherwise, like SonarQube, individual issues can be marked as false positives, and/or have their priority lowered.
Thanks,
Robert
|
|
|
On Thu, 5 Dec 2019 at 12:55, Eric Ball < eball@...> wrote: Okay, so what is the process to gain access? We have the controller
being analyzed and the number of utterly false positives is not funny
and I have no way to close them down.
To gain access, you'll need to log into Sonarcloud.io using a Github account. If your Github account is already a member of the github.com/opendaylight org, you'll immediately have access to the Sonarcloud org. If not, you can open an issue at support.linuxfoundation.org, providing your Github username for us to provide access.
Two examples:
https://sonarcloud.io/project/issues?id=opendaylight_controller-sonarcloud&issues=AW6UsvtubRr7khNgdg70&open=AW6UsvtubRr7khNgdg70
is so utterly and completely wrong it's hard to describe -- target
object type is a simple enum, having no state, hence it all the points
about safe publication are utter BS in this context.
https://sonarcloud.io/project/issues?id=opendaylight_controller-sonarcloud&issues=AW6Usvo9bRr7khNgdg5r&open=AW6Usvo9bRr7khNgdg5r
is also utterly wrong -- there is even a
@SuppressFBWarnings(VO_VOLATILE_REFERENCE_TO_ARRAY) to mark that yes, we
really know what we are doing (it is a cache of the serialized form, and
no, we do not really care about double-checked loading).
Furthermore, what is the process to evolve the rule sets?
We can make changes to the Quality Profiles to meet the needs of the projects, if there are rules that should never be applied. Otherwise, like SonarQube, individual issues can be marked as false positives, and/or have their priority lowered.
Hi Eric,
I recall the old sonar system has the "ODL Sonar Way" or something profile. Can we not redo that profile in SonarCloud?
I believe that profile was crafted by the community over the years of using Sonar, it seems like if we are able to reapply the rules from there we don't have to relearn our ruleset all over again. It seems to me like a waste of time to have the community backtrack on configuration that has already been applied in the past.
Regards, Thanh
|
|
|
Ok, I've recreated the "ODL way" Java quality profile (59 of 60 rules; one was deprecated) in Sonarcloud, and set it as the default. Future runs should reflect only those rules that were chosen. I still think this should probably be updated, as it has not changed in 5 years, but for now the results should be closer to what you're getting in SonarQube.
On Thu, Dec 5, 2019 at 11:25 AM Thanh Ha < zxiiro@...> wrote: On Thu, 5 Dec 2019 at 12:55, Eric Ball < eball@...> wrote: Okay, so what is the process to gain access? We have the controller
being analyzed and the number of utterly false positives is not funny
and I have no way to close them down.
To gain access, you'll need to log into Sonarcloud.io using a Github account. If your Github account is already a member of the github.com/opendaylight org, you'll immediately have access to the Sonarcloud org. If not, you can open an issue at support.linuxfoundation.org, providing your Github username for us to provide access.
Two examples:
https://sonarcloud.io/project/issues?id=opendaylight_controller-sonarcloud&issues=AW6UsvtubRr7khNgdg70&open=AW6UsvtubRr7khNgdg70
is so utterly and completely wrong it's hard to describe -- target
object type is a simple enum, having no state, hence it all the points
about safe publication are utter BS in this context.
https://sonarcloud.io/project/issues?id=opendaylight_controller-sonarcloud&issues=AW6Usvo9bRr7khNgdg5r&open=AW6Usvo9bRr7khNgdg5r
is also utterly wrong -- there is even a
@SuppressFBWarnings(VO_VOLATILE_REFERENCE_TO_ARRAY) to mark that yes, we
really know what we are doing (it is a cache of the serialized form, and
no, we do not really care about double-checked loading).
Furthermore, what is the process to evolve the rule sets?
We can make changes to the Quality Profiles to meet the needs of the projects, if there are rules that should never be applied. Otherwise, like SonarQube, individual issues can be marked as false positives, and/or have their priority lowered.
Hi Eric,
I recall the old sonar system has the "ODL Sonar Way" or something profile. Can we not redo that profile in SonarCloud?
I believe that profile was crafted by the community over the years of using Sonar, it seems like if we are able to reapply the rules from there we don't have to relearn our ruleset all over again. It seems to me like a waste of time to have the community backtrack on configuration that has already been applied in the past.
Regards, Thanh
|
|
|
On 09/12/2019 22:36, Eric Ball wrote: Ok, I've recreated the "ODL way" Java quality profile (59 of 60 rules;
one was deprecated) in Sonarcloud, and set it as the default. Future
runs should reflect only those rules that were chosen. I still think
this should probably be updated, as it has not changed in 5 years, but
for now the results should be closer to what you're getting in SonarQube. Yeah, I was going to write that, but haven't gotten to it. We certainly should take the default sonarcloud profile and re-evaluate it. Regards, Robert
|
|
|
On Mon, Dec 9, 2019 at 1:50 PM Robert Varga < nite@...> wrote:
On 09/12/2019 22:36, Eric Ball wrote:
> Ok, I've recreated the "ODL way" Java quality profile (59 of 60 rules;
> one was deprecated) in Sonarcloud, and set it as the default. Future
> runs should reflect only those rules that were chosen. I still think
> this should probably be updated, as it has not changed in 5 years, but
> for now the results should be closer to what you're getting in SonarQube.
Yeah, I was going to write that, but haven't gotten to it. We certainly
should take the default sonarcloud profile and re-evaluate it.
Regards,
Robert
|
|
|
Greetings Robert:
Trying to catch up on where we are with the sonarcloud migrations. I think another issue has been identified with 0% coverage, that is caused by an update on the Java analyzer. With sonarcloud it's no longer possible to import jacoco.exec reports, and the workaround suggested is to use XML format. This needs to be fixed in the pom files.
Thanks, Anil
On Fri, Dec 13, 2019 at 8:01 AM Eric Ball < eball@...> wrote:
On Mon, Dec 9, 2019 at 1:50 PM Robert Varga < nite@...> wrote: On 09/12/2019 22:36, Eric Ball wrote:
> Ok, I've recreated the "ODL way" Java quality profile (59 of 60 rules;
> one was deprecated) in Sonarcloud, and set it as the default. Future
> runs should reflect only those rules that were chosen. I still think
> this should probably be updated, as it has not changed in 5 years, but
> for now the results should be closer to what you're getting in SonarQube.
Yeah, I was going to write that, but haven't gotten to it. We certainly
should take the default sonarcloud profile and re-evaluate it.
Regards,
Robert
|
|
|
On 14/01/2020 23:09, Anil Belur wrote: Greetings Robert: Hey Anil, sorry for the late reply. Trying to catch up on where we are with the sonarcloud migrations. I
think another issue has been identified with 0% coverage, that is caused
by an update on the Java analyzer. Ah, good thing we did not do a straight-up migration then :) With sonarcloud it's no longer possible to import jacoco.exec reports,
and the workaround suggested is to use XML format. This needs to be
fixed in the pom files. Okay, so if I am getting this correctly, this is covered in https://community.sonarsource.com/t/jacoco-coverage-reporting-differently-in-sonarcloud/8256Example on how this is fixed on an external project:
https://github.com/synyx/urlaubsverwaltung/pull/930/files Right, and an example is here: https://github.com/SonarSource/sonar-scanning-examples/tree/master/sonarqube-scanner-maven/maven-multimodule, unfortunately it does cover the way we are doing things (i.e. top-level merged report *without* enumerating all artifacts as dependencies). I will need to look into this further. Regards, Robert
|
|
|
On 24/01/2020 08:16, Robert Varga wrote: On 14/01/2020 23:09, Anil Belur wrote:
Greetings Robert: Hey Anil,
sorry for the late reply.
Trying to catch up on where we are with the sonarcloud migrations. I
think another issue has been identified with 0% coverage, that is caused
by an update on the Java analyzer. Ah, good thing we did not do a straight-up migration then :)
With sonarcloud it's no longer possible to import jacoco.exec reports,
and the workaround suggested is to use XML format. This needs to be
fixed in the pom files. Okay, so if I am getting this correctly, this is covered in
https://community.sonarsource.com/t/jacoco-coverage-reporting-differently-in-sonarcloud/8256
Example on how this is fixed on an external project:
https://github.com/synyx/urlaubsverwaltung/pull/930/files Right, and an example is here:
https://github.com/SonarSource/sonar-scanning-examples/tree/master/sonarqube-scanner-maven/maven-multimodule,
unfortunately it does cover the way we are doing things (i.e. top-level
merged report *without* enumerating all artifacts as dependencies).
I will need to look into this further. Okay, I do have a prototype here: https://git.opendaylight.org/gerrit/c/odlparent/+/88440Can somebody test it, please? Thanks, Robert
|
|
|
On Mon, Mar 16, 2020 at 11:11 PM Robert Varga < nite@...> wrote: On 24/01/2020 08:16, Robert Varga wrote:
> On 14/01/2020 23:09, Anil Belur wrote:
>> Greetings Robert:
>
> Hey Anil,
>
> sorry for the late reply.
>
>> Trying to catch up on where we are with the sonarcloud migrations. I
>> think another issue has been identified with 0% coverage, that is caused
>> by an update on the Java analyzer.
>
> Ah, good thing we did not do a straight-up migration then :)
>
>> With sonarcloud it's no longer possible to import jacoco.exec reports,
>> and the workaround suggested is to use XML format. This needs to be
>> fixed in the pom files.
>
> Okay, so if I am getting this correctly, this is covered in
> https://community.sonarsource.com/t/jacoco-coverage-reporting-differently-in-sonarcloud/8256
>
>> Example on how this is fixed on an external project:
>> https://github.com/synyx/urlaubsverwaltung/pull/930/files
>
> Right, and an example is here:
> https://github.com/SonarSource/sonar-scanning-examples/tree/master/sonarqube-scanner-maven/maven-multimodule,
> unfortunately it does cover the way we are doing things (i.e. top-level
> merged report *without* enumerating all artifacts as dependencies).
>
> I will need to look into this further.
Okay, I do have a prototype here:
https://git.opendaylight.org/gerrit/c/odlparent/+/88440
Can somebody test it, please?
Hello Robert:
Sorry, for the delay on getting back on this. As mentioned on the IRC, I've tested the job with the CR 88440 on the sandbox.
https://sonarcloud.io/dashboard?id=opendaylight_odlparenthttps://logs.opendaylight.org/sandbox/vex-yul-odl-jenkins-2/odlparent-sonar/1
Thanks, Anil
|
|
|
On 29/04/2020 08:35, Anil Belur wrote:
Okay, I do have a prototype here:
https://git.opendaylight.org/gerrit/c/odlparent/+/88440
Can somebody test it, please?
Hello Robert:
Sorry, for the delay on getting back on this. As mentioned on the IRC,
I've tested the job with the CR 88440 on the sandbox.
https://sonarcloud.io/dashboard?id=opendaylight_odlparent
https://logs.opendaylight.org/sandbox/vex-yul-odl-jenkins-2/odlparent-sonar/1
Hello Anil, both your run: https://sonarcloud.io/project/activity?custom_metrics=coverage&graph=custom&id=opendaylight_odlparentand the parallel job we have for controller: https://sonarcloud.io/project/activity?custom_metrics=coverage&graph=custom&id=opendaylight_controller-sonarcloudlook good with Aluminium-MRI odlparent changes, hence we are good to roll this out for MRI projects (odlparent,yangtools,mdsal,controller) now. I am updating the patches even as I write this. For the rest of the projects we should be okay once Aluminium MRI integration is done (couple of weeks at most). Regards, Robert
|
|
|
On Wed, Apr 29, 2020 at 6:16 PM Robert Varga < nite@...> wrote: On 29/04/2020 08:35, Anil Belur wrote:
>
> Okay, I do have a prototype here:
> https://git.opendaylight.org/gerrit/c/odlparent/+/88440
>
> Can somebody test it, please?
>
>
> Hello Robert:
>
> Sorry, for the delay on getting back on this. As mentioned on the IRC,
> I've tested the job with the CR 88440 on the sandbox.
>
> https://sonarcloud.io/dashboard?id=opendaylight_odlparent
> https://logs.opendaylight.org/sandbox/vex-yul-odl-jenkins-2/odlparent-sonar/1
Hello Anil,
both your run:
https://sonarcloud.io/project/activity?custom_metrics=coverage&graph=custom&id=opendaylight_odlparent
and the parallel job we have for controller:
https://sonarcloud.io/project/activity?custom_metrics=coverage&graph=custom&id=opendaylight_controller-sonarcloud
look good with Aluminium-MRI odlparent changes, hence we are good to
roll this out for MRI projects (odlparent,yangtools,mdsal,controller)
now. I am updating the patches even as I write this.
For the rest of the projects we should be okay once Aluminium MRI
integration is done (couple of weeks at most).
Regards,
Robert
Thanks Robert, all the changes for odlparent, yangtools, mdsal and controller are merged.
|
|
|
