InboundResearch / Bedrock


Add SCA #10

Open brettonw opened 1 week ago

brettonw commented 1 week ago

Static Code Analysis tools should be part of the CI workflow. Since this project isn't built in a CI workflow (due to sporadic enhancements), it should ideally be part of the `mvn package` step.
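One way to wire the scanner into `mvn package` as proposed above, shown here as an added example rather than Bedrock's own `pom.xml`. It uses the SonarScanner for Maven plugin and assumes a SonarQube server at `http://localhost:9000` (e.g. the docker container), a project key of `bedrock`, and that the analysis token is supplied through a `SONAR_TOKEN` environment variable; the plugin version pinned below is also an assumption and should be checked against the current release.

```xml
<!-- Added example, not Bedrock's pom.xml. Binds the SonarScanner for Maven
     to the package phase, but only inside a profile that activates when
     SONAR_TOKEN is set, so a plain `mvn package` on a machine without the
     server or token still builds normally. -->
<project>

  <properties>
    <!-- assumed server and project key; override with -Dsonar.host.url=... -->
    <sonar.host.url>http://localhost:9000</sonar.host.url>
    <sonar.projectKey>bedrock</sonar.projectKey>
    <!-- Never commit the analysis token: read it from the environment. -->
    <sonar.token>${env.SONAR_TOKEN}</sonar.token>
  </properties>

  <profiles>
    <profile>
      <id>sca</id>
      <activation>
        <!-- activates whenever the SONAR_TOKEN environment variable exists -->
        <property>
          <name>env.SONAR_TOKEN</name>
        </property>
      </activation>
      <build>
        <plugins>
          <plugin>
            <groupId>org.sonarsource.scanner.maven</groupId>
            <artifactId>sonar-maven-plugin</artifactId>
            <!-- assumed version; pin to whatever release you verify against -->
            <version>3.11.0.3922</version>
            <executions>
              <execution>
                <id>sonar-on-package</id>
                <!-- runs after compile and test, so classes and reports exist -->
                <phase>package</phase>
                <goals>
                  <goal>sonar</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>

</project>
```

Run it as `SONAR_TOKEN=... mvn clean package` against a running server; without the variable the profile stays off and the build does not try to reach SonarQube. Older scanner and server versions expect the property `sonar.login` instead of `sonar.token`, so check which one your installed version accepts before relying on the profile.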

brettonw commented 1 week ago

Investigating SonarQube (community edition) - https://www.sonarsource.com/knowledge/languages/java/

brettonw commented 1 week ago

I downloaded the zip file, but expect the docker container will be a better solution. documentation

brettonw commented 1 week ago

I loaded the tool in a docker container and configured a project locally for evaluation. I ran the tool using the maven command line it gave me. [documentation](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner-for-maven/)

I found no really useful issues reported by the scanner, and no severe issues within Bedrock that required a change. There are a number of pedantic rules that fired off, even in the javascript, but I reviewed the highest priorities and only made one or two changes.

I will periodically review the codebase...