eclipse-pass / main

Catch all repository against which issues of general, cross cutting topics are logged.
Apache License 2.0

Investigate static code analysis tools #870

Open rpoet-jh opened 5 months ago

rpoet-jh commented 5 months ago

What? Investigate adding more static code analysis (SCA) tools to repos.

Why? SCA tool scans improve code quality and security, and they give confidence in the code in the repo when the community sees such tools being used.

How? For Java, standard SCA tools are PMD and SpotBugs. We probably want to select a security SCA for Java as well; there are a few of them.

For JavaScript, we should evaluate what we currently have and decide if it would be good to add any.

SCA tools should be part of CI and status checks on PRs. These tools should be runnable by a dev on their local machine too.

Acceptance Criteria: SCA tools are runnable locally, in CI, and as PR status checks.

Related Issues
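As an added illustration of the acceptance criteria above (an example written for this issue, not a workflow from the eclipse-pass repositories), a GitHub Actions workflow that runs PMD, SpotBugs and Semgrep on every pull request so each job shows up as a PR status check. The file name, the Maven plugin configuration in pom.xml and the Semgrep rule sets are assumptions.

```yaml
# .github/workflows/static-analysis.yml  (hypothetical file name)
# Triggered on pull requests so each job can be made a required status check.
name: static-analysis

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  java-quality:
    # PMD + SpotBugs. A dev gets the identical result locally by running the
    # same mvn command; plugin versions are assumed to be pinned in pom.xml.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
          cache: maven
      # Fully qualified goals so the run does not depend on pluginGroups.
      # Both `check` goals fail the build on findings by default
      # (PMD: failOnViolation, SpotBugs: failOnError), which is what turns
      # the job into a meaningful status check. SpotBugs needs compiled
      # classes, hence the explicit `compile` first.
      - run: >-
          mvn -B -ntp compile
          org.apache.maven.plugins:maven-pmd-plugin:check
          com.github.spotbugs:spotbugs-maven-plugin:check

  semgrep-security:
    # Security-focused rules for the Java and JavaScript code in the repo;
    # `--error` makes any finding fail the step. Rule sets are an assumption.
    runs-on: ubuntu-latest
    container: returntocorp/semgrep
    steps:
      - uses: actions/checkout@v4
      - run: semgrep scan --config p/java --config p/javascript --error
```

Locally, the same two commands (`mvn ... check` and `semgrep scan ...`, with Semgrep installed via pip or its container image) reproduce the CI result, which satisfies the "runnable by a dev on their local machine" criterion.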

rpoet-jh commented 2 months ago

Here is a list on OWASP for Static Code Analysis Tools: https://owasp.org/www-community/Source_Code_Analysis_Tools

It's a long list, but I think investigating semgrep and sync-code would be worthwhile for static security scanning.