
Proposal sonarcloud.md

bhoefling-c2c edited this page Feb 25, 2022 · 3 revisions
Date: 2022-02-23
Contacts: Björn Höfling
Status: Proposed
Release: Independent
Resources: Ticket #
Source code:
Funding: Free of costs. Work offered by Camptocamp

Overview

SonarQube is a static code analysis tool that inspects code for code quality and, more recently, for security issues.

The issues raised by SonarQube range from severe security issues such as SQL injection, XSS and DoS vulnerabilities to minor code smells such as the naming of constants in CAPITAL_LETTERS.

Introducing a code scanning tool can find severe security issues and also help make the code more maintainable. It can also support code reviews, as the critique is more objective and not person-to-person.

SonarCloud

SonarCloud is the cloud version of SonarQube and is offered without costs for Open Source projects.

The setup for a GitHub organization can be done fairly easily. Activation is via a GitHub Actions workflow.

Camptocamp offers to set up the SonarCloud system.

Proposal Content

We propose to create a SonarCloud account for the geonetwork group and start analyzing at least the core-geonetwork project.

Purpose

Code quality will be automatically checked and good practices can be applied to pull requests.

Technical Details:

RuleSet and Quality Gates

It is possible to set custom quality gates and rule sets, for example when too many false-positive errors pop up.

For now, we keep the default settings. If we find out that the rules produce too many false errors, they can be adapted; an example is here.

Java 8/11 Concerns

GeoNetwork is still written in Java 8. Concerns had been raised that SonarQube would only work with Java 11+.

The fact is that the Sonar Maven Plugin is written in Java 11 (bytecode version 55) and thus needs to be executed with a JDK 11. There are cases where it is possible to compile Java 8 code with the JDK 11 compiler. This is not the case for GeoNetwork, as with JDK 11 the javax.servlet packages moved out to Jakarta. We thus have to first compile GeoNetwork with JDK 8, then run the SonarQube plugin with JDK 11. This is possible and tested.
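A GitHub Actions workflow for the two-JDK procedure described above, added here as an illustration and not taken from this proposal or from the GeoNetwork project; the organization key, project key, secret name, Maven goals and action versions are assumptions to be adapted.

```yaml
# Added example, not GeoNetwork's own workflow: build with JDK 8, analyse with JDK 11.
name: SonarCloud analysis

on:
  push:
    branches: [ main ]
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  sonarcloud:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          # Full history so SonarCloud can attribute new issues to the right commit or PR.
          fetch-depth: 0

      # Step 1: compile and test with JDK 8, the version the code base targets.
      - uses: actions/setup-java@v2
        with:
          distribution: temurin
          java-version: '8'
      - name: Build with JDK 8
        run: mvn -B verify

      # Step 2: switch to JDK 11 only for the scanner, whose plugin is compiled to
      # Java 11 bytecode (class version 55). The sonar goal reuses the classes and
      # reports already produced under target/, so nothing is recompiled (no "clean").
      - uses: actions/setup-java@v2
        with:
          distribution: temurin
          java-version: '11'
      - name: Run SonarCloud scanner with JDK 11
        env:
          # GITHUB_TOKEN lets SonarCloud decorate pull requests; SONAR_TOKEN is the
          # analysis token stored as a repository secret (assumed secret name).
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: >
          mvn -B org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
          -Dsonar.host.url=https://sonarcloud.io
          -Dsonar.organization=ORGANIZATION_KEY_PLACEHOLDER
          -Dsonar.projectKey=PROJECT_KEY_PLACEHOLDER
```

Keep the analysis token in repository secrets rather than in the workflow file. GitHub does not expose repository secrets to pull requests opened from forks, so the scanner step will not have a token there and needs to be skipped or handled separately.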

Proposal Type:

  • Type:
  • Module:

Voting History

  • Vote Proposed: TBA

Participants

  • All