Static code analysis for Java

Static code analysis for Java

yzhdanov
Guys,

I remember we tried some static code analysis tools for Java (a bit awkward
not having one yet), but we did not set up regular checks.

I want to return to this. As a result I would like to have a code analysis tool
running on TC on a daily basis and also an established process to review and fix
code based on the tool report, the same as we do with failed tests.

So, I consider several options:

1. Findbugs - simple, free, runs locally, seems to have a report parser in TC
and a maven plugin
2. https://www.sonarqube.org/ - free, runs locally and the user uploads info to
the Sonarqube server for analysis; has a very basic TC plugin that uploads a bundle
to the server and links build results on TC to results at the Sonarqube site.
3. https://scan.coverity.com/projects/apache-ignite - Coverity seems to be
very powerful, free for open source, runs locally and then the user uploads
results to the server for analysis.

Anton Vinogradov, can we try setting up Findbugs on TC and see how it works
and integrates with TC? It seems to be the simplest option to get
results faster.

Then we can compare it to Coverity and decide what to do next.

--Yakov
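One way to wire option 1 into the Maven build so that findings fail the build the same way a failed test does. This is an added example, not a fragment of the Ignite pom: the plugin coordinates and parameters are the published ones for findbugs-maven-plugin, while the single-module layout and the findbugs-exclude.xml filter file are assumptions. Binding the `check` goal to `verify` means a plain `mvn verify` on the TeamCity agent goes red on new findings, and the XML report under target/ is what TeamCity's XML report processing feature reads to show the findings per build. Two caveats a practitioner would want: start with a higher threshold (or a baseline exclude filter) and tighten it once the existing findings are cleaned up, otherwise the first run simply blocks every build; and FindBugs itself is no longer maintained, its maintained successor SpotBugs ships a Maven plugin with the same shape of configuration.

```xml
<!-- Added example, not taken from the Ignite pom: wires FindBugs into the
     Maven build so `mvn verify` fails on findings and emits an XML report. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.codehaus.mojo</groupId>
      <artifactId>findbugs-maven-plugin</artifactId>
      <version>3.0.5</version>
      <configuration>
        <!-- Max effort: slower, but runs the inter-procedural detectors too -->
        <effort>Max</effort>
        <!-- Low reports everything; keep Medium until the baseline is clean -->
        <threshold>Medium</threshold>
        <!-- findings break the build, like a failed test -->
        <failOnError>true</failOnError>
        <!-- write an XML report under target/ for TeamCity's XML report processing -->
        <xmlOutput>true</xmlOutput>
        <!-- assumed filter file listing accepted findings (false positives, legacy code) -->
        <excludeFilterFile>findbugs-exclude.xml</excludeFilterFile>
      </configuration>
      <executions>
        <execution>
          <id>findbugs-check</id>
          <phase>verify</phase>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place the TeamCity build step is just `mvn verify`; no separate FindBugs runner is needed, and the exclude filter is the one place where a finding is deliberately accepted, which keeps those decisions reviewable in the repository rather than in the CI server.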
Re: Static code analysis for Java

Malcolm Taylor
Yakov,

You might also wish to consider lgtm.com, which is already analysing Ignite
builds ( https://lgtm.com/projects/g/apache/ignite/ ).
It has found a number of issues, some of which have been fixed through
https://issues.apache.org/jira/browse/IGNITE-5805
lgtm also supports the option of GitHub integration as discussed in
https://lgtm.com/docs/lgtm/using-lgtm-analysis-continuous-integration

Regards,

Malcolm

On 14 September 2017 at 16:02, Yakov Zhdanov <[hidden email]> wrote:
Re: Static code analysis for Java

Anton Vinogradov
Wow,
Seems that's what we were looking for!

On Thu, Sep 14, 2017 at 6:26 PM, Malcolm Taylor <[hidden email]> wrote:
Re: Static code analysis for Java

Alexey Kuznetsov
AFAIK, we can run on TC the same code analyzer that is built into IDEA.

See:

CodeCoverageResults

https://confluence.jetbrains.com/display/TCD10/Working+with+Build+Results#WorkingwithBuildResults-CodeCoverageResults

Code Inspection

https://confluence.jetbrains.com/display/TCD10/Working+with+Build+Results#WorkingwithBuildResults-CodeInspectionResults

On Thu, Sep 14, 2017 at 10:28 PM, Anton Vinogradov <[hidden email]
> wrote:

--
Alexey Kuznetsov
Re: Static code analysis for Java

Pavel Tupitsyn
Yes, we can run IDEA inspections, and this is the simplest thing to do,
since TeamCity already has this step available.

On Thu, Sep 14, 2017 at 7:05 PM, Alexey Kuznetsov <[hidden email]>
wrote:
Re: Static code analysis for Java

dsetrakyan
Hm... LGTM tool looks nice! Check out all the errors it already found in
Ignite :)

https://lgtm.com/projects/g/apache/ignite/alerts/?mode=list&severity=error

D.

On Thu, Sep 14, 2017 at 9:21 AM, Pavel Tupitsyn <[hidden email]>
wrote:
Re: Static code analysis for Java

Bas van Schaik
Hi all,

My colleague Malcolm copied me in on this thread. Full disclosure: we're
part of the team behind lgtm.com.

Glad to hear that you guys like lgtm.com and the results we report for
Ignite! We've only launched recently and are seeing a really quick
growth in the number of users from the open-source community. We
continuously analyse every revision of more than 50k open-source
projects, including most ASF projects. You may recall the Apache Struts
vulnerability that was announced last week — the lgtm.com security team
found that result and worked with the project maintainers to fix it and
disclose it responsibly. Here's a technical write-up by my colleague Mo
who found the vulnerability:
https://lgtm.com/blog/apache_struts_CVE-2017-9805

Because we've only just launched, we're really keen to hear feedback
from early adopters from the open-source community. Please let us know
what you like and what you don't like so we can improve lgtm.com! We're
particularly keen to hear feedback on the automated code review for pull
requests — you can set it up here:
https://lgtm.com/projects/g/apache/ignite/ci/

To give you an idea of what it looks like: our friends at NASA are using
it for a couple of their open-source projects on GitHub. Here's an
example of a PR: https://github.com/Open-MBEE/mdk/pull/105.

Anyway — I hope lgtm.com will be useful to you. Any questions/comments:
let me know.

Cheers,

   Bas

Re: Static code analysis for Java

Jörn Franke
Why not use all of the tools (well, at least several)? They are easy to integrate. In this way one would be less exposed to promoting one commercial vendor over the other.
This would also help in finding the right quality criteria instead of analyzing what is offered by only one solution.

From the open source projects that I contribute to, my experience is that they have different strengths and weaknesses. For example, one may not support Scala at all, whereas another is very good in Java and not so good in Scala.

> On 14. Sep 2017, at 17:26, Malcolm Taylor <[hidden email]> wrote:
Re: Static code analysis for Java

yzhdanov
Bas, thanks for joining!

Can you please point me to the page listing all types of issues LGTM can
find (like this one -
https://scan.coverity.com/faq#what-types-of-issues-tool-find)?

LGTM really helped to find some bugs like an incorrect key type when working
with a hash map instance, unnecessary boxing, unused collections, possible
resource leaks and some more.

Do your users integrate with CI servers somehow, esp. TeamCity? It would be
cool to have the project state (at least from the code standpoint) in one place,
i.e. at CI.

--Yakov
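The bug classes Yakov lists above, as an added Java illustration that is not Ignite code and not output from LGTM: each pair shows the pattern in the form a static analyzer (FindBugs, LGTM, IDEA inspections) reports it, next to the corrected form. The class, the map contents and the sample inputs are made up for the example. The first case is the one worth running: a `Map<Long, String>` queried with an `int` compiles cleanly, because `Map.get` takes `Object`, but the argument boxes to `Integer`, `Integer.equals(Long)` is always false, and the lookup silently returns null on every call.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Added illustration (not Ignite code): the bug classes named in the post,
 * each in the form a static analyzer flags, next to the corrected form.
 */
public class AnalyzerFindings {

    // --- 1. Wrong key type on a HashMap ---------------------------------
    // Map keyed by Long; a lookup with an int autoboxes to Integer, and
    // Integer.equals(Long) is always false, so the lookup silently misses.
    static final Map<Long, String> NODES = new HashMap<>();
    static {
        NODES.put(42L, "node-42");   // constructed sample entry
    }

    static String lookupBuggy(int nodeId) {
        return NODES.get(nodeId);        // key boxes to Integer, map holds Long: always null
    }

    static String lookupFixed(int nodeId) {
        return NODES.get((long) nodeId); // widen to long first, so it boxes to Long
    }

    // --- 2. Unnecessary boxing ---------------------------------------------
    static long sumBuggy(int[] values) {
        Long total = 0L;                 // every += unboxes, adds, and allocates a new Long
        for (int v : values) total += v;
        return total;
    }

    static long sumFixed(int[] values) {
        long total = 0L;                 // primitive accumulator, no allocation per step
        for (int v : values) total += v;
        return total;
    }

    // --- 3. Unused collection ----------------------------------------------
    static int countBuggy(int[] values) {
        List<Integer> seen = new ArrayList<>(); // filled but never read; the fix is to delete it
        int n = 0;
        for (int v : values) { seen.add(v); n++; }
        return n;
    }

    // --- 4. Possible resource leak -----------------------------------------
    static int countLinesBuggy(String text) throws IOException {
        BufferedReader r = new BufferedReader(new StringReader(text));
        int n = 0;
        while (r.readLine() != null) n++;
        return n;                        // r.close() is never called, on the exception path either
    }

    static int countLinesFixed(String text) throws IOException {
        try (BufferedReader r = new BufferedReader(new StringReader(text))) {
            int n = 0;                   // try-with-resources closes r on every path
            while (r.readLine() != null) n++;
            return n;
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println("buggy lookup: " + lookupBuggy(42));
        System.out.println("fixed lookup: " + lookupFixed(42));
        int[] vals = {1, 2, 3};          // constructed sample input
        System.out.println("sums: " + sumBuggy(vals) + " " + sumFixed(vals));
        System.out.println("lines: " + countLinesFixed("a\nb\nc"));
    }
}
```

Compile and run with `javac AnalyzerFindings.java && java AnalyzerFindings`. The point of the first pair is that no test that happens to hit the map through the correct `long` path will ever notice the `int` overload; the mismatch is visible only to a type-aware analyzer, which is why this class of finding is worth wiring into CI rather than leaving to code review.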
Re: Static code analysis for Java

Dmitriy Pavlov
According to the recent 'Code Inspection' conversation, I would like to bump up
this thread too.

Igniters, who can advise whether Coverity has an integration with, or the ability to be run on,
TeamCity? Who can help to prove that it is possible to execute it using
maven?

Tue, 19 Sep 2017 at 14:27, Yakov Zhdanov <[hidden email]>: