[ https://issues.apache.org/jira/browse/CASSANDRA-18390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17707439#comment-17707439 ]

Maxim Muzafarov commented on CASSANDRA-18390:
---------------------------------------------

Ok, I seem to have configured the SonarLint plugin as follows (we can probably 
update the documentation pages once we decide to move on):
- installed the SonarLint plugin;
- logged in with my ASF credentials through GitHub to https://sonarcloud.io/ ;
- generated a new token for myself on My Account -> Security tab (any ASF 
member could also provide this token for a member who doesn't have the ASF 
membership);
- configured a new cloud connection (supported for IntelliJ IDEA and Eclipse only) 
for the SonarLint plugin using the given token: Settings -> Tools -> SonarLint;
- bound the project to the connection: Settings -> Tools -> SonarLint -> Bind to 
SonarCloud, and used "apache_cassandra" as the projectKey pulled from 
SonarCloud;


I think the main concern here is "where can I get a sonar auth token", so it 
shouldn't be a problem for an ASF member. For the others, a user can ask 
someone on the @dev slack channel for it, I guess, as, according to this note, it 
is quite legal to share tokens:

{code}
If you want to enforce security by not providing credentials of a real 
SonarCloud user to run your code scan or to invoke web services, you can 
provide a User Token as a replacement of the user login. This will increase the 
security of your installation by not letting your analysis user's password 
going through your network.
{code}


> Run Sonar analyzer over the Cassandra project
> ---------------------------------------------
>
>                 Key: CASSANDRA-18390
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18390
>             Project: Cassandra
>          Issue Type: Task
>          Components: Build
>            Reporter: Maxim Muzafarov
>            Assignee: Maxim Muzafarov
>            Priority: Normal
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> As we already have Cassandra's project configured for sonarcloud.io 
> (INFRA-24196), I wonder if we will be able to get release branches, trunk, and pull 
> requests analyzed by the SonarAnalyzer tool.
> Sonar is a code quality and security tool that is free to open-source 
> projects and recommended by the INFRA team:
> https://cwiki.apache.org/confluence/display/INFRA/SonarCloud+for+ASF+projects
> It can have the following benefits without introducing any drawbacks (except 
> for a few lines of source code)
> - visualise the LFH problems to work on;
> - see the trends in the source code;
> - add an extra layer of static code analysis;
> I have tested the changes below locally with my SonarQube deployed on 
> http://localhost:9000 and ran `act` for the GA part of the PR.  It seems 
> to work and parse classes correctly, but there are a few steps that need to 
> be done by a Cassandra Committer or PMC member (I do not have sufficient privileges):
> - Get the {{sonar.projectKey}} from the INFRA team;
> - make sure that the {{SONARCLOUD_TOKEN}} is available for GA and enabled for 
> the project;
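The ticket refers to the {{sonar.projectKey}} and the {{SONARCLOUD_TOKEN}} secret that the GitHub Actions ("GA") part of the PR needs. The workflow below is an added illustration of how those two values are wired up, not the workflow from the PR itself. It assumes the stock SonarSource/sonarcloud-github-action, that the ASF secret named SONARCLOUD_TOKEN is exposed to the scanner as SONAR_TOKEN, that `ant jar` is enough to produce class files under build/classes, and it uses an obvious placeholder for the organization key; "apache_cassandra" is the project key mentioned in the comment above. The token only ever comes from the repository secret store and is never written into the workflow or into sonar-project.properties, and pull requests from forks are skipped rather than failed, because GitHub does not hand secrets to fork-originated runs.

```yaml
# Added example: SonarCloud scan job for GitHub Actions (not the PR's own workflow).
name: SonarCloud analysis (example)

on:
  push:
    branches: [trunk]
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  sonar:
    runs-on: ubuntu-latest
    # Fork PRs do not receive repository secrets; skip instead of failing.
    if: >-
      github.event_name == 'push' ||
      github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v3
        with:
          # Full history lets Sonar attribute "new code" to the right commits.
          fetch-depth: 0

      - name: Build class files for the analyzer
        # Assumed build target; adjust to whatever the project's ant build needs.
        run: ant jar

      - name: SonarCloud scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          # GITHUB_TOKEN is needed for PR decoration; SONAR_TOKEN is the
          # analysis token. Both are read from secrets, never from the file.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }}
        with:
          args: >
            -Dsonar.organization=ORG_KEY_PLACEHOLDER
            -Dsonar.projectKey=apache_cassandra
            -Dsonar.java.binaries=build/classes
```

Because the scan runs only on pushes to trunk and on same-repository pull requests, a contributor's fork never needs the token at all, which is the point of keeping it as a repository secret rather than sharing a user token around.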



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
