[ https://issues.apache.org/jira/browse/CASSANDRA-18390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17707439#comment-17707439 ]
Maxim Muzafarov commented on CASSANDRA-18390:
---------------------------------------------

Ok, I seem to have configured the SonarLint plugin as follows (we can probably update the documentation pages once we decide to move on):
- installed the SonarLint plugin;
- logged in with my ASF credentials through GitHub to https://sonarcloud.io/ ;
- generated a new token for myself on My Account -> Security tab (any ASF member could also provide this token for a member who doesn't have the ASF membership);
- configured a new cloud connection (supported for IntelliJ IDEA and Eclipse only) for the SonarLint plugin using the given token: Settings -> Tools -> SonarLint;
- bound the project to the connection: Settings -> Tools -> SonarLint -> Bind to SonarCloud, and used "apache_cassandra" as the projectKey pulled from SonarCloud;

I think the main concern here is "where can I get a sonar auth token", so it shouldn't be a problem for an ASF member. For the others, a user can ask someone on the @dev slack channel for it, I guess, as according to this note it is quite legal to share tokens:
{code}
If you want to enforce security by not providing credentials of a real SonarCloud user to run your code scan or to invoke web services, you can provide a User Token as a replacement of the user login. This will increase the security of your installation by not letting your analysis user's password going through your network.
{code}

> Run Sonar analyzer over the Cassandra project
> ---------------------------------------------
>
> Key: CASSANDRA-18390
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18390
> Project: Cassandra
> Issue Type: Task
> Components: Build
> Reporter: Maxim Muzafarov
> Assignee: Maxim Muzafarov
> Priority: Normal
> Time Spent: 10m
> Remaining Estimate: 0h
>
> As we already have Cassandra's project configured for the sonarcloud.io INFRA-24196, I wonder if we will be able to release branches, trunk, and pull requests to get analyzed by the SonarAnalyzer tool.
>
> Sonar is a code quality and security tool that is free to open-source projects and recommended by the INFRA team:
> https://cwiki.apache.org/confluence/display/INFRA/SonarCloud+for+ASF+projects
>
> It can have the following benefits without introducing any drawbacks (except for a few lines of source code):
> - visualise the LFH problems to work on;
> - see the trends in the source code;
> - add an extra layer of static code analysis;
>
> Changes below I have tested locally with my SonarQube deployed on http://localhost:9000 and ran the `act` for the GA part of the PR. It seems to work and parse classes correctly, but there are a few steps that need to be done by Cassandra's Committer or PMC (I do not have sufficient privileges):
> - Get the {{sonar.projectKey}} from the INFRA team;
> - make sure that the {{SONARCLOUD_TOKEN}} is available for GA and enabled for the project;

--
This message was sent by Atlassian Jira
(v8.20.10#820010)