+1 ! Fantastic! It will be great to see our code improves as we are progressing with Pylint fixes + maybe it can motivate us to finally implement better strategy for keeping pip dependencies up-to-date.
I also think Javascript is also important. I wonder how our score might improve if we decide to implement https://github.com/apache/airflow/pull/5871 which results in fixing > 50 vulnerabilities in JS. Also I think just introducing it is not enough. Similarly as in case of the current pylint introduction strategy <https://github.com/apache/airflow/blob/master/CONTRIBUTING.md#pylint-checks> (and related JIRA issue <https://issues.apache.org/jira/browse/AIRFLOW-4364>) - once we get it in place we should define and follow a "project/strategy" how to fix those issues incrementally. Just seeing a big list of issues is not helping in fixing them until we decide what to do :) My proposal will be to integrate the tool, follow-up with the pylint introduction across the board - and possibly the eslint + npmaudit (and thanks to LGTM we will see the progress) and after we are done with Pylint, we create similar "LGTM introduction" project after we see what's left and split it into separate JIRAs. J. On Tue, Aug 20, 2019 at 7:18 AM Kaxil Naik <kaxiln...@gmail.com> wrote: > The tool looks good. It also shows when this error was introduced and more > debug information. > > [image: image.png] > > +1 from my side to integrate it > > On Tue, Aug 20, 2019 at 11:49 AM Ash Berlin-Taylor <a...@apache.org> wrote: > >> Interesting! >> >> One or two of the rules we'd probably want to ignore (`Module 'airflow' >> is imported with both 'import' and 'import from'`) and possibly the cycle >> one, but some of them certainly look like bugs/errors that should be fixed. >> >> > On 20 Aug 2019, at 10:00, Driesprong, Fokko <fo...@driesprong.frl> >> wrote: >> > >> > Hi all, >> > >> > I recently bumped into LGTM <https://github.com/marketplace/lgtm>, an >> > automated vulnerability checker. Besides that, it also analyzes general >> > code quality. I think it would be nice to enable this on Airflow as >> > well. LGTM automatically runs 1600+ standard analyses contributed by >> > researchers from the Semmle Security Research Team and our customer >> > community, including Microsoft, Google, Uber, and Mozilla. >> > >> > Right now it doesn't look so great: >> > https://lgtm.com/projects/g/apache/airflow/alerts/?mode=list >> > >> > Please note that this is both Javascript and Python, for Airflow I would >> > only look at the latter. >> > >> > I'm still experimenting with it on my personal repo, but would like to >> get >> > your opinion on it. >> > >> > Cheers, Fokko >> >> -- Jarek Potiuk Polidea <https://www.polidea.com/> | Principal Software Engineer M: +48 660 796 129 <+48660796129> [image: Polidea] <https://www.polidea.com/>
