I see, thanks Vino!

*"Prevent bugs from ever making it to your project"* - That's an extremely
bold statement for anyone to make :)

Like it mentions, although it tries to reduce the false positive rate, we
probably still will get some noise. Can we try it with one of the PRs to
see its worth before adopting it?

-Nishith


On Wed, Mar 3, 2021 at 6:23 PM vino yang <yanghua1...@gmail.com> wrote:

> Hi,
>
> It did not provide much public information, but gave a description on the
> official website:
>
>
>
> *“Prevent bugs from ever making it to your project by using automated
> reviews that let you know when your code changes would introduce alerts
> into your project. We support GitHub and Bitbucket. We put a large emphasis
> on reducing the false positive rate of our standard queries, so you won’t
> suffer from a torrent of uninteresting alerts every time someone submits
> code.”*
>
> From the official website, you can see that it supports mainstream
> programming languages: C/C++, C#, Go, Java, JavaScript, Python.
>
> I speculate that maybe it integrates some bug static scanning tools.
>
> Best,
> Vino
>
> nishith agarwal <n3.nas...@gmail.com> wrote on Thu, Mar 4, 2021 at 4:43 AM:
>
>> This is a good idea @vino yang <yanghua1...@gmail.com>
>>
>> Have you looked into what the "automated code review" actually does?
>>
>> -Nishith
>>
>> On Wed, Mar 3, 2021 at 7:38 AM vino yang <vinoy...@apache.org> wrote:
>>
>>> Hi guys,
>>>
>>> I want to introduce a code analysis service called lgtm [1] in the
>>> community. Recently, in the Kylin community, I found it in my colleague's
>>> PR [2].
>>>
>>> lgtm is a code analysis platform for finding zero-days and preventing
>>> critical vulnerabilities. Some features listed here (copied from its
>>> official website): [1]
>>>
>>>
>>>    - Unparalleled security analysis
>>>    - Automated code review
>>>    - Free for open source
>>>
>>>
>>> We can see that it can be integrated with GitHub [3] and exists in the form
>>> of a robot triggered by a git hook [2].
>>>
>>> With the development of the community, more and more people participate in
>>> the development of the community, and the workload of the code review has
>>> become more onerous. Introducing it, we can use some of the existing
>>> automated scanning and analysis capabilities to make up for the lack of
>>> knowledge or experience of the reviewer.
>>>
>>> WDYT?
>>>
>>> Any thoughts and opinions are welcome and appreciated!
>>>
>>> [1]: https://lgtm.com/
>>> [2]: https://github.com/apache/kylin/pull/1596#issuecomment-788935493
>>> [3]: https://github.com/marketplace/lgtm
>>>
>>> Best,
>>> Vino
>>>
>>
