On Wed, Mar 8, 2023 at 4:07 AM Simon Steiner <[email protected]> wrote:
> We are using checkstyle and findbugs currently which allow offline use and
> use in commercial development without extra licensing.
>

Checkstyle is good for enforcing style rules, but our dependencies are seriously out of date, currently referring to Maven Checkstyle Plugin 2.14 or 2.15, which use Checkstyle 5.8 and 6.1.1, respectively, both of which are now ~8 years old (early 2015). The current version of the plugin is 3.2.1, which uses Checkstyle 9.3 by default (and can be configured to use more recent versions of Checkstyle, for which the most recent version is 10.8.0).

Findbugs is an abandoned project, last released in 2015. Spotbugs is its successor, so we should reconfigure to use the latter.

Neither is focused on vulnerability analysis or remediation.

This situation demonstrates the disadvantage of using a statically configured analysis tool, when a cloud- or server-based tool is generally always using the latest version.

> Do we want to switch to cloud based tools that currently allow our repo to
> be scanned.
>
> For a major new feature I may not want to send to the cloud for scanning
> until I have permission to open source this change.
>

CodeQL is open sourced at [1], while SonarQube Community Edition is open sourced at [2].

[1] https://github.com/github/codeql
[2] https://github.com/SonarSource/sonarqube

Here [3] is an article on the use of SonarQube in an Apache project (Apache Struts). Also, according to [4], 418 Apache projects are configured to use SonarCloud. See [5] for more on SonarLint, SonarQube, and SonarCloud.

[3] https://softwaremill.com/how-to-use-sonar-in-your-project/
[4] https://sonarcloud.io/organizations/apache/projects
[5] https://www.sonarsource.com/open-source-editions/
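As an added illustration (not from the thread or the project's own pom), this is what the Maven side of the proposed change looks like: maven-checkstyle-plugin moved to 3.2.1 with its bundled Checkstyle overridden to 10.8.0 via a plugin-level dependency, and the findbugs plugin replaced by spotbugs-maven-plugin. The spotbugs plugin version, the checkstyle.xml path and the build phases are placeholders/assumptions, not values from the message.

```xml
<!-- Added example pom.xml fragment; plugin versions other than 3.2.1 / 10.8.0 are placeholders. -->
<build>
  <plugins>
    <!-- Style checking: plugin 3.2.1 bundles Checkstyle 9.3; the plugin-level
         dependency below swaps in Checkstyle 10.8.0 (requires Java 11+). -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-checkstyle-plugin</artifactId>
      <version>3.2.1</version>
      <dependencies>
        <dependency>
          <groupId>com.puppycrawl.tools</groupId>
          <artifactId>checkstyle</artifactId>
          <version>10.8.0</version>
        </dependency>
      </dependencies>
      <configuration>
        <configLocation>checkstyle.xml</configLocation> <!-- assumed path -->
        <consoleOutput>true</consoleOutput>
        <failOnViolation>true</failOnViolation>
      </configuration>
      <executions>
        <execution>
          <id>checkstyle-check</id>
          <phase>validate</phase>
          <goals><goal>check</goal></goals>
        </execution>
      </executions>
    </plugin>

    <!-- Bug-pattern analysis: SpotBugs replaces the abandoned FindBugs plugin.
         Same offline, license-free model; still not a vulnerability scanner. -->
    <plugin>
      <groupId>com.github.spotbugs</groupId>
      <artifactId>spotbugs-maven-plugin</artifactId>
      <version>SPOTBUGS_PLUGIN_VERSION</version> <!-- placeholder: pick the current release -->
      <configuration>
        <effort>Max</effort>
        <threshold>Low</threshold>
        <failOnError>true</failOnError>
      </configuration>
      <executions>
        <execution>
          <id>spotbugs-check</id>
          <phase>verify</phase>
          <goals><goal>check</goal></goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Both plugins still pin a fixed analyzer version, so the staleness the message describes is only deferred: the override line is the one that has to be bumped deliberately, which is exactly the maintenance a hosted service absorbs for you.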
