Hi all,

Thank you to everyone working on cleaning up issues reported by Sonar.

I would like to propose a few ideas/practices to make things smoother. Some of these are based on what I see most people already doing.

1. To avoid duplicate work:

* Add a comment in Sonar with the link to the Jira you filed (or found) for the issue. I think this is the single best way to make sure others will not waste time on the same thing.
* Mark the Sonar issue as confirmed.
* Assign the Sonar issue if possible. I think Sonar pre-assigned lots of issues. Anu, Bharat, Hanisha and Vivek have the most - please confirm if those assignments can be ignored/cleared.

2. To get the most bang for our buck:

* Prioritize by issue type and severity. Currently we have 28 vulnerabilities, 54 security hotspots, 130 bugs, and 2.3K code smells; by severity, 46 blocker, 263 critical, 1.1K major, 800 minor, and 226 info. I think starting at the top of both of these lists would make sense.
* Try to address several issues in the same Jira, grouping issues by type, file, severity, or anything that makes sense for you. Filing a Jira and a PR for a one-liner change is too much work for everyone involved: assignee, reviewers, CI.
* Feel free to address all issues you notice in the code you are fixing, even if missed by Sonar.

3. To make progress visible:

* Resolve issues in Sonar as "fixed" after the patch is committed. This is easier if the Jira links back to the Sonar issues (one by one or using the right filter).
* Resolve issues in Sonar as "won't fix" or "false positive" if you have reviewed them and judge that they do not need to be fixed (ever). One example of false positives: Sonar seems to miss assertions made in other methods called from test cases.

4. For ease of use:

* Use the "Bulk Change" feature in Sonar (right above the issue list) if applicable.
* Sonar has a plugin (sonarlint.org) to run the same checks locally on-the-fly in your IDE (except Vim/Emacs ;) ).

Please let me know what you think, or if you have further suggestions. Again, thanks for the progress so far, and keep it up.

:)
-Attila
