Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Drop Sonar integration #978

Closed
jponge opened this issue Jul 5, 2022 · 4 comments · Fixed by #979
Closed

Drop Sonar integration #978

jponge opened this issue Jul 5, 2022 · 4 comments · Fixed by #979
Labels
ci/cd/build CI/CD pipeline and build
Milestone
2.0.0-milestone1

Comments

@jponge
Copy link
Member

jponge commented Jul 5, 2022

Sonar has gradually become useless in our workflows:

  • Codecov is providing us with clear insights on tests coverage, including deltas on pull-requests, and
  • RevAPI is enforcing checks and documentation of binary API incompatibilities, and
  • the current Sonar configuration gives us mostly false positives (e.g. when we use volatile) or pesky code smells (e.g. using public classes and methods with... JUnit5).

I hereby propose to pull the plug. Thoughts?

/cc @cescoffier @heubeck
@jponge jponge added the ci/cd/build CI/CD pipeline and build label Jul 5, 2022
@jponge jponge added this to the 2.0.0 milestone Jul 5, 2022
@heubeck
Copy link
Collaborator

heubeck commented Jul 5, 2022

didn't even recognize that it was there ;)

@cescoffier
Copy link
Contributor

No problem from my side. We are not using it anymore.

@jponge jponge linked a pull request Jul 6, 2022 that will close this issue
Drop Sonar #979
Merged
@m-g-sonar
Copy link

Hey @jponge, I'm Michael, a java dev' at Sonar, part of the small team working on our in-house static analyzers. In particular, my little (sub-)team and I are working on the Java Analyzer itself.

Out of curiosity, I looked at your SonarCloud project page, and from what I can see, it seems that mainly two rules caused you a lot of pain.

  • Rule S5786: JUnit5 test classes and methods should have default package visibility (2,797 issues marked as "won't fix" out of the 2,842 "won't fixed"... so ~98.5%)
  • Rule S3077: Non-primitive fields should not be "volatile" (seems to be the main troublemaker here)

I consequently have a few 2-3 questions for you, if you don't mind taking the time to answer!

  • The rule about unit test modifiers (S5786) is indeed extremely noisy for projects which just moved to junit5, or as still in mixed mode (and OK with it). It is probably a mistake to have it part of the default quality profile (we are going to discuss this internally). Did you try to disable the rule?

  • The rule about volatile fields (S3077) currently have 2 tickets open on our side (SONARJAVA-3992 and SONARJAVA-4256). Do you believe that fixing these 2 issues would have prevented some (if not all) of the False Positives (FP) you suffered from? If there is something else (the rule is just wrong, or some cases are really badly supported), could I ask you to report it in our community forum with some more details? The Java Analyzer is open source and free, and we try our best to adjust based on feedback we get! Could you help us improve it?

  • Of course, I'm not saying that you didn't face other FPs from other rules, and I'm very sorry for you. As of today, to improve the existing rules and the user experience, we highly rely on user feedback. We rarely have enough time to explore issues status on SonarCloud, for instance, on top of the fact that we don't have expertise on all projects out there. If some other rules than these 2 have been causing you problems, it would be HUGE if you could try to explain to us how and why, by again opening threads in our community. This would help a lot, and make other open source projects (including ours, at Sonar) benefit from your experience!

Thanks for your time! The java analyzer is being shipped with 600+ rules, I feel it's sad to see you leave because of a few painful and noisy rules.

Cheers,
Michael

@jponge
Copy link
Member Author

jponge commented Jul 7, 2022
edited
Loading

Hi @m-g-sonar, and thanks for reaching out.

First of all and as mentioned here and in other places our decision is mainly driven by the adoption of codecov and revapi.
Both tools provide the type of QA we need right now.

Sonar was certainly valuable before, but it gradually became useless in our workflows.
I shall also mention that it significantly increased our time in CI, so removing it makes sense from a cloud resource consumption perspective.

The rule about unit test modifiers (...)

JUnit 5 has a stylistic preference for avoiding public declarations, but raising flags is quite questionable, and as you said it shall probably not be part of the default profile.

The rule about volatile fields (...)

From what I recall it was always about not-so-obvious cases for a static analysis tool (e.g., drain-loop patterns, threading assumptions the checker cannot know about, etc).

But basically what was always super annoying is that it would raise a flag "volatile access is not thread safe" (I grossly simplified) every time we'd use a volatile.

Of course, I'm not saying that you didn't face other FPs from other rules (...)

I get that and thanks again for reaching out.

On the other hand I'm not sure this codebase is the sweet spot for Sonar unless heavily tuned, and we've come down to relying on more narrow tools.

All the best!

-- Julien

@jponge jponge modified the milestones: 2.0.0, 2.0.0-milestone1 Jul 15, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
ci/cd/build CI/CD pipeline and build
Projects
None yet
Milestone
2.0.0-milestone1
Development

Successfully merging a pull request may close this issue.

Drop Sonar smallrye/smallrye-mutiny
4 participants
@jponge @cescoffier @m-g-sonar @heubeck