Note: Please treat these exercises also as
professional work. For example, instead of "asdfg" use more
meaningful commit messages like "Add acceleration feature" or
"Fix #5" (you can find detailed advice in the How to Write a Git
Commit Message and the Git Style Guide
posts).
Initialization
- You should continue with your GitHub repository from the
previous lab by creating a local clone. If you did not
participate in the previous lab, then you have to complete that lab
first.
- In the second part of the lab, you will have to work in pairs (e.g.,
with someone you know, or you can search in Lab 5 Teams
channel).
Static Analysis
The purpose of the first subtask is to perform static analysis with
the Sonar tool suite on your
repository.
- SonarLint is an IDE
extension, which runs the static analyzer during writing source code,
and gives immediate feedback about code quality.
- SonarCloud is a code quality
management platform, supporting more than 20 programming languages
(including Java, C, C++, C#). It can check coding conventions,
duplicated code, test coverage, code complexity, potential bugs and
vulnerabilities. It stores the results of previous analyses in the
cloud, making it possible to produce reports and evolution graphs. It is
free for public GitHub repositories.
- SonarQube is
an on-premise version of the code quality platform. We will not use it
during this lab.
SonarLint
SonarLint can be easily installed in major IDEs. During this lab, we
use it in Visual Studio
Code.
- Check in Visual Studio Code in the Extensions tab from the
left bar that the SonarLint is installed.
- If not, install the SonarLint extension into Visual Studio Code (see
here). Restart Code
IDE.
- Open your own local
ivt-lab
folder.
- Open one of the Java files to start the Java extension, which builds
your project in the background. If everything goes well, then you can
see the build results and warnings in the View /
Problems window.
- Select SonarLint in the Output window from the drop-down
list on the right to view its logs. You can check which files are
currently analyzed.
- Open the
TorpedoStore.java
file. SonarLint will find
three errors. Inspect them, but do not correct them yet.
- If you move the mouse pointer over the error in the code, then you
can read a short description of the identified problem. If you select
the source line with the problem and click on the light bulb at the
beginning of the line, then by clicking Open description of
SonarLint rule ... the details of the analysis rule is presented.
For every rule, there is a short description and valid and invalid
examples.
- Inspect every error and every corresponding rule. Has the static
analysis tool identified a valid problem (true positive)?
- Finally, you can browse all active rules in the Rules block
of SonarLint in the left bar. Check out a few rules to get an
idea about what can be checked with static analysis.
Connecting the
GitHub repository to SonarCloud
In this task, you connect your own public repository to the
SonarCloud cloud-based code quality platform.
- Open the SonarCloud page, click
on Log in. Select GitHub from the login options and sign in
with your GitHub account.
- Inspect what privileges are requested by SonarCloud, then authorize
SonarCloud.
- On the Welcome to SonarCloud page in the top right corner
there is a
+
sign next to your profile picture. Open it,
and the click on the Create new organization link. From the
list choose your own personal organization belonging to your account,
and install the SonarCloud integration.
- You will be taken back to SonarCloud to finish creating the
organization. Choose the Free plan option.
- Click on the Analyze new project link from the home screen,
and choose the
ivt-lab
repository.
- If the Set up project for Clean as You Code question pops
up, choose Previous version.
- On the next page choose Main Branch from the left menu bar
to see the result of an automatic analysis. This new feature of
SonarCloud gives limited result, so we will not use it during this
lab.
- Click on the Setup CI-based analysis button (if it is
missing: Administration from the left menu bar, then
Analysis Method), and from the possible analysis methods choose
the Analyze with a GitHub Action option. Choose Maven
from the next screen, and disable the automatic analysis.
- Follow the instructions on the page and add the 2
sonar.*
properties to the pom.xml
file, add
the SONAR_TOKEN
secret on the Secrets tab of your
own GitHub repository, and extend the Github Actions YAML file with the
SonarCloud specific steps (mind the indentation).
- Hint: to compare the suggested and our current YAML files, copy the
suggested YAML config to a New Text File, then View /
Command Palette / Compare Active File With... our own YAML
file.
- Commit your changes and check the new GitHub Actions build. If it is
successful, then you will see the results on the SonarCloud dashboard
shortly.
- You can access the analysis results of the main branch or pull
requests later on the left menu bar. Choose Main Branch for now.
- Open the result of the analysis, and get to know the SonarCloud
interface:
- Summary: overview of the results and the most important
metrics
- Issues: details about each issue with the corresponding
source lines and analysis rule.
- Measures: details about the metrics presented on the
summary page
- Code: you can browse the full codebase
- Activity: you can check each run of the tool and the
analysis trends
- More information can be found in the documentation.
- If everything is OK so far, then go to SonarCloud's
Activity page, and you should see the new execution.
With the above settings, static analysis will be run on every new
commit on the CI server, and it will provide feedback about code
quality.
Code Review
The purpose of the second task is to fix some of the issues found by
SonarQube and then to review the changes by forming pairs and using the
GitHub
Pull Request Review feature. The purpose of this feature is to
support efficient code review, e.g., by attaching comments to lines of
code.
Fixing Issues
- [local] Switch to a new branch
(
git checkout -b <name_of_new_branch>
).
- [local] Fix the 3 Bug issues found by SonarLint,
each in a separate commit. Make sure to work on the new branch.
- [local] Push the modifications to the remote GitHub
repository (
git push
).
- Note, that the new branch does not have a corresponding remote
branch. Therefore the push must be executed in the following form:
git push --set-upstream origin <name_of_new_branch>
.
Review
- [web] Form pairs. Give permissions to your
repository for the other person. This can be done on the web interface
of GitHub under the page Settings /
Collaborators.
- [web] If your partner also gave permissions for
you, you should receive an e-mail. Click on the View invitation
link to accept.
- [web] Create a pull request in
your own repository using the following steps.
- [web] Start creating the pull request (PR) on the
Pull requests tab with the New pull request
button.
- [web] The base branch should remain the
default master, and for the compare branch, pick your
new branch. You should see a label "Able to merge" and your
previous commits. Click on Create pull request to
continue.
- [web] On the next page you can give the details and
settings for the pull request. Add a meaningful name and a short
description. On the right side assign yourself
(Assignees) and request a review from your
partner (Reviewers).
- [web] Finalize the request with the Create pull
request button. Your partner should receive a notification about
the requested review.
- On the Checks page of the PR you can follow that the CI
build has started automatically. Once they finish, you can check the
analysis results on the Conversation page.
- [web] If your partner also followed the previous
steps, you should receive a notification about a pull request review. Go
to the repository of your partner and find
their pull request.
- [web] Perform the review with the following steps.
- [web] Go to the Files changed tab. You can
see the files modified by your partner. Review the files and attach
comments by clicking on lines. It is important to start adding comments
by clicking on Start a review, instead of using Add single
comment.
- [web] After finishing the review, click on
Review changes in the top right corner. Write a short summary
and request changes.
- [web] Finish the review process by clicking on
Submit review.
- [web/local] Wait until your partner finishes
reviewing your pull request. Then fix your code based
on the review. The changes should still go to the new branch in one or
more commits. After finishing, push the changes to the remote repository
(
git push
).
- [web] Wait until your partner finishes fixing their
code based on your review. Then goo to the pull request of your
partner to see the changes on the Files changed tab.
Accept the changes by clicking Review changes and
Approve.
Analyzing the Changes
- [web] Check on SonarCloud whether all issues were
indeed fixed.
- [web] If you check SonarCloud, you will see that
there is a pending Security issue with your code. The issue
relates to the use of
Random
. Read and
consider the What's the risk? and Assess the
risk descriptions.
- [web] Since this code does not have such security
aspect, declare the use of
Random
Safe, and rerun
the analysis from GitHub.
- [web] If your partner also accepted your changes,
and all the checks have passed (are green), merge
your pull request (at the bottom of
Conversation tab).