LAB5 Static Verification Techniques -- Exercises

Integration and Verification Techniques (VIMIAC04)

Note: Please treat these exercises as professional work as well. For example, instead of "asdfg", use meaningful commit messages such as "Add acceleration feature" or "Fix #5" (detailed advice can be found in the How to Write a Git Commit Message and Git Style Guide posts).

Initialization

Static Analysis

The purpose of the first subtask is to perform static analysis with the Sonar tool suite on your repository.

SonarLint

SonarLint can be easily installed in major IDEs. During this lab, we use it in Visual Studio Code.

Connecting the GitHub repository to SonarCloud

In this task, you connect your own public repository to the SonarCloud cloud-based code quality platform.

With the above settings, static analysis will be run on every new commit on the CI server, and it will provide feedback about code quality.

Code Review

The purpose of the second task is to fix some of the issues found by SonarQube and then to review the changes by forming pairs and using the GitHub Pull Request Review feature. The purpose of this feature is to support efficient code review, e.g., by attaching comments to lines of code.

Fixing Issues

  1. [local] Switch to a new branch (git checkout -b <name_of_new_branch>).
  2. [local] Fix the 3 Bug issues found by SonarLint, each in a separate commit. Make sure to work on the new branch.
  3. [local] Push the modifications to the remote GitHub repository (git push).

Review

  1. [web] Form pairs. Give permissions to your repository for the other person. This can be done on the web interface of GitHub under the page Settings / Collaborators.
  2. [web] If your partner also gave permissions for you, you should receive an e-mail. Click on the View invitation link to accept.
  3. [web] Create a pull request in your own repository using the following steps.
    1. [web] Start creating the pull request (PR) on the Pull requests tab with the New pull request button.
    2. [web] The base branch should remain the default master, and for the compare branch, pick your new branch. You should see a label "Able to merge" and your previous commits. Click on Create pull request to continue.
    3. [web] On the next page you can give the details and settings for the pull request. Add a meaningful name and a short description. On the right side assign yourself (Assignees) and request a review from your partner (Reviewers).
    4. [web] Finalize the request with the Create pull request button. Your partner should receive a notification about the requested review.
    5. [web] On the Checks page of the PR you can follow that the CI build has started automatically. Once the checks finish, you can see the analysis results on the Conversation page.
  4. [web] If your partner also followed the previous steps, you should receive a notification about a pull request review. Go to the repository of your partner and find their pull request.
  5. [web] Perform the review with the following steps.
    1. [web] Go to the Files changed tab. You can see the files modified by your partner. Review the files and attach comments by clicking on lines. It is important to start adding comments by clicking on Start a review, instead of using Add single comment.
    2. [web] After finishing the review, click on Review changes in the top right corner. Write a short summary and request changes.
    3. [web] Finish the review process by clicking on Submit review.
  6. [web/local] Wait until your partner finishes reviewing your pull request. Then fix your code based on the review. The changes should still go to the new branch in one or more commits. After finishing, push the changes to the remote repository (git push).
  7. [web] Wait until your partner finishes fixing their code based on your review. Then go to the pull request of your partner to see the changes on the Files changed tab. Accept the changes by clicking Review changes and Approve.

Analyzing the Changes

  1. [web] Check on SonarCloud whether all issues were indeed fixed.
  2. [web] If you check SonarCloud, you will see that a Security issue is still pending on your code. The issue relates to the use of Random. Read and consider the What's the risk? and Assess the risk descriptions.
  3. [web] Since this code has no such security aspect, declare the use of Random as Safe, and rerun the analysis from GitHub.
  4. [web] If your partner also accepted your changes, and all the checks have passed (are green), merge your pull request (at the bottom of Conversation tab).
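To make the Safe-or-fix decision of steps 2 and 3 concrete, here is an added example (not code from the lab repository; it assumes the project is in Java, and the class and method names are illustrative) contrasting a use of Random that can be declared Safe with one that should be fixed instead:

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Added illustration, not part of the lab repository. Assumes a Java project:
// SonarCloud flags every java.util.Random usage for manual review, because the
// analyzer cannot tell what the generated value is used for.
public class RandomHotspotAssessment {

    // Case 1: simulated sensor noise for a demo. No security decision depends
    // on these values and nothing is gained by predicting them, so this is the
    // situation the lab describes: review the finding and declare it Safe.
    private static final Random NOISE = new Random();

    public static double noisyReading(double trueValue) {
        return trueValue + (NOISE.nextDouble() - 0.5) * 0.1;
    }

    // Case 2: a value that protects something, such as a session token.
    // Here predictability is the whole risk: java.util.Random has a small
    // internal state and its sequence can be reconstructed from a few outputs,
    // so the correct assessment is to fix the code with SecureRandom, not Safe.
    private static final SecureRandom TOKEN_RNG = new SecureRandom();

    public static String newSessionToken() {
        byte[] raw = new byte[32]; // 256 bits from the platform CSPRNG
        TOKEN_RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) {
        System.out.println("noisy reading: " + noisyReading(21.5));
        System.out.println("session token: " + newSessionToken());
    }
}
```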