SonarQube in Action

SonarQube in Action
G. Ann Campbell and Patroklos P. Papapetrou
Foreword by Olivier Gaudin
Manning, Shelter Island

For online information and ordering of this and other Manning books, please visit www.manning.com. The publisher offers discounts on this book when ordered in quantity. For more information, please contact Special Sales Department, Manning Publications Co., 20 Baldwin Road, PO Box 761, Shelter Island, NY 11964. Email: [email protected]

©2014 by Manning Publications Co. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by means electronic, mechanical, photocopying, or otherwise, without prior written permission of the publisher.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in the book, and Manning Publications was aware of a trademark claim, the designations have been printed in initial caps or all caps.

Recognizing the importance of preserving what has been written, it is Manning's policy to have the books we publish printed on acid-free paper, and we exert our best efforts to that end. Recognizing also our responsibility to conserve the resources of our planet, Manning books are printed on paper that is at least 15 percent recycled and processed without the use of elemental chlorine.

Manning Publications Co., 20 Baldwin Road, PO Box 261, Shelter Island, NY 11964
Development editor: Susanna Kline
Copyeditor: Tiffany Taylor
Proofreader: Toma Mulligan
Typesetter: Dottie Marsico
Cover designer: Marija Tudor
ISBN 9781617290954
Printed in the United States of America
1 2 3 4 5 6 7 8 9 10 – EBM – 18 17 16 15 14 13

To the software architects, programmers, testers, project managers, executives, and end users of every piece of software ever written. We hope this book will make your lives easier.

Brief contents

Part 1: What the numbers are telling you
  1 An introduction to SonarQube
  2 Issues and coding standards
  3 Ensuring that your code is doing things right
  4 Working with duplicate code
  5 Optimizing source code documentation
  6 Keeping your source code files elegant
  7 Improving your application design

Part 2: Settling in with SonarQube
  8 Planning a strategy and expanding your insight
  9 Continuous Inspection with SonarQube
  10 Letting SonarQube drive code reviews
  11 IDE integration

Part 3: Administering and extending
  12 Security: users, groups, and roles
  13 Rule profile administration
  14 Making SonarQube fit your needs
  15 Managing your projects
  16 Writing your own plugin

Contents

foreword
preface
acknowledgments
about this book
about the cover illustration

Part 1: What the numbers are telling you

1 An introduction to SonarQube
  1.1 Why SonarQube
      Proven technologies ■ Multilingual: SonarQube speaks your language
  1.2 Running your first analysis
      Installation considerations ■ Analyzing with SonarQube Runner ■ Analyzing multilanguage projects ■ Seeing the output: SonarQube's front page ■ Drilling in: the dashboard
  1.3 Seven Axes of Quality
      Potential bugs and coding rules ■ Tests ■ Comments and duplications ■ Architecture and design ■ Complexity
  1.4 The languages SonarQube covers
  1.5 Interface conventions
      Hierarchy: packages and classes in a metric drilldown ■ File details ■ Trend arrows
  1.6 Related plugins
      Technical debt ■ Views
  1.7 Summary

2 Issues and coding standards
  2.1 Looking at your issues
  2.2 What issues mean, and why they're potential problems
      Bugs ■ Potential bugs ■ Indications of (potential) programmer error ■ Things that may lead to future programmer error ■ Inefficiencies ■ Style inconsistencies (future productivity obstacles)
  2.3 Where do issues come from?
      Picking a rule profile ■ Viewing profiles and changing the default
  2.4 Related plugins
      SCM Activity
  2.5 Summary

3 Ensuring that your code is doing things right
  3.1 Knowing how much of your code is doing things right
      Understanding unit-test metrics ■ Getting reports on unit-test coverage metrics
  3.2 Explaining metrics on a file level
      Hunting source code lines with low coverage ■ Finding problems in your unit tests
  3.3 Configuring your favorite code-coverage tool
      Changing the default selection
  3.4 Integration testing
      Displaying integration testing coverage on the dashboard ■ Getting IT information in the source code Coverage tab
  3.5 Related plugins
  3.6 Summary

4 Working with duplicate code
  4.1 The hidden cost of duplicate code
  4.2 Identifying duplications
      Finding your first duplication ■ Finding duplications on a larger scale ■ SonarQube's duplication metrics ■ Drilling in: from the duplications widget to the Duplications tab
  4.3 Realizing the impact of code duplication
      The DRY principle: minimizing and eliminating duplications ■ Duplications vs. size and complexity
  4.4 Finding duplications across multiple projects
      Turning on cross-project duplication detection ■ Cross-project duplications in source code tab
  4.5 Cleaning up your duplications
      Introduction to refactoring patterns ■ Applying patterns to remove code duplication ■ Time for a new commons library?
  4.6 Related plugins
  4.7 Summary

5 Optimizing source code documentation
  5.1 To document or not?
  5.2 Even commenting has its own metrics
      How SonarQube calculates metrics ■ What the numbers are telling you
  5.3 Identifying undocumented code
      Finding files to improve documentation ■ Viewing the generic tab in the source code viewer
  5.4 Simplifying your documentation strategy
      Picking a documentation tool ■ Defining a straightforward process
  5.5 Related plugins
      Widget Lab ■ Doxygen
  5.6 Summary

6 Keeping your source code files elegant
  6.1 Keeping complexity low
      Hunting those huge files ■ Complexity: what it looks like and how to fix it
  6.2 Lack of Cohesion of Methods: files that do too much
      Getting reports about the LCOM metric ■ Counting responsibilities ■ Refactoring for fewer responsibilities
  6.3 RFC and couplings: classes with too many friends
      Response for Class ■ Couplings
  6.4 Summary

7 Improving your application design
  7.1 Layering your code
      Looking at dashboard widgets ■ Understanding cycles and unwanted dependencies ■ Moving from project to package level
  7.2 Discovering dependencies and eliminating cycles
      Navigating the Dependency Structure Matrix ■ How the DSM works ■ Identifying cycles ■ Library management for Mavenites ■ Browsing the library-dependency tree ■ Who uses this library
  7.3 Defining your architectural rule set
  7.4 Summary

Part 2: Settling in with SonarQube

8 Planning a strategy and expanding your insight
  8.1 Planning your strategy
      Picking a metric ■ Holding your ground ■ Moving the goal posts ■ Boy Scout approach: leave the class better than you found it ■ SonarQube time: worst first ■ Re-architect ■ The end game
  8.2 History and trending
      Time Machine ■ Events and database cleanup
  8.3 Everything's a component
      Project component view ■ No package history
  8.4 Related plugins
      Tab Metrics ■ Widget Lab
  8.5 Summary

9 Continuous Inspection with SonarQube
  9.1 Introducing Continuous Inspection
      What and how? ■ Life before and after Continuous Inspection ■ The big picture
  9.2 Triggering your analysis with CI
      Jenkins setup ■ Other CI systems ■ Best practices
  9.3 Monitoring quality evolution
      Exploring differential views in the project dashboard ■ Differential views in the issues drilldown ■ Differential views in the source code viewer ■ Choosing differential periods ■ The Compare service
  9.4 Related plugins
      Cutoff ■ Build Breaker
  9.5 Summary

10 Letting SonarQube drive code reviews
  10.1 Reviewing code in SonarQube
      Issues: a starting point ■ Confirm, comment, and assign: the simplest workflow options ■ False positives: sometimes SonarQube gets it wrong ■ Changing severity: not every issue is that bad ■ Altering the code to make SonarQube turn a blind eye ■ Viewing the audit trail
  10.2 Creating manual issues: when the rules aren't enough
      Why you would want extra issues ■ Making manual issues
  10.3 Tracking issues
      Life cycle of an issue ■ Tracking squashed issues ■ Searching issues
  10.4 Planning your work with SonarQube's action plans
      Why bother with action plans? ■ Managing action plans ■ Using action
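Section 1.2 of the contents lists "Analyzing with SonarQube Runner", the command-line analyzer the book uses for a first analysis. The Runner reads a sonar-project.properties file from the project root. The file below is an added example, not taken from the book; the project key, name and source directory are assumed values for an imaginary Java project, and the comments note which settings a practitioner should keep out of version control.

```properties
# sonar-project.properties (added example, not from the book)
# Placed in the project root; run `sonar-runner` from that directory.

# Identity of the project on the SonarQube server (assumed values).
sonar.projectKey=com.example:inventory-service
sonar.projectName=Inventory Service
sonar.projectVersion=1.0

# Where the analyzer finds source files, relative to this file.
sonar.sources=src/main/java
sonar.sourceEncoding=UTF-8

# Single-language project; multilanguage projects are covered in 1.2
# and drop this line.
sonar.language=java

# Server location and credentials do not belong in the repository.
# Put sonar.host.url in the Runner's own conf/sonar-runner.properties,
# or pass it on the command line (-Dsonar.host.url=...), and supply
# any login credentials from the CI system's secret store rather than
# committing them alongside the code.
```

Keeping the server URL and credentials outside the project file matters once the analysis is triggered from CI (chapter 9): the repository is read by everyone who can clone it, while a Runner configuration file or a CI secret is scoped to the build agent.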
Recommended publications
  • NetworkX Tutorial
  • GlassFish Community Lightning Talks
  • NetworkX: Network Analysis with Python
  • Command Line Interface (Squore 21.0.2)
  • Graph Database Fundamental Services
  • Avatud Lähtekoodiga Vahendite Kohandamine Microsoft Visual C++ Tarkvaralahenduste Kvaliteedi Analüüsiks SonarQube Serveris (Adapting open-source tools for quality analysis of Microsoft Visual C++ software solutions on a SonarQube server)
  • Gephi: Tools for Network Analysis and Visualization
  • IBM Rational Team Concert V4.0.3 Keeps Development Teams Focused
  • The Vision of Software Clone Management: Past, Present, and Future (Keynote Paper)
  • Write Your Own Rules and Enforce Them Continuously
  • Empirical Study of Vulnerability Scanning Tools for JavaScript (Work in Progress)
  • Enabling DevOps on Premise or Cloud with Jenkins