It seems like the Gradle plugin does know about ${config_loc}, which however contradicts the official documentation of the plugin. Further investigation has to be done.

Error message is (using --stacktrace):

Execution failed for task ':checkstyleMain'.
> Unable to create Root Module: config{.../checkstyle.xml}, classpath {...}
...
* Exception is:
...
Caused by: org.xml.sax.SAXException: Property ${config_loc} has not been set

After qa-eclipse-plugin's PMD version was updated, check if the PMD ruleset actually works.

Gradle enables users to use a "inheritance-alike" feature for the build.gradle file of a project. Essentially, this allows developers to provide seperated NAME.gradle files (so-called script plugins) that contain dependencies and tasks for a single topic, e.g., quality assurance.

To apply this feature, one has to use the apply from notation.

In addition with the new (Gradle 4.8) "TextResources can now be fetched from a URI" feature, we should be able to provide a so-called script plugin file for our quality assurance.

I tested this and with a small change to the SpotBugs plugin declaration and an updated version of the Gradle Wrapper (4.8), I was able to include a script plugin file based on our build.gradle.

Unfortunately, Gradle 4.8 is not yet supported by default in the Eclipse Buildship Plugin. We might be able to update the Buildship Plugin ourselves via http://download.eclipse.org/buildship/updates/e48/releases/ and use this overall awesome feature for quality assurance.

P.S. Checkstyle suppression are not possible to be outsourced via URL due to the Checkstyle implementation. Therefore, the checkstyle-suppression.xml is still required per project. This is not bad, since the suppression should be project dependent.

PMD however uses an embedded exclude/include approach in the pmd.xml file. This is a problem, since we cannot allow project dependent excludes. Is there a workaorund, such as using a further file for PMD exclude/includes?

The controversial PMD rule DataflowAnomalyAnalysis contains a check for undefined references.

This check is unnecessary, since Eclipse itself will report the error and the Java compiler will eventually fail. Additionally, it has a high false positive rate. The following example would violate the rule:

for (final String role : rolesAllowed) {
  if (requestContext.getSecurityContext().isUserInRole(role)) {
     return;
    }
}

I propose to disable the UR section of the rule as shown in this SO-post.

The Google checkstyle configuration uses allowedAbbreviationLength = 1 for the AbbreviationAsWordInName rule. I have a class CORSResponseFilter that violates this rule, since the abbreviation CORS is too long.

The rule contains a allowedAbbreviations property that can handle exceptions to this rule.

Unfortunately, Checkstyle does not does not support overriding of previously defined rules at the moment (see Checkstyle issue 2873). How should be proceed with this?

I think we should modify the Google checkstyle rules, if all contributors (at the moment only @SoerenHenning) accept the modification.

Therefore I propose to add the allowedAbbreviations property with the default values XML,URL to the Google checkstyle section.