
Comments (13)

maoo commented on July 19, 2024

> @maoo hm, actually the discussion about whether or not we should expose information about security issues of the whole project should be with @pierredebelen and @gs-bracej as well, I thought we turned off Whitesource's auto-creating the Github issues for the same reason 😭
>
> Though that being said, I notice projects like dropwizard having no qualms about this, so yeah ...

You're right, but SonarCloud is what we use to check quality, not security; I know these 2 aspects are quite connected, but I think we could easily work around this by hiding (if possible) the CVE reporting on SonarCloud, and rely on WhiteSource for security-related issues/reporting.

> But, looks like I bump into another roadblock - see this pipeline
>
> Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.7.0.1746:sonar (default) on project legend-studio: You're not authorized to run analysis. Please contact the project administrator. -> [Help 1]

Mh, could be related with the renaming? I'll do some tests and let you know.

from legend-pure.

maoo commented on July 19, 2024

> @maoo @gs-bracej @pierredebelen regarding hiding CVE, I think it's a reasonable move, just that when I think about all of this: if someone really wants to take advantage of the security issues, they can peruse the PRs and it's not hard for them to figure out that, oh, the change in this PR has nothing to do with the CVE report generated, that implies the project master branch is already susceptible to an attack. I mean of course we have to be responsible for fixing up whitesource security alerts, but the mere fact that we expose Whitesource status on a PR could potentially be taken advantage of.

Or even simpler, a bad actor could just checkout the code, run WhiteSource, Snyk, Fossa, SonarCloud or any of the other 1000 free solutions that resolve CVEs for each project dependency and try exploiting them, so I agree with your statement. I also think we should treasure the lessons learned from the Equifax attack in 2017, to understand what can happen if security issues are not being acted upon.

I'll let you and the rest of the Legend team discuss if you'd like to try disabling CVE scanning on SonarCloud or not. TY.


maoo commented on July 19, 2024

> @maoo I thought it's better to create a separate thread to the conversation about sonar. I can set quality gate now, for all projects except for legend-pure, which is actually the one I need right now 😄 If you could add me to that one, it would be great!

It's fixed now, sorry.

> That aside, I think the current quality gate profile Sonar default is good enough. My concern is how should we set the new code definition, do you have any experience or advice for us about this? As of now I thought the most sensible option is previous version (see screenshot), what do you think?

Yes, agreed; this is the configuration we used in the past.

I've checked SonarCloud and it seems that all configurations are in place, although I haven't seen it in action on any PR.
Feel free to tweak the legend repo configurations on SonarCloud, and let me know if I can help.


akphi commented on July 19, 2024

@maoo I have enabled Github integration for all Legend projects, but looking at their doc, it seems to require authorizing sonarcloud for the FINOS Github organization, so we might need your help there. At the bottom of the doc is the onboarding link, I am not authorized to see this page.

btw, hate to bother you so much with the details, but could we update the name of the legend-studio project in sonarcloud to Legend Studio instead of legend-studio? Thank you so much!


maoo commented on July 19, 2024

> @maoo I have enabled Github integration for all Legend projects, but looking at their doc, it seems to require authorizing sonarcloud for the FINOS Github organization, so we might need your help there. At the bottom of the doc is the onboarding link, I am not authorized to see this page.

This was set up a while ago, below the screenshot with the config...

[Screenshot 2020-11-01 at 22:24:08: SonarCloud GitHub integration config]

> btw, hate to bother you so much with the details, but could we update the name of the legend-studio project in sonarcloud to Legend Studio instead of legend-studio? Thank you so much!

You don't bother at all, in fact, well spotted!

I believe that the issue is in the pom.xml, as I see it's missing the <name> tag, see https://github.com/finos/legend-studio/blob/master/pom.xml#L29

Could you try to add it and see if Sonar picks it up?

FYI - I just switched all Sonar projects to public, let's see if this makes the PR integration happier!


akphi commented on July 19, 2024

@maoo hm, actually the discussion about whether or not we should expose information about security issues of the whole project should be with @pierredebelen and @gs-bracej as well, I thought we turned off Whitesource's auto-creating the Github issues for the same reason 😭

Though that being said, I notice projects like dropwizard having no qualms about this, so yeah ...

But, looks like I bump into another roadblock - see this pipeline

Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.7.0.1746:sonar (default) on project legend-studio: You're not authorized to run analysis. Please contact the project administrator. -> [Help 1]


akphi commented on July 19, 2024

yep, actually, all I need is there when you set the SONAR_TOKEN @maoo, looks like I made some progress in https://github.com/finos/legend-studio/runs/1339521705?check_suite_focus=true, anyhow I'll battle with it for a bit more and let you know. Thanks!!


maoo commented on July 19, 2024

TY @akphi ! One thing re. the legend-studio name; I believe it's coming from https://github.com/finos/legend-studio/blob/master/package.json#L2 .


akphi commented on July 19, 2024

@maoo ooh, I did not see that coming ... thought the maven one is enough 😭 will give it a shot

By the way, looking at this, do we use SonarCloud or SonarQube? The error I got seems to be that I specified the wrong host.url:

mvn -Dsonar.projectKey=legend-studio -Dsonar.organization=finos -Dsonar.host.url=https://sonarcloud.io org.sonarsource.scanner.maven:sonar-maven-plugin:sonar

Error: SonarQube server [http://localhost:9000] cannot be reached

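As an added illustration, not the legend-studio project's own pom.xml, here are the parts of a Maven POM that the two problems raised in this thread touch: the `<name>` element that SonarCloud shows as the project name, and the `sonar.*` properties that point the scanner at SonarCloud rather than at its built-in default of a local SonarQube on `http://localhost:9000` (the server named in the error above). The projectKey and organization are the values from the command line above; the groupId, version and everything else are placeholders.

```xml
<!-- Added example, not the project's own pom.xml. Only the sonar.projectKey and
     sonar.organization values come from the thread; the rest are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>              <!-- placeholder -->
  <artifactId>legend-studio</artifactId>
  <version>0.0.1-SNAPSHOT</version>           <!-- placeholder -->

  <!-- Without <name>, Sonar falls back to the artifactId and shows "legend-studio". -->
  <name>Legend Studio</name>

  <properties>
    <!-- If sonar.host.url is omitted the scanner assumes a local SonarQube at
         http://localhost:9000, which is exactly the "cannot be reached" error above. -->
    <sonar.host.url>https://sonarcloud.io</sonar.host.url>
    <sonar.organization>finos</sonar.organization>
    <sonar.projectKey>legend-studio</sonar.projectKey>
  </properties>
</project>
```

The authentication token is deliberately absent from the POM: it should stay in a CI secret and reach the scanner only through the environment (the `SONAR_TOKEN` variable mentioned later in this thread), so the credential never lands in the repository. With these properties committed, the invocation shrinks to `mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar` and the `-D` flags from the command above become unnecessary.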

akphi commented on July 19, 2024

@maoo ok! I think I got it finos/legend-studio#29 🚀
Turns out I have to allow anyone to be able to execute analysis (see my screenshot from the SonarCloud project permission config below), do you think that makes sense?

[Screen Shot 2020-11-01 at 6:48:48 PM: SonarCloud project permission config]


akphi commented on July 19, 2024

@maoo @gs-bracej @pierredebelen regarding hiding CVE, I think it's a reasonable move, just that when I think about all of this: if someone really wants to take advantage of the security issues, they can peruse the PRs and it's not hard for them to figure out that, oh, the change in this PR has nothing to do with the CVE report generated, that implies the project master branch is already susceptible to an attack. I mean of course we have to be responsible for fixing up whitesource security alerts, but the mere fact that we expose Whitesource status on a PR could potentially be taken advantage of.


akphi commented on July 19, 2024

Thanks @maoo, that's a fair point


akphi commented on July 19, 2024

I have lost some context on this one and the conversation goes to CVE scanning on SonarCloud. I think we will keep using Whitesource for CVE.

We still haven't been able to turn on Github integration for SonarCloud. But I think we lost the motivation somewhat, given the long time and no one was talking about this. Should we come around to this discussion one day, the following are some good links:

https://sonarcloud.io/github
https://community.sonarsource.com/t/checks-tab-remains-empty-in-github-pull-request/40319
https://community.sonarsource.com/t/pr-analysis-results-are-now-displayed-in-the-checks-tab-of-pull-requests-in-github/5870

