{"id":5466,"date":"2022-02-09T22:05:10","date_gmt":"2022-02-10T06:05:10","guid":{"rendered":"https:\/\/blackcap.name\/blog\/new\/?p=5466"},"modified":"2022-02-18T10:27:13","modified_gmt":"2022-02-18T18:27:13","slug":"the-joys-not-of-sonarqube","status":"publish","type":"post","link":"https:\/\/blackcap.name\/blog\/new\/?p=5466","title":{"rendered":"The Joys (Not!) of SonarQube"},"content":{"rendered":"\n<p>Or maybe I should say, &#8220;The Joys (Not!) of SonarQube <em>As Implemented by My Employer<\/em>.&#8221;<\/p>\n\n\n\n<p>SonarQube is a code-analysis system. It analyzes computer code and enforces coding standards. If it doesn&#8217;t pass the sanity checks, builds don&#8217;t properly complete.<\/p>\n\n\n\n<p>I have nothing in general against coding standards, and I fully admit that the code I write is not 100% perfect. I also have nothing in general against tools to help uncover questionable coding practices.<\/p>\n\n\n\n<p>The problem is the automatic mandatory implementation, with it being like pulling wisdom teeth from an elephant to get any exemptions from it.<\/p>\n\n\n\n<p>Consider my recent use of a random number generator. It was in a bit of performance-sensitive code, and the random numbers were not being used for any cryptological or other security-sensitive purpose. The default (crap-quality randomizer) Java <code>ThreadLocalRandom<\/code> class was good enough, plus it had lots of convenience methods for doing things like generating a floating point number within an arbitrary range. So of course I used it.<\/p>\n\n\n\n<p>Nuh-uh, no can do! SonarQube says that&#8217;s a security violation. I start inquiring about what can be done to get an exemption, and learn that it&#8217;s such a pain I&#8217;m better off recoding. So I do that, blowing a half day in the process (I have to implement a bunch of convenience routines missing from the <code>SecureRandom<\/code> class).<\/p>\n\n\n\n<p>It&#8217;s made worse by SonarQube itself being of generally shoddy quality. Its metric for there being enough test coverage is so unreliable that a commit can pass muster on a branch, yet get failed when merged to master, <em>even when the result of the latter merge is exactly the same as what was on the branch<\/em>. That&#8217;s right: you have no idea if a merge to master will succeed or fail. Every merge might well prompt last-minute frenetic test-writing.<\/p>\n\n\n\n<p>So I decide to write a boatload more tests, just to err on the side of high test coverage and avoid triggering the wrath of SonarQube. Everything works just fine on the branch, so I merge.<\/p>\n\n\n\n<p>The build then promptly fails, because, get this, the new code has insufficient test coverage.<\/p>\n\n\n\n<p>That&#8217;s right, SonarQube is refusing to accept my test classes\u2026 because they themselves don&#8217;t have tests! Can you say &#8220;Catch-22&#8221; boys and girls?<\/p>\n\n\n\n<p>Again, this wouldn&#8217;t be so bad (it would be more humorous than anything), if SonarQube were implemented in an advisory capacity instead of a mandatory one.<\/p>\n\n\n\n<p>Actually, it&#8217;s still humorous. If they want to piss away their money on stupid policies that waste productivity, fine. I just make note of all the unnecessary busywork their policies cause and report as necessary when queried about why something takes so long. Their loss.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Or maybe I should say, &#8220;The Joys (Not!) of SonarQube As Implemented by My Employer.&#8221; SonarQube is a code-analysis system. It analyzes computer code and enforces coding standards. If it doesn&#8217;t pass the sanity checks, builds don&#8217;t properly complete. I have nothing in general against coding standards, and I fully admit that the code I [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19],"tags":[],"class_list":["post-5466","post","type-post","status-publish","format-standard","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/blackcap.name\/blog\/new\/index.php?rest_route=\/wp\/v2\/posts\/5466","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blackcap.name\/blog\/new\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blackcap.name\/blog\/new\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blackcap.name\/blog\/new\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blackcap.name\/blog\/new\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5466"}],"version-history":[{"count":5,"href":"https:\/\/blackcap.name\/blog\/new\/index.php?rest_route=\/wp\/v2\/posts\/5466\/revisions"}],"predecessor-version":[{"id":5495,"href":"https:\/\/blackcap.name\/blog\/new\/index.php?rest_route=\/wp\/v2\/posts\/5466\/revisions\/5495"}],"wp:attachment":[{"href":"https:\/\/blackcap.name\/blog\/new\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5466"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blackcap.name\/blog\/new\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5466"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blackcap.name\/blog\/new\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5466"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}