As part of the development process of SonarLint for Visual Studio we regularly check a couple of open source projects, such as Roslyn, to filter out false positives and to validate our rule implementations. In this post we’ll highlight a couple of issues found recently in Roslyn project.Short-circuit logic should be used to prevent null pointer dereferences in conditionals (S1697)
This rule recognizes a few very specific patterns in your code. We don’t expect any false positives from it, so whenever it reports an issue, we know that it found a bug. Check it out for yourself; here is the link to the problem line.
When body is null, the second part of the condition will be evaluated and throw a NullReferenceException. You might think that the body of a method can’t be null, but even in syntactically correct code it is possible. For example method declarations in interfaces, abstract or partial methods, and expression bodied methods or properties all have null bodies. So why hasn’t this bug shown up yet? This code is only called in one place, on a method declaration with a body.The ternary operator should not return the same value regardless of the condition (S2758)
We’re not sure if this issue is a bug or just the result of some refactoring, but it is certainly confusing. Why would you check isStartToken if you don’t care about its content?S2930)
Lately we’ve spent some effort on removing false positives from this rule. For example, we’re not reporting on MemoryStream uses anymore, even though it is an IDisposable. SonarLint only reports on resources that should really be closed, which gives us high confidence in this rule. Three issues (, , ) are found on the Roslyn project, where a FileStream, a TcpClient, and a TcpListener are not being disposed.S3427)
Mixing method overloads and default parameter values can result in cases when the default parameter value can’t be used at all, or can only be used in conjunction with named arguments. These three cases (, , ) fall into the former category, the default parameter values can’t be used at all, so it is perfectly safe to remove them. In each case, whenever only the first two arguments are supplied, another constructor will be called. Additionally, in this special case, if you call the method like IsEquivalentTo(node: myNode), then the default parameter value is used, but if you use IsEquivalentTo(myNode), then another overload is being called. Confusing, isn’t it?S2345)
It is good practice to explicitly set a value for your [Flags] enums. It’s not strictly necessary, and your code might function correctly without it, but still, it’s better safe than sorry. If the enum has only three members, then the automatic 0, 1, 2 field initialization works correctly, but when you have more members, you most probably don’t want to use the default values. For example here FromReferencedAssembly == FromSourceModule | FromAddedModule. Is this the desired setup? If so, why not add it explicitly to avoid confusion?S3168)
As you probably know, async void methods should only be used in a very limited number of scenarios. The reason for this is that you can’t await on async void method calls. Basically, these are fire and forget methods, such as event handlers. So what happens when a test method is marked async void? Well, it depends. It depends on your test execution framework. For example NUnit 2.6.3 handles them correctly, but the newer NUnit 3.0 dropped support. Roslyn uses xUnit 2.1.0 at the moment, which does support running async void test methods, so there is no real issue with them right now. But changing the return value to Task would probably be advisable. To sum up, double check your async void methods; they might or might not work as you expect. Here are two occurrences from Roslyn (, ).
Additionally, here are some other confusing pieces of code that are marked by SonarLint. Rule S2275 (Format strings should be passed the correct number of arguments) triggers on this call, where the formatting arguments 10 and 100 are not used, because there are no placeholders for them in the format string. Finally, here are three cases (, , ) where values are bitwise OR-ed (|) with 0 (Rule S2437).
We sincerely hope you already use SonarLint daily to catch issues early. If not, you can download SonarLint from the Visual Studio Extension Gallery or install it directly from Visual Studio (Tools/Extensions and Updates). SonarLint is free and already trusted by thousands of developers, so start using it today!
Selenium Conf India is happening this June 24-26 in Bangalore, India.
Tickets, call for speakers, and sponsorship slots are now available!
The team is proud to announce the release of 5.3, another paradigm-shifting version, with the addition of significant new features, and the return of popular functionality that didn’t make it in to 5.2:
- New Project Space which puts the focus on the Quality Gate and the Leak Period
- User tokens for authenticated analysis without passwords
- New web services to facilitate a build breaker strategy
- Cross-project duplication is back!
The most striking change in this version is the replacement of the default project dashboard with a new, fixed Project space highlighting the top four data domains: technical debt, coverage, duplications, and structure (which includes both size and complexity):
Because managing technical debt introduced during the Leak Period is so crucial, this streamlined, new project home page keeps the leak period (first differential period, which is now overridable at the project level), in the forefront. Both current and differential values are shown both textually and graphically:
Each of the four domains offers a detailed sub-page, available either through the “more” links on the Project Space or the relevant project menu items:Technical Debt:
Each domain page offers the same combination of current values (in blue, with clickthroughs) and leak period changes (yellow background) found on the main page, along with detailed numeric and graphical presentations designed to help you quickly zero-in on the worst offenders in your projects.
SonarSource feels so strongly about the value of the new Project Space and the domain pages that none of them are configurable. But your old dashboards are still available under the “Dashboards” menu item.User tokens for authenticated analysis without passwords
In version 5.2, we cut the last ties between analysis and the database. Now an analysis report is submitted to the server and all database updates take place server-side. In 5.3 we take the next step down the road of enhanced analysis security with the introduction of authentication tokens.
Now an administrator can create authentication tokens for any user.
Tokens may be used in for analysis and with web services. Simply pass the token as the login, and leave the password blank.
The list of user token names (but not values!) is easily visible, and existing tokens can be revoked at any time:
Users can’t generate their own tokens yet, but that’s coming soon.New web services to facilitate a build breaker strategy
In the implementation of a Continuous Inspection strategy, many people use Continuous Integration servers, such as Jenkins, to execute their SonarQube scans, and want to show as broken a run that includes new code that breaks fails the Quality Gate. Because of time constraints, the old hooks for that were removed in 5.2 and not replaced. In 5.3. we made it a priority to close this gap, so the functionality is now available to allow you to implement a build breaker strategy.
When the client-side scanner is done, it writes out a data file with the URL to call for the server-side processing status
Once the processing is successful,
you can use the analysis id to get the quality gate status
Also under the heading of returning favorites is cross-project duplication. The changes in 5.2 required serious API updates. In turn a rewrite of cross-project duplication detection was required – another priority in 5.3
Notably, 5.3 only provides cross-project duplication detection, not the detection of duplications across modules within a project, which is planned for 5.4.That’s All, Folks!
On December 15, the Toulouse JAM was co-hosted with the Toulouse JUG and Toulouse DevOps. Indeed it made sense since Jenkins is written in Java, makes use of Groovy code in many places (system groovy script, job dsl, workflow...), and it also made sense to co-organize with the local DevOps community since Jenkins is also a great tool to enable Continuous Integration, Continuous Delivery and automation in general. There were 103 RSVPs, with 80 to 90 people in attendance.
There were 3 talks planned for the evening:
- Job DSL Intro [fr], by Ghislain Mahieux
- Workflow plugin [fr], by Michaël Pailloncy (co-maintainer of the Build Trigger Badge plugin)
- Feedback on almost 10 years of CI and what's upcoming [fr], demo with Jenkins build scaling with Docker Swarm, by Baptiste Mathus
Note: presentations have been recorded (in french). They are still being processed, and once they are posted we will update this blog.
In our last update we mentioned there will be 2 Selenium Confs in 2016 — one in India, another somewhere else (TBD).
Well, we are pleased to announce the official dates and location for Selenium Conf India!
When: June 24th & 25th, 2016
Where: Bangalore, India (at The Chancery Pavilion Hotel)
Mark you calendars! We’ll have more details as they become available (e.g., call for speakers, ticket sales, etc.). To get the latest updates, be sure to sign up for the Selenium Conf mailing list.
Thank you to Netflix for sponsoring the yummy burrito bar and offered up their brand new auditorium to host Jenkins Developers and Users Meetup group on Dec 16. We had 96 RSVPs which was impressive. Our speaker for the evening was Akshay Dayal, Software Engineer at Google. Akshay's session was about Scaling Jenkins - how and why Google decided to scale their existing Jenkins cluster (OSS) to meet their security/availability and failover requirements and how heavy automation played an important role in this effort.
The second talk was about how Google worked with Jenkins to read config data externally. Slides are listed below. The video will be posted HERE once it becomes available.
Scaling Jenkins slides can be found HERE
External Project slides can be found HERE.
Although December is a short month due to the holidays, there has been a good amount of local Jenkins activities that took place regardless of holiday obligations. Today and tomorrow I will be doing a series of posts to summarize December JAM World Tour. Special thanks to the JAM organizers and co-organizers who made it all happen in these cities:
On December 9 Lima JAM hosted their first Jenkins meetup in Lima, Peru. There were attendance from various roles of DevOps: Dev, QA, and Ops. There was also a good mixture of different levels of Jenkins users, some were new and just starting to use Jenkins while others had extensive Jenkins experience.
The group has been invited by Docker and Ansible meetup organizers for a joint event in January to showcase technologies from Jenkins, Docker, and Ansible. Congrats to Lima JAM group.
In total there were about 80 attendees at the meetup. In addition to meetup.com the event has been promoted by Yandex so we quickly reached capacity limit.
There were 3 talks conducted, speakers from Yandex, ZeroTurnaround and CloudBees. We discussed the current open-source project state, ongoing activities in the community, Jenkins-powered CD case studies from ZeroTurnaround and Jenkins plugin development approaches.
"Who is Mr. Jenkins? Current State, common usage issues and trends in the community"
"Jenkins beyond CI. ZeroTurnaround's experience"
"When to write your own plugin and when not to"
Jenkins QA Session:
As I mentioned in yesterday's post, we're planning a "Contributor Summit" on February 1st, after FOSDEM 2016 (January 30th/31st), to focus on Jenkins 2.0. Since many of us are already planning, the Monday following the event turned out to be the ideal time to discuss 2.0.
Note: If you're not already familiar with some of the key proposals that were put forth, you can review them in the Jenkins 2.0 proposals summery page.
We've hosted one or two Contributor Summits in the past, and they're usually a day-long event where we try to gather a number of Jenkins core/plugin developers and active/power users to have detailed discussions around the theme of the summit. For this "Jenkins 2.0 Contributor Summit" we do not have a complete agenda yet, but we will post that to the Meetup event once it is fully prepared in the next couple weeks.
Suffice it to say, we'll be discussing a lot!Venue and RSVP
The Contributor Summit will be hosted in a CloudBees office at: Rue des Colonies, 11, Brussels, Belgium. If you're already planning on attending FOSDEM, the office is near Grand Place and Cafe Delerium (where the Friday beer event is hosted).
The venue is of limited size, so if you're planning to join us, please RSVP to the Meetup event as soon as you're certain you will be able to attend. If you find yourself unable to attend, please remove yourself from the list to ensure that we can fit as many active contributors into the office as possible!