Patroklos Papapetrou

since Aug 06, 2013

Recent posts by Patroklos Papapetrou

Hi Simon

How does this book compare to books that discuss J2EE architecture or .NET architecture?
Is it more technical, practical or theoretical?
I consider myself an architect but after reading the book's page I have to re-evaluate it

Regards
Patroklos
11 years ago
It's great to see a book dedicated to Java security guidelines. I recently took a course about Java security and I was wondering how this book categorizes the security flaws. Is it based on the OWASP Top 10 categories as described here: https://www.owasp.org/index.php/Top_10_2013-Top_10? Do you follow another categorization?
And another question. Do you provide some working examples in the book?
Thanks a lot
11 years ago
Hi

With which databases is Mondrian compatible? Can it be used with NoSQL databases as well? And if yes, which ones?

Thanks
11 years ago
Hi Mani

Rather I'd like to know of a methodology to use when using SonarQube so to use all the signals and make sensible decisions on the code base. Do you have an existing configure I can refer to or an online project like Nemo that I can look at to learn from it?


I'd suggest that you read the post about Continuous Inspection

I took a quick look at the online docs and it looks like there's a lot of Extension points that a plugin could use. Are they all explained in "SonarQube in Action"?



No, unfortunately we had time and space (pages) only for some of them. But I'm pretty sure that you'll get the general idea of how SonarQube's plugin system works and of course it will get you started faster.
It was my third plugin
The main challenge was to parse Thucydides results and show them as a SonarQube widget. In general SonarQube's API is very comprehensive and once you write your first plugin you'll see that the next will come much easier
Yes, the plugin acts just like any other SonarQube client.
As soon as you run the first analysis on a project it will be created in SonarQube
Yes Burk

You can configure for each quality profile its thresholds and you can see these alerts in the project dashboard. You can also install the build breaker plugin that breaks your CI build (let's say Jenkins) if a threshold is hit, which means you can send CI notifications when a build is broken.
Finally, developers can also subscribe to a list of notification events such as new alerts, new issues etc.

So with all the above you've got a fully automated notification mechanism when quality falls below your defined standards.
And to bless our beard, all these are covered in detail in SonarQube in Action
Indeed there's a configuration page for the Technical Debt plugin where you can modify the weight of each quality category and I totally agree that this makes the plugin interesting and valuable
There is a whole chapter in SonarQube in Action that guides developers step-by-step on how to create a SonarQube plugin from scratch.
Another good reference is SonarSource's online documentation: http://docs.codehaus.org/display/SONAR/Extension+Guide

And finally what I prefer to do (after reading SonarQube in Action's last chapter) is fork some existing plugins and see how they do it
Actually there is a plugin (created by me some time ago) that supports Thucydides (a BDD acceptance testing framework)
It's not very popular (to be honest, nor is the BDD practice as popular as others) so I haven't evolved it but it's in my plans to add some more features


And I'm really glad that I found one more supporter!!!
Exactly Burk

You can specify all analysis properties in the SonarQube Jenkins plugin as you do in sonar-runner, pom.xml or an ant script.
You can even find bugs (all blocker issues are considered as bugs) and of course broken tests since SonarQube reports not only coverage but also success, failures and errors in tests
Hi Keith
As I wrote in the book, I'd prefer to use the term Continual instead of Continuous to point out that this inspection is done constantly and is part of the development process.

To achieve this you should at least once a day run SonarQube analysis and examine its results on a daily basis. The idea is simple. Initially you define some quality thresholds. For instance you don't want critical or blocker issues introduced in newly committed code or you don't want the complexity / class to increase over 8. Then you compare (again daily) today's results with yesterday's and if something is over or under (it depends) the threshold you defined then you immediately do something to get back to the right track.

Finally as Ann said, Eclipse plugin and Issue plugin might be helpful especially for issues.
Hi Burk

Ann covered me already. What I meant is to write a book for developers that want to extend SonarQube, write plugins, use its web services etc.
SonarQube in Action actually targets all kinds of development team members: Developers, Testers, Team Leaders, Technical and non-technical managers, architects, Quality assurance guys or whoever interacts in one way or another with the project's quality.