ci: SARIF inline static analysis with early-fail lint + isolated spotbugs#1395
Closed
joaodinissf wants to merge 4 commits into
Closed
ci: SARIF inline static analysis with early-fail lint + isolated spotbugs#1395joaodinissf wants to merge 4 commits into
joaodinissf wants to merge 4 commits into
Conversation
Restructure verify.yml static analysis around early-fail + inline display:
- lint job: compile + pmd:pmd + checkstyle:checkstyle (SARIF renderers) +
pmd:cpd-check, -T 2C, --fail-never. Gates by counting the merged SARIF
(PMD/Checkstyle) + grepping cpd.xml. Goes red in minutes on a violation,
independent of the build.
- spotbugs job: compile + spotbugs:spotbugs (SARIF), -Xmx4g, own parallel
lane (the slow analysis). Same count-gate.
- maven-verify: drop the redundant checkstyle:check/pmd:*/spotbugs:check
goals (now owned by lint/spotbugs); build + tests only.
- SARIF (2.1.0) merged per tool and uploaded to Code Scanning
(permissions: security-events: write) for inline annotations on all three.
compile runs in-invocation (PMD type-resolving rules need the aux-classpath)
and full-reactor (a -pl subset false-positives). Count-gate, not :check: the
:check goals @Execute-fork a second analysis and can't emit SARIF; see
docs/ci-static-analysis-design.md. Drops the custom Python annotator.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ate) Code-verified rationale for verify.yml's shape: report-vs-check goal table (@execute fork behavior per plugin version), Maven reactor failure-flag table, why report+--fail-never+jq-count is the chosen gate, count-gate==:check fidelity + config-drift caveats, and the compile-must-be-full-reactor rule. Referenced from the PR description. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Trustworthy-measurement methodology (N=15-20 dispatch runs in a tight window, median+IQR, the observed noise floor + signal threshold, failure-latency metric, pre-flight mirror-health check). Records why the 2026-05 experiment numbers are void and why the local p2 mirror / tycho.mode=maven are not timing levers. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
1 similar comment
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
…GE, revert) Trips Checkstyle EmptyStatement, PMD SystemPrintln, SpotBugs null-deref to confirm each renders inline in Code Scanning and each gate goes red. Reverted immediately after observation. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
|
||
| /** Trips Checkstyle (EmptyStatement), PMD (SystemPrintln), SpotBugs (null deref). */ | ||
| public void trigger() { | ||
| ; // Checkstyle: EmptyStatement |
| public void trigger() { | ||
| ; // Checkstyle: EmptyStatement | ||
| final String s = null; | ||
| System.out.println(s.length()); // PMD: SystemPrintln ; SpotBugs: NP_ALWAYS_NULL |
|
|
||
| /** Trips Checkstyle (EmptyStatement), PMD (SystemPrintln), SpotBugs (null deref). */ | ||
| public void trigger() { | ||
| ; // Checkstyle: EmptyStatement |
Collaborator
Author
|
Closing in favor of #1396 — the same shape as a clean single commit (no planted-violation probe, polished description). Validation history lives here. Left by Claude at João's request. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Draft — for measurement. Reshapes static-analysis CI for fast, early PMD/Checkstyle feedback with inline SARIF display on all three tools, dropping the custom Python annotator. Pushed to read real full-reactor job times + confirm inline rendering before finalizing.
Shape (
verify.yml, 4 parallel jobs)lint—compile+pmd:pmd+checkstyle:checkstyle(SARIF) +pmd:cpd-check,-T 2C,--fail-never; gates by counting the merged SARIF (+ CPD grep). Goes red in minutes on a violation, on its own check.spotbugs—compile+spotbugs:spotbugs(SARIF),-Xmx4g, own parallel lane (the slow analysis).maven-verify— build + tests only; the redundantpmd/checkstyle/spotbugsgoals are dropped (now owned by lint/spotbugs).line-endings— unchanged.All three emit SARIF 2.1.0, merged per tool and uploaded to Code Scanning (
security-events: write) for inline annotations + the Security tab.Why count-gate, not
:checkThe
pmd:check/spotbugs:checkgoals@Execute-fork a second analysis and can't emit SARIF; run cheaply they lose the classpath and false-positive. We run each report goal once (full-reactorcompile→ correct + SARIF) and gate by counting. Full rationale, tables, and fidelity caveats:docs/ci-static-analysis-design.md.Honest framing
Optimizes feedback latency (lint red in ~minutes vs ~14), not total wall-clock (the build/spotbugs floor is ~unchanged), and increases total compute (compile runs per parallel job). Measurement protocol:
docs/ci-measurement-protocol.md— real medians TBD.Note for merge
Required checks change:
pmd+checkstyle→lint+spotbugs(keepline-endings,maven-verify). Commits are intentionally granular; will squash before merge.🤖 Generated with Claude Code