In this article we'll look at the main features of SonarQube, a platform for continuous analysis and measurement of code quality, and discuss the advantages of evaluating code quality on the basis of the SonarQube metrics.

SonarQube is an open-source platform designed for continuous analysis and measurement of code quality. SonarQube provides the following capabilities:

- Support for Java, C, C++, C#, Objective-C, Swift, PHP, JavaScript, Python and other languages.
- Reports on code duplication, compliance with coding standards, unit test coverage, possible errors in the code, comment density, technical debt and much more.
- It saves the history of the metrics and builds charts of how they change over time.
- It provides fully automated analysis: it integrates with Maven, Ant, Gradle and common continuous integration systems.
- It integrates with IDEs such as Visual Studio, IntelliJ IDEA and Eclipse through the SonarLint plugin.
- It integrates with external tools such as JIRA, Mantis, LDAP, Fortify and so on.
- You can extend the existing functionality with third-party plugins.
- It implements the SQALE methodology to evaluate technical debt.

The SonarQube quality model implements the SQALE methodology (Software Quality Assessment based on Lifecycle Expectations) with certain improvements. As is well known, the SQALE methodology focuses mainly on the cost of maintaining the code and does not take project risks into account.

For example, if a critical security problem is detected in a project, strictly following the SQALE methodology requires you to first address all the existing reliability, changeability, testability and other issues, and only then return to the new critical problem. In practice it is far more important to focus on fixing the new bugs when the potential problems have been living in the code for a long time without any user bug reports.

Taking that into account, the SonarQube developers have modified the SQALE-based quality model to focus on the following important points:

- The quality model should be as simple as possible
- Bugs and vulnerabilities should not get lost among the maintainability issues
- Serious bugs and security vulnerabilities in the project should cause the Quality Gate to fail
- Maintainability issues in the code are important too and cannot be ignored
- Estimating the remediation cost (using the SQALE analysis model) is important and should be carried out

The standard SonarQube Quality Gate uses the following metric values to decide whether the code has passed the checks:

- 0 new bugs
- 0 new vulnerabilities
- technical debt ratio on new code <= 5%
- coverage on new code of at least 80%

The Sonar team has defined 7 deadly sins of developers that increase technical debt:

- Bugs and potential bugs
- Violation of coding standards
- Code duplication
- Insufficient unit tests coverage
- Poor distribution of complexity
- Spaghetti design
- Too few or too many comments

The SonarQube platform is designed to help fight these sins.

Let's have a look at the main features of SonarQube in more detail.
Kate Milovidova 16 november 2016, 12:13


One of the main problems with C++ is the huge number of constructions whose behavior is undefined, or is simply unexpected for a programmer. We often come across them when running our static analyzer on various projects. But, as we all know, the best thing is to detect errors at the compilation stage. Let's see which techniques in modern C++ help write code that is not only simple and clear but also safer and more reliable.
What is Modern C++?

The term Modern C++ became very popular after the release of C++11. What does it mean? First of all, Modern C++ is a set of patterns and idioms that are designed to eliminate the downsides of good old "C with classes", that so many C++ programmers are used to, especially if they started programming in C. C++11 looks way more concise and understandable, which is very important.
Kate Milovidova 15 september 2016, 11:44

The PVS-Studio team has written an interesting article about the ways you might shoot yourself in the foot when working with serialization, with code examples, the main pitfalls, and how a static code analyzer can help you avoid getting into trouble.

This article will be especially useful to those who are only starting to familiarize themselves with the serialization mechanism. More experienced programmers may also learn something interesting, or just be reassured that even professionals make mistakes.

However, it is assumed that the reader is already somewhat familiar with the serialization mechanism.

Note that the statements in the article apply to some serializers, for example BinaryFormatter and SoapFormatter; for others, such as hand-written serializers, the behavior can differ. For example, the absence of the [Serializable] attribute on a class may not prevent a custom serializer from serializing and deserializing it.

Briefly summarizing all the information, we can formulate several tips and rules:

- Annotate the types implementing the ISerializable interface with the [Serializable] attribute.
- Make sure that all members of the types annotated with the [Serializable] attribute get correctly serialized.
- When implementing the ISerializable interface, don't forget to implement the serialization constructor (Ctor(SerializationInfo, StreamingContext)).
- In sealed types, make the serialization constructor private; in unsealed types, make it protected.
- In unsealed types implementing the ISerializable interface, make the GetObjectData method virtual.
- Check that GetObjectData serializes all the necessary members, including members of the base class, if there are any.

We hope you will learn something new from this article and become an expert in the sphere of serialization. Sticking to the rules and following the tips given above will save you time debugging the program and make life easier for yourself and for other developers working with your classes. The PVS-Studio analyzer will also be of great help, allowing you to detect such errors right after they appear in your code.

The full article is available at: http://www.viva64.com/en/b/0409/
Kate Milovidova 5 july 2016, 7:57

Roslyn is a platform which provides the developer with powerful tools to parse and analyze code. It's not enough just to have these tools, you should also understand what they are needed for.

The article can be divided into 2 logical parts:

  1. General information about Roslyn: an overview of the tools Roslyn provides for parsing and analyzing code, with a description of the entities and interfaces from the point of view of a static analyzer developer.
  2. Peculiarities to take into account when developing static analyzers: how to use Roslyn to develop products of this class, what to consider when developing diagnostic rules, how to write them, and an example diagnostic.

This article is intended to answer these questions. You will also find details about the development of a static analyzer that uses the Roslyn API.

More: Introduction to Roslyn and its use in program development
Kate Milovidova 19 may 2016, 12:59

Now everyone can post their articles! Just register and push "add".
You're welcome ;)
Tags: articles
kleop 4 april 2016, 15:52

There are 3 types of lies: Lies, damned lies, and statistics
Statistics, infographics, data analysis and data science – who isn't doing it these days? Everyone knows how to do it right; what's left is for someone to write about how you SHOULDN'T do it. In this article we'll try to fix that.

(Hazen Robert "Curve fitting". 1978, Science.)

Article structure:
  1. Lead
  2. Sampling Bias
  3. Well-chosen average
  4. 10 more failed experiments of which we haven’t written yet
  5. Playing with scale
  6. Selecting 100%
  7. Hiding main numbers
  8. Visual metaphor
  9. Example of qualitative visualization
  10. Conclusion and what to read next
KlauS 30 june 2014, 14:35

You are so lucky to be a programmer. I would like to be a programmer.
- Why don't you learn?
- I already tried. I checked out Codecademy and other websites, but it's not for me.
- Yep, programming is not really for everyone.
- You are well paid, and you can create different things. Almost every day you get some crazy offer of at least 100 thousand dollars.
- Yep, honestly it's very flattering and a little mind-blowing.
- You get your share in the company, and you know that software engineers are always respected. You can implement any idea in an app and get rich. Moreover, you don't need to hire anyone for this.
- Actually, programming makes me miserable.
- Wow. What do you mean by that?
- To be a good programmer, I need to develop a special mindset, and that makes me sad. I have noticed this in other programmers; of course not all, but many.
- What is this mindset?
- It is a concentration on strengths rather than on weaknesses.
- Why do you need this to become a good coder?
- I work like this:
KlauS 28 may 2014, 15:11


Do you remember this movie? What is it doing here? Why the hell is there such a post on Kukuruku at all?
I guess because I think that the main piece of IT is the human, or rather our brain. I'll tell you about another way of using your brain a bit more effectively. Everything described here has been tried out on me, and I'll point it out if I haven't tried something myself. I didn't use any drugs or devices; only popular methods have been used. And yes, it's devastatingly realistic. Having tried it once, you'll never resist telling others about it.
KlauS 27 may 2014, 9:48

GPGPU technology has stimulated the appearance of several GPU renderers on the market, including iRay, V-Ray RT, Octane, and Arion. But the open-source community has made available at least two free GPU renderers: SmallLuxGPU and Cycles Render. I want to share my impressions of the second one.

Cycles Render is an unbiased renderer with the ability to render on the GPU (CUDA, and OpenCL for ATI). It ships in the box with Blender, which runs on Windows, Linux, and OS X.
Cycles Render: a car with a procedural texture; the FullHD frame was prepared in 2 minutes on a GTX580.
Pirat 22 may 2014, 15:38

Since the days of the Gold Rush, little has changed in how people rate high-risk enterprises. Half a century later, the epicenter of the Silicon Rush is still in the same California.
The photos show San Francisco in the 19th century and today.
Pirat 18 february 2014, 21:37