Hi.

On Wed, 7 Dec 2022 at 14:11, Alex Herbert <alex.d.herb...@gmail.com> wrote:
>
> The [rng] project was signed up to LGTM.com analysis (I presume at
> their website).

I don't recall that anything had been done on our part for the analyses
of Commons repositories to appear on their web site.

> This is now being decommissioned. The underlying
> analysis engine is CodeQL and this is migrating to direct support as a
> GitHub action.
>
> Do we want to continue with this for [rng]? There is a PR open by
> their bot to enable it [1].

They were able to provide a (nice) graphical interface without interfering
with the repository. IMHO, this offer is thus a regression.

Gilles

>
> AFAICR the analysis has never noticed any issues. We get far more
> feedback from using the sonarcloud analysis that is run by the Jenkins
> CI build [2].
>
> I compared their recommended GH workflow to the one configured for
> [lang]. It appears mostly the same. I note that both ask for write
> permission to the security events. I do not know how this fits with
> the security policy to not publicly disclose events until reviewed and
> patched, i.e. I do not know if the security tab for the GH page is
> restricted, and where event notifications will be sent. So I do not
> want to enable this without further investigation, unless someone can
> confirm what exactly the CodeQL build analysis will do if it finds
> something.
>
> Alex
>
> [1] https://github.com/apache/commons-rng/pull/119
> [2] https://sonarcloud.io/project/overview?id=commons-rng
>
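For reference, an added example of the kind of workflow under discussion, not the contents of PR 119 (which this thread does not reproduce): a minimal CodeQL workflow modelled on GitHub's starter template, with the security-events write permission Alex mentions scoped to the one job that uploads results and everything else left read-only. The branch name and the Java language setting are assumptions.

```yaml
# Added example: a minimal CodeQL workflow with explicit, job-scoped
# permissions. Modelled on GitHub's starter template, not copied from
# the PR discussed in the thread. The branch name "master" and the
# language "java" are assumptions (commons-rng is a Java project).
name: "CodeQL"

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

# Default for every job in this workflow: a read-only token.
permissions:
  contents: read

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # needed for actions/checkout
      # Needed by codeql-action/analyze to upload its SARIF results to
      # the repository's code scanning alerts (the Security tab). Who can
      # view those alerts and who is notified depends on the repository's
      # settings, which is the open question raised in the thread.
      security-events: write
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          languages: java
      - uses: github/codeql-action/autobuild@v2
      - uses: github/codeql-action/analyze@v2
```

Dropping `security-events: write` makes the analyze step fail at upload, so the permission cannot be removed without also removing the alert integration.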