| Info | ||
|---|---|---|
| ||
WP9 T2 |
...
offers a set of software review services for GÉANT development teams to make their code more robust against all kinds of threats, to increase the quality of the code or to help them be compliant with the GÉANT Software IPR policy. |
...
The prerequisite for an assessment is that the application or service is listed in the GÉANT Software Catalogue. |
| Table of Contents |
|---|
Introduction
WP9 T2 Task 2 offers four types of code software review services:
SonarQube setup assistance
Extended source code review review
Software Composition Analysis
Software Licence AnalysisAnalysis
These vary in the review, scope and granularity of the report, and usually compromise between automated analysis and manual review activities. The main differences between automated analysis and manual review are as follows:
- Automated code analysis concerns, among others, maintainability, security, and reliability as the core quality metrics as well as the analysis of software dependencies and their licences. SonarQube (SQ) tool scans the source code of the development project, identifying flaws and vulnerabilities in the source code based on internally computed software metrics and comparing the subject source code with known anti-patterns. The tool defines Quality Gates that can verify if the code meets specific requirements (such as requirements defined by Product Lifecycle Management (PLM)) and provide recommendations for the decision-makers. Mend tool performs software composition analysis identifying among other license licences and vulnerabilities of external components used by a software project.
Automated code analysis is a great feature when new code needs to be constantly and quickly scanned for many common reliability and security issues. However, it is not able to detect complex or complicated situations or side effects that could happen during runtime. - Manual expert review has the same quality objectives as automated code analysis, but it is conducted by domain experts. These Subject Matter Experts (SMEs) conduct the review in an exploratory manner, or by using pre-defined checklists. Experts review and validate the results reported by the automated code analysis and independently check the parts of code or software components that require particular attention, e.g., classes or components that are complex and play important roles in the system.
The expert code review requires significantly more effort than automated analysis, so it is performed according to the priorities defined by the requestor. A manual review takes much longer than automated analysis but gives more precision with complex code and execution structures.
| Info | ||
|---|---|---|
| ||
Task 2 SMEs are highly skilled in the following software languages: Java, C#, SQL, PHP, JavaScript and Python. |
SonarQube Setup Assistance
The service testing team helps the software development team to configure the SonarQube agent that collects and publishes relevant quality data. It allows the development teams to perform SonarQube analysis by themselves, and it is also used during the reviews the Testing Team performs to find critical sections or hotspots in the codebase.
The services This service typically consists of the following actions:
- The service testing team adds a project to the SonarQube instance provided for GÉANT and provides a basic introduction to the SDT
- The tool analyses the code in response to changes in the repository and provides the results of the analysis.
And your team gains the following benefits:
- The service testing team guides the SDT on how to interpret the results.
- The supplementary guidelines describe how to perform the review and interpret the results, which helps the development teams quickly get started and correctly interpret the results.
SonarQube setup can be implemented as a one-off activity that is based on the physical copy of software code placed in the SonarQube environment. However, we recommend and can configure the automated analysis with an additional software link (runner solution) between the code repository and SonarQube. There are descriptions of all possible options and how to set them up in Typical SonarQube Use Cases.
...
The extended source code review is a comprehensive, manual assessment review made by selected Subject Matter Experts on specific assessment requirements. An extended review can be requested for critical services, software, or software components. Usually, it aims at addressing the requirements of the PLM process, but it could also be performed on a per-request basis.
The services This service typically consists of the following actions:
- Development team requests for Source Code Review
- The development team provides access to the code repository
- The code is being analysed for programming languages language use/distribution
- Based on the gathered information, Testing Team verifies the ability to provide Subject Matter Experts and confirms if it is possible to perform code analysis
- For large/complex projects it's advised to conduct a preliminary meeting to specify code audit requirements and capabilities
...
Software Composition Analysis
The service testing team helps software development teams by setting up a project in the Software Composition Analysis (SCA) tool (the currently used tool is Mend, previously known as WhiteSource) and getting an insight into third-party libraries imported into the software project. This tool identifies third-party components used in a project and provides information about their licences and security vulnerabilities.
The services This service typically consists of the following actions:
- The service testing team adds a project to the tool instance provided for GÉANT.
- The tool produces reports describing software composition and potentially pinpointing non-conformance with established IPR and security policies.
And your team gains the following benefits:
- The risk reports , which are delivered directly to the requestor or appropriate Subject Matter Experts for further analysis, depending on the origin of the request.
- Guidelines on how to interpret the results unless the request is accompanied by a separate request for a more detailed Software Licence Analysis.
- The set-up analysis can be incorporated into continuous integration platforms such as Bamboo and GitLab.
...
- The SCA tool's licence settings are adjusted to align with the intended or actual GÉANT licensing policy, perform the software licences analysis, and help the client interpret the obtained results.
- Imprecise SCA tool-reported licences are reviewed and refined.
- The relationship between the actual (or potential) project licence and licences of dependencies is analysed.
- With a software licence in place, a check is made if its requirements, those of dependencies ' and GÉANT IPR Policy rules and recommendations are met.
...
| Tool setup | Summary report | Detailed report | |
|---|---|---|---|
SonarQube Setup Assistance | SonarQube | ||
| Extended source code review | SonarQube Custom | x | x (or issues submitted to the bug tracking system) |
Software Composition Analysis | Mend | x | |
Software Licence Analysis | Mend | xx |
Learn more
Webinars:
- Software Tests and Analysis, Licence Analysis with WhiteSource, 2022
- Software Reviews, Taking control of the code quality - Improving reviews using SonarQube, 2019
Articles:
- Software Reviews, Providing high quality services to the GÉANT community, 2020
Contact us
Contact Task 2 team to request any of the before-mentioned services.