Code Quality reports

A useful feature for verifying code quality is a quality scan run from CI/CD in GitLab. It uses the free and open source Code Climate engines (https://codeclimate.com/), packaged in a dedicated Docker container that you can run inside your GitLab runner. The following code is an example of a .gitlab-ci.yml file that runs such a scan:

    code_quality:
      image: docker:stable
      variables:
        DOCKER_DRIVER: overlay2
      allow_failure: true
      services:
        - docker:stable-dind
      script:
        # Derive the "MAJOR-MINOR-stable" tag of the scanner image from the GitLab version
        - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
        # YAML folds the indented continuation lines into one docker command
        - docker run
            --env SOURCE_CODE="$PWD"
            --volume "$PWD":/code
            --volume /var/run/docker.sock:/var/run/docker.sock
            "registry.gitlab.com/gitlab-org/security-products/codequality:$SP_VERSION" /code
      artifacts:
        paths: [gl-code-quality-report.json]

When the job runs, the following logging is produced:

Running with gitlab-runner 11.7.0 (8bb608ff)
on test-runner 97YoGmXL
...

After downloading the Docker container, the job starts scanning the code. When the scan is complete, a report is generated and uploaded as an artifact:

Uploading artifacts...
gl-code-quality-report.json: found 1 matching files
Uploading artifacts to coordinator... ok id=403 responseStatus=201 Created token=ngLDxFmF
Job succeeded

To view the report, download the artifact using the links on the right-hand side of the job page. The following example shows a screenshot of the Job artifacts tab:

If you open the report in an editor and format the JSON, it lists the findings, ranging from warnings to high or critical issues. In the case of the eventmanager project, it found an unused variable, as follows:

    "type": "Issue",
    "check_name": "Rubocop/Lint/UnusedBlockArgument",
    "description": "Unused block argument - `letter`. If it's necessary, use `_` or `_letter` as an argument name to indicate that it won't be used.",
    "categories": [
      "Style"
    ],
    "remediation_points": 50000,
    "location": {
      "path": "addUID.rb",
      ...

Note the "remediation_points": 50000 entry, which scores the finding. The score differs per category of finding, and summing the points of all findings lets you compare the total scores of several scans, showing the progress (or decline) of overall quality.
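To illustrate the comparison described above, here is an added Ruby example (not code from the book, from GitLab or from the eventmanager project) that sums the remediation points in a gl-code-quality-report.json document, per category and in total, and computes the delta between two scans. The two report documents are constructed samples: the first finding mirrors the one in the text, the second is invented for illustration, and the "after" report is empty, as the next pipeline run in the text produces.

```ruby
require 'json'

# Constructed sample reports (not real scanner output).
BEFORE_REPORT = <<~JSON
  [
    {
      "type": "Issue",
      "check_name": "Rubocop/Lint/UnusedBlockArgument",
      "description": "Unused block argument - `letter`.",
      "categories": ["Style"],
      "remediation_points": 50000,
      "location": { "path": "addUID.rb", "lines": { "begin": 1, "end": 1 } }
    },
    {
      "type": "Issue",
      "check_name": "Rubocop/Metrics/MethodLength",
      "description": "Method has too many lines (constructed example).",
      "categories": ["Complexity"],
      "remediation_points": 250000,
      "location": { "path": "addUID.rb", "lines": { "begin": 10, "end": 40 } }
    }
  ]
JSON
AFTER_REPORT = "[]" # an empty report: nothing was found

# Sum the remediation_points of a Code Quality report, in total and per category.
# A finding with several categories is counted once in the total but in each category.
def score_report(json_text)
  issues = JSON.parse(json_text)
  per_category = Hash.new(0)
  issues.each do |issue|
    points = issue.fetch('remediation_points', 0)
    issue.fetch('categories', ['Uncategorized']).each { |c| per_category[c] += points }
  end
  total = issues.sum { |issue| issue.fetch('remediation_points', 0) }
  { issues: issues.size, total: total, by_category: per_category }
end

# Compare two scans; a negative delta means quality improved.
def compare_scans(before_json, after_json)
  before = score_report(before_json)[:total]
  after = score_report(after_json)[:total]
  { before: before, after: after, delta: after - before }
end

puts compare_scans(BEFORE_REPORT, AFTER_REPORT).inspect if __FILE__ == $PROGRAM_NAME
```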

The following is the block of code that the report refers to:

    # `letter` is the block argument the report flags as unused
    yaml_hash['attendees'].each do |letter, hash|
      p hash['name']
      p hash['email']
      p hash['attending']
      # assign a new UUID when the attendee has none yet
      p hash['guid'] = SecureRandom.uuid if p hash['guid'] == nil
    end

You can see that the first line declares a letter variable that is never used inside the loop. If we rename letter to _letter, the scan should no longer report it as a warning: unused variables are reported as a warning, and the leading underscore suppresses that warning.

After the next run of the CI pipeline, the code quality scan will show that nothing was found, and the report will be empty.

You can also use Code Quality reports in merge requests. The scan can run before the merge, and you can compare the remediation points. If there are critical findings, the job shows as failed, in red. Now that we have verified that the application is of minimum quality, we also want to verify that the app or website is OK for users. We can build review versions on which to perform manual tests. This is the subject of our next section.
