You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In many cases, the analyzers for package managers rely on best practices being applied to the build system and dependency management in order to get proper results. But sometimes work-arounds are in place to not completely fail on commonly made mistakes, like e.g. the omission of the scm: prefix for Maven <connection> tags.
So in a way the analyzer implicitly checks for "build system best practices" as it would otherwise fail or log warnings / errors. However, this is implemented inconsistently currently. To harmonize this and to make this check explicit, goals would be to
always get as much information as possible from a build, without cancelling analysis on the first occurrence of an error (like invalid data in a definition file).
Consequently create analyzer issues about all findings instead of silently ignoring them or just logging to the console.
Doing so would add more value to the analyzer for users that are also interested in code quality (at least in their own projects) in addition to license and security compliance.
The text was updated successfully, but these errors were encountered:
sschuberth
changed the title
Develop the analyzer more consequently into a "build system best practices advisor"
Develop the analyzer more consequently into a "build system best practices checker"
Dec 6, 2024
In many cases, the analyzers for package managers rely on best practices being applied to the build system and dependency management in order to get proper results. But sometimes work-arounds are in place to not completely fail on commonly made mistakes, like e.g. the omission of the
scm:
prefix for Maven<connection>
tags.So in a way the analyzer implicitly checks for "build system best practices" as it would otherwise fail or log warnings / errors. However, this is implemented inconsistently currently. To harmonize this and to make this check explicit, goals would be to
Doing so would add more value to the analyzer for users that are also interested in code quality (at least in their own projects) in addition to license and security compliance.
The text was updated successfully, but these errors were encountered: