Introducing the codehealth pipeline beta
A new tool to help with code review and software engineering

After many months of discussion, work and consultation across teams and departments[0], and with much gratitude and appreciation to the hard work and patience of @thcipriani and @hashar, the Code-Health-Metrics group is pleased to announce the introduction of the code health pipeline. The pipeline is currently in beta and enabled for GrowthExperiments, soon to be followed by Notifications, PageCuration, and StructuredDiscussions. (If you'd like to enable the pipeline for an extension you maintain or contribute to, please reach out to us via the comments on this post.)

What are we trying to do?

The Code-Health-Metrics group has been working to define a set of common code health metrics. Our current understanding of code health factors are: simplicity, readability, testability, buildability. Beyond analyzing a given patch set for these factors, we also want to have a historical view of code as it evolves over time. We want to be able to see which areas of code lack test coverage, where refactoring a class due to excessive complexity might be called for, and where possible bugs exist.

After talking through some options, we settled on a proof-of-concept to integrate Wikimedia's gerrit patch sets with SonarQube as the hub for analyzing and displaying metrics on our code[1]. SonarQube is a Java project that analyzes code according to a set of a rules. SonarQube has a concept of a "Quality Gate", which can be defined organization wide or overridden on a per-project basis. The default Quality Gate says that of code added in a patch set, over 80% of it must be covered by tests, less than 3% of it may contain duplicated lines of code, and the maintainability, reliability and security ratings should be graded as an A. If code passes these criteria then we say it has passed the quality gate, otherwise it has failed.

Here's an example of a patch that failed the quality gate:

screenshot of sonarqube quality gate

If you click through to the report, you can see that it failed because the patch introduced an unused local variable (code smell), so the maintainability score for that patch was graded as a C.

How does it integrate with gerrit?

For projects that have been opted in to the code health pipeline, submitting a new patch or commenting with "check codehealth" will result in the following actions:

  1. The mwext-codehealth-patch job checks out the patchset and installs MediaWiki
  2. PHPUnit is run and a code coverage report is generated
  3. npm test:unit is run which may generate a code coverage report if the package.json file is configured to do so
  4. sonar-scanner binary runs which sends 1) the code, 2) PHP code coverage, and 3) the JavaScript code coverage to Sonar
  5. After Sonar is done analyzing the code and coverage reports, the pipeline reports if the quality gate passed or failed. The outcome does not prevent merge in case of failure.

pipeline screenshot

If you click the link, you'll be able to view the analysis in SonarQube. From there you can also view the code of a project and see which lines are covered by tests, which lines have issues, etc.

Also, when a patch merges, the mwext-codehealth-master-non-voting job executes which will update the default view of a project in SonarQube with the latest code coverage and code metrics.[3]

What's next?

We would like to enable the code health pipeline for more projects, and eventually we would like to use it for core. One challenge with core is that it currently takes ~2 hours to generate the PHPUnit coverage report. We also want to gather feedback from the developer community on false positives and unhelpful rules. We have tried to start with a minimal set of rules that we think everyone could agree with but are happy to adjust based on developer feedback[2]. Our current list of rules can be seen in this quality profile.

If you'll be at the Hackathon, we will be presenting on the code health pipeline and SonarQube at the Code health and quality metrics in Wikimedia continuous integration session on Friday at 3 PM. We look forward to your feedback!

Kosta, for the Code-Health-Metrics group

[0] More about the Code Health Metrics group: https://www.mediawiki.org/wiki/Code_Health_Group/projects/Code_Health_Metrics, currently comprised of Guillaume Lederrey (R), Jean-Rene Branaa (A), Kosta Harlan (R), Kunal Mehta (C), Piotr Miazga (C), Željko Filipin (R). Thank you also to @daniel for feedback and review of rules in SonarQube.
[1] While SonarQube is an open source project, we currently use the hosted version at sonarcloud.io. We plan to eventually migrate to our own self-hosted SonarQube instance, so we have full ownership of tools and data.
[2] You can add a topic here https://www.mediawiki.org/wiki/Talk:Code_Health_Group/projects/Code_Health_Metrics
[3] You might have also noticed a post-merge job over the last few months, wmf-sonar-scanner-change. This job did not incorporate code coverage, but it did analyze most of our extensions and MediaWiki core, and as a result there is a set of project data and issues that might be of interest to you. The Issues view in SonarQube might be interesting, for example, as a starting point for new developers who want to contribute to a project and want to make some small fixes.

Written by kostajh on May 14 2019, 8:29 PM.
Staff Software Engineer, Growth Team
daniel, mmodell, abi_ and 4 others
"Orange Medal" token, awarded by mmodell."Hungry Hippo" token, awarded by zeljkofilipin."Love" token, awarded by abi_."100" token, awarded by xSavitar."Yellow Medal" token, awarded by Tgr."Orange Medal" token, awarded by Krinkle."Like" token, awarded by Mholloway."Pterodactyl" token, awarded by kaldari."Like" token, awarded by Jdforrester-WMF."100" token, awarded by hashar.

Event Timeline

How hard would it be to incorporate python projects into the codehealth pipeline? I'm interested in seeing SonarQube reports on rMSCA Scap

@mmodell not that hard. We could talk through what needs to happen in IRC or a meeting, or I could submit a patch sketching out the idea, just let me know.

(If you'd like to enable the pipeline for an extension you maintain or contribute to, please reach out to us via the comments on this post.)

We would like to enable the pipeline for the Translate extension.

We would like to enable the pipeline for the Translate extension.

@abi_ I created a patch to do this but we have some CI resource issues to sort out before enabling the pipeline for more extensions. I'll let you know if/when it's merged. Note that you'll probably also want to create a sonar-project.properties file in the repo that specifies the source locations. I can work with you on that, but let's get the extension added to the pipeline first.

@kostajh - Thank you.

I'm assuming that this is documented here and some example configurations are here.

I've also created a task for this setup - T225581: Enable codehealth pipeline for the Translate extension.