I liked the package design (later renamed to file design) feature in SonarQube to detect cycles inside my application. See this old blog post:
http://www.sonarqube.org/fight-back-design-erosion-by-breaking-cycles-with-sonar/
In the recent 6.0 version of SonarQube I can't find this anymore. There is a design plugin, but that only seems to be supported until version 4.5.6. Am I overlooking something or is the file design feature just gone?
Design-related services were dropped in version 5.2.
I am working with JFrog Xray, which has scanned our Artifactory and identified a vulnerability in a third-party library which is a dependency of my application.
From the component scan, I click on the CVE number and get this information
**Details**
Summary [CVE-XXX-YYY] Improper Input Validation
Type Security
Severity Critical
....
Infected Component __internal component__
Source Version 1.2.3
However there is no suggested "resolution". For example, "upgrade to 1.2.4" or "upgrade to 2.0.1".
Ideally I don't want to have to install all versions of this component and scan them individually.
And in this case the "References" links are not so helpful.
Any advice on the proper workflow to find a safe upgrade to a vulnerable component identified in JFrog Xray would be most helpful here.
The fix version is not always available when a new vulnerability is reported in the NVD, which is why JFrog Xray does not always show it. If the fix version is not available, the options are:
If the vulnerable software versions have a range, e.g. (1.2,1.5], then the fixed version can be any version before 1.2, including 1.2, or any version after 1.5.
If the vulnerable software versions have an open range above, for example (1.2,), then the fixed version can be any version before 1.2, including 1.2.
If the vulnerable software versions have an open range below, for example (,1.2), then the fixed version can be any version after 1.2, including 1.2.
Note: The best option is to look for the 'fix version' field, where it specifies exactly the version that fixes the problem.
If it's not specified, the above can give guidance to some level.
JFrog Xray will report 'fix version' only if the information is available at the source (where the vulnerability was reported).
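The range rules in the answer above, as an added example (not part of the original answer and not JFrog code): it parses the interval notation shown there and lists which available versions newer than the installed one fall outside the vulnerable range. The range, the version list, and the function names are constructed for illustration, and only dotted numeric versions are handled (no qualifiers such as `-SNAPSHOT`).

```python
import re

def parse_version(text):
    """Dotted numeric version -> tuple of ints; trailing zeros dropped so 1.2 == 1.2.0."""
    parts = [int(p) for p in text.strip().split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse_range(spec):
    """Parse '(1.2,1.5]', '(1.2,)' or '(,1.2)'.
    Returns (lower, lower_inclusive, upper, upper_inclusive); None marks an open end."""
    m = re.fullmatch(r"\s*([\[(])\s*([\d.]*)\s*,\s*([\d.]*)\s*([\])])\s*", spec)
    if not m:
        raise ValueError(f"not a version range: {spec!r}")
    opener, lo, hi, closer = m.groups()
    return (parse_version(lo) if lo else None, opener == "[",
            parse_version(hi) if hi else None, closer == "]")

def is_vulnerable(version, spec):
    """True if `version` lies inside the vulnerable range `spec`."""
    lo, lo_inc, hi, hi_inc = parse_range(spec)
    v = parse_version(version)
    if lo is not None and (v < lo or (v == lo and not lo_inc)):
        return False
    if hi is not None and (v > hi or (v == hi and not hi_inc)):
        return False
    return True

def safe_upgrades(available, spec, current):
    """Versions newer than `current` that are outside the vulnerable range."""
    cur = parse_version(current)
    return [v for v in available
            if parse_version(v) > cur and not is_vulnerable(v, spec)]

# Constructed sample data: a vulnerable range and the versions a repository offers.
VULNERABLE = "(1.2,1.5]"
AVAILABLE = ["1.1.9", "1.2", "1.2.3", "1.4.0", "1.5", "1.5.1", "2.0.1"]

if __name__ == "__main__":
    for v in AVAILABLE:
        print(v, "vulnerable" if is_vulnerable(v, VULNERABLE) else "outside range")
    print("upgrade candidates from 1.2.3:", safe_upgrades(AVAILABLE, VULNERABLE, "1.2.3"))
```

A version outside the reported range is only a candidate: confirm it against the advisory or rescan it, since the range reflects what the vulnerability source recorded at the time.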
In the old version, there was a dashboard for the whole project from different views, but in the latest version there isn't. Why was this dashboard removed?
The short answer is that rather than making you figure out which measures are most important, and making you figure out how to display them, recent versions of SonarQube handle the hard work for you with a standard, non-customizable project homepage, and the new Projects space.
After a while I installed sonarqube 5.6 today and wondered where the dependency matrix feature is.
I found this SO question, but it is about sonarqube 4.5.
I also searched the update center to see if I must install an additional plugin now, but I had no success.
Does anyone know how to get the package design widget back?
I just found the answer. Sadly the package design widget is not available anymore.
Since sonarqube 5.2...
All design-related features were dropped
See http://www.sonarqube.org/sonarqube-5-2-in-screenshots/, section "Also worth noting":
All design-related features were dropped in this version (see SONAR-6553 for details), including Package Tangle Index and related metrics.
Noticed that there is a 2.0 version of the Spring IO Platform available as a snapshot. I am looking to understand what might be driving the major version number change. Can someone with better insight into the changes share the themes here (or point to somewhere where this is better documented)?
Look at the "Upgrading" section of the documentation: http://docs.spring.io/platform/docs/2.0.0.BUILD-SNAPSHOT/reference/htmlsingle/#upgrading-removal
Some dependencies were removed, which leads to a major version, since it's a breaking change.
Does anyone have any information on Spring Web Flow 3 status?
Here are a few relevant links that support my sense that springsource has essentially abandoned the project:
1) Official roadmap indicates they are missing milestones by over a year now with no update to the roadmap.
2) Forum thread filled with these questions ignored by Keith Donald and Spring team.
3) Official Download page says the latest release is 2.2.1 but is actually 2.3 so that is not even being kept up-to-date anymore.
While Web Flow version 2 I'm sure is a great product, the issues above are all obvious red flags when it comes to evaluating an open source product -- as well as evaluating the company behind that project. Am I simply missing some communication channel where all this has been discussed in detail before? I find it hard to believe that springsource, a company that seemingly had their act together, would be this negligent with one of their flagship products.
They just added a graphical web flow editor into STS. See this InfoQ post. Also, I just checked JIRA and Fisheye and it looks like there are bug fixes going into a 2.3.1 coming that corresponds with Spring 3.1. So I don't think it's abandoned, it's just not getting new features.
Just wanted to mention that the latest version (2.3.1) of Spring Web Flow was released on Mar 27, 2012. See the changelog file: http://static.springsource.org/spring-webflow/docs/2.3.x/changelog.txt