Qodana 2022.1 Is Available

Anastasia — Thu, 12 May 2022 13:06:40 +0000

We are continuously adding new functionality and improving Qodana, our code quality platform. To keep you updated about what’s new, we’re starting a series of regular release blog posts with the major release of Qodana 2022.1.

License audit has been an extra linter that had to be configured separately from the main linters. It now comes with Qodana out of the box. We also added a bunch of new and useful inspections for PHP and JVM linters. Read on to learn more!

GET STARTED WITH QODANA

License audit

Legal and compliance penalties for invalid or inappropriately used licenses in your code can be extremely costly. With Qodana, you can scan dependencies in your code repository to find their licenses and see whether there are any potential issues.

With this release, we’ve made it easy to bring license auditing into your project and make it a part of your CI/CD pipeline. The new License audit feature is available for all linters, including Python, Java, Kotlin, PHP, and JavaScript.

To enable License audit, add the following lines to the qodana.yaml file in your project root:

include:
  - name: CheckDependencyLicenses

If you need to ignore a specific dependency in your project, add the following lines:

dependencyIgnores:
- name: "dependency/name"

Read our documentation for more information about custom configurations for License audit and check out this blog post to see how it can streamline working routines for developers, managers, and legal teams.

PHP inspections

This version of Qodana brings all of the new inspections from PhpStorm 2022.1 and adds them to your pipeline with our PHP linters. PhpStorm comes bundled with Qodana, so when Qodana notifies you about an issue in your code, you can open it right in your IDE for further investigation.

Duplicate array key

The behavior of array_merge() and merging with the + operator are different from each other in PHP. The latter will not override the value if the key is duplicated. This can lead to confusion and bugs, so Qodana for PHP now highlights such cases.

Usage of count($array) as array index

When appending an item to an array, there is no need to explicitly specify the index. Qodana for PHP can warn you about the redundant count() call.

Replace pow() call with **

PHP has had an ** exponentiation operator available since version 5.6. Qodana for PHP will suggest a quick-fix right in PhpStorm (Alt+Enter) to replace the old pow() calls with the ** operator.

Read-only properties

Private properties with read-only access inside a class can be declared with the readonly flag. Qodana for PHP will suggest updating the property declaration.

Final class constants

Starting with PHP 8.1, it is possible to declare constants as final. This is why Qodana for PHP will warn you about constants that are not inherited and suggest adding a final modifier to them. With the PhpStorm integration, you can quickly jump to the IDE to fix the issue.

rand function arguments in reverse order

This inspection highlights function calls from the rand family where the max argument can be less than the min. For example, calling rand(10, 1) is the same as calling rand(1, 10), but mt_rand() is strict about the order of its arguments.

Invalid mock target with PHPUnit

Qodana for PHP will warn you when you try to access a private or final method on a mock object.

Redundant modifier

This new inspection will report modifiers that are used in regular expression patterns but do not affect the match:

/i(case insensitivity) in patterns that contain no letters.
/D (PCRE_DOLLAR_ENDONLY) in patterns that do not contain a dollar sign or that contain the \m (PCRE_MULTILINE) modifier.
/s(dot matches line breaks) in patterns that contain no dots.

Unsupported modifier

This inspection will report usages of the /e modifier, which is deprecated in PHP versions 7.0 and later.

Java and Kotlin inspections

This release also adds new inspections from IntelliJ IDEA 2022.1 to Qodana for JVM. With our IntelliJ IDEA integration, if any issues are found, the erroneous code can be opened right in the IDE for a quick fix.

Let’s take a look at the most notable inspections.

Suspicious back reference

Qodana for JVM will find references that will not be resolvable at runtime.This means that the back reference can never match anything. A back reference will not be resolvable when the group is defined after the back reference, or if the group is defined in a different branch of an alternation.

‘InputStream’ and ‘OutputStream’ can be constructed using ‘Files’ methods

This inspection reports FileInputStream and FileOutputStream constructors when they can be replaced with Files.newInputStream() and Files.newOutputStream(), respectively. Streams created using Files methods are usually more efficient than those created by stream constructors.

Redundant @ScheduledForRemoval annotation

Qodana for JVM will warn you about the usage of @ApiStatus.ScheduledForRemoval annotations without the inVersion attribute, which targets Java 9 or a newer version of Java. It will suggest replacing such usages with the forRemoval attribute in the @Deprecated annotation to simplify your code.

Bulk ‘Files.readAttributes’ calls can be used instead of multiple file attribute calls

This inspection finds places where multiple java.io.File attribute checks, such as isDirectory, isFile, lastModified, or length, are used in a row. These calls can be replaced with a bulk Files.readAttributes call. The bulk method is usually more performant than multiple attribute checks.

Loop can be replaced with ‘List.replaceAll()’

This inspection reports loops that can be collapsed into a single List.replaceAll() call.

Number of placeholders does not match the number of arguments in logging call

Qodana for JVM will report SLF4J or Log4j 2 logging calls, such as logger.info(\"{}: {}\", key), where the number of {} placeholders in the logger message doesn’t match the number of other arguments in the logging call.

Regular expressions can be simplified

This inspection detects regular expressions that can be simplified.

To exclude certain inspections from your analysis, you can customize your default inspection profile or create a brand new one. You may also want to enforce inspections that are important to your coding guidelines or best practices. Check out our Qodana documentation for more information.

That’s all that is new in Qodana 2022.1! We hope you’ll find our release blog posts useful. If you have any suggestions for future blog topics or if you want to learn more about how Qodana can help you and your business, post a comment here, tag us on Twitter, or contact us at qodana-support@jetbrains.com.

Your Qodana team

Introducing Qodana for Azure Pipelines

Anastasia — Thu, 07 Apr 2022 11:26:11 +0000

With Qodana, you can detect, analyze, and resolve code issues right in the CI/CD system you rely on. Since Qodana was released, we’ve supported GitHub Actions, GitHub App, GitLab CI/CD, TeamCity, and Jenkins. We continue to expand our integrated environments to make sure we bring code quality into your favorite CI/CD. This time around, we’re introducing a new extension for Azure Pipelines.

Try for free

Qodana linters are now integrated into your Azure DevOps repositories to allow you to make code analysis a part of your build pipeline and ensure the maintainability and reliability of your projects. You can integrate Qodana with Azure Pipelines in just 2 steps:

Install Qodana for Azure Pipelines
Configure Qodana to analyze your code

Now let’s dive into the details.

Install Qodana for Azure Pipelines

From Visual Studio Marketplace, install the Qodana for Azure Pipelines extension by clicking the Get it free button, and Proceed to organization once the installation has finished.

If you do not have the required permissions to install an extension from the marketplace, a request will be sent to the account administrator to ask them to approve the installation.

Configure Qodana to analyze your code

Set up a pipeline that integrates with Qodana

Before analyzing your code, you will first need to set up a new build pipeline that integrates with Qodana. On the Azure DevOps panel, go to Pipelines and click Create Pipeline. If any pipelines have already been created, select New pipeline.

You can configure the pipeline with either the YAML editor or the classic editor. When using the classic editor, you can take advantage of the predefined templates. The YAML editor requires you to use a YAML file. Let’s choose the latter for this example.

The YAML editor will open with the template YAML file. In order to configure it correctly you will need to configure the Qodana Scan task by editing your azure-pipelines.yml file:

# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml

trigger:
  - main

pool:
  vmImage: ubuntu-latest

steps:
  - task: Cache@2 # Not required, but Qodana will open projects with cache faster.
    inputs:
      key: '"$(Build.Repository.Name)" | "$(Build.SourceBranchName)" | "$(Build.SourceVersion)"'
      path: '$(Agent.TempDirectory)/qodana/cache'
      restoreKeys: |
        "$(Build.Repository.Name)" | "$(Build.SourceBranchName)"
        "$(Build.Repository.Name)"
  - task: QodanaScan@1

You can also find the Qodana Scan task in the list of tasks on the Show assistant panel.

Run your pipeline

When you are done making the changes to the file, click Save and Run.

See the results

To display the Qodana report summary in Azure DevOps, install Microsoft DevLabs’ SARIF SAST Scans Tab extension. Once installation is done, go to the Pipelines tab, select the pipeline being run and analyzed, and look at the Scans tab for more information about the quality of your code.

With the Qodana for Azure Pipelines extension, you will be able to easily integrate Qodana into your Azure DevOps pipeline and start seeing the analytics the first time your code is checked.

If you have any questions or suggestions about Qodana, post a comment here, tag us on Twitter or contact us at qodana-support@jetbrains.com.