Getting crushed by SonarQube

I have been upgrading our Sonar server from 4.5 to 4.5.2 and restructuring our project. I initially was planning on upgrading to SonarQube 5.0, but the upgrade process can’t seem to handle our database. After I upgraded to 4.5.2, I was restructuring. Initially we had each of our libraries setup as a separate project at work and there was a separate sonar project for each one. At one point we decided it was much better to consolidate them all under 1 git repository and make 1 maven master pom with each other project as a module in maven. When we did that we never got around to consolidating our Sonar project to 1 project with sub projects. After we upgraded to intelliJ we found that we couldn’t sue the sonar plugins to integrate with our environment as our project didn’t match our sonar project.

Hence I started working on restructuring it to reflect our current project structure. Of course me being me the first thing I want to do is update to the latest. After the Database Schema Upgrade to version 5.0 failed I restored from a previous backup and then did the upgrade to 4.5.2. After upgrading I also had to upgrade many of our plugins. Upon completion of that I ran the analysis and started working on fixing the new errors. I was getting pretty close to having all the issues fixed when I discovered many of the rules we were using were deprecated. We had 99 deprecated rules plugins so I disabled them and enabled the suggested replacements. Oh what a mistake, after being down to about 60 issues to fix that put me up to 1000. Ay!!! At the end we will have much better rules in place for our code, but after working on it all day today and not quite resolving all the issues I am sort of kicking myself for upgrading too much at once. Oh well I guess in the end it will be worth the pain.

Code Coverage

In my current position one of the metrics we track is code coverage for our unit tests. When I started at the company we were using JUnit with Mockito and JaCoCo. This was a pretty good setup we got good coverage reports and Mockito makes the testing writing much easier.

One of the limitations of Mockito is that you can’t mock private methods or static methods. This presented an issue for us in reaching our desired level of coverage. We initially worked around some of the private method issues using reflection, but it wasn’t always ideal. The decision was made to use PowerMock. PowerMock solved all of our Mockito issues immediately. It was compatible with Mockito but gave us some new powerful features to allow us to get much better unit test coverage. Then we ran our Jacoco reports and found that the reporting no longer worked. Due to the way PowerMock uses byte code manipulation in order to mock static methods it is not compatible with JaCoCo and there is no plan for them to support measuring that.

So we figured no big deal and switched to Cobertura. The first problem with this change is that Cobertura 2.0.3 has a regression in it so it won’t report coverage with Powermock. We figured no big deal we will run the 1.9.4.1 release of it until they release a bug fix so we can update. Unfortunately the update has never come. You go to the roadmap for the site and you see it hasn’t been updated since November 7, 2013. There appears to be very little activity on the project, and we haven’t seen an update in 2 years. I see work going on in the github repository but there seems to be no attempt and doing any maintenance or fixing the issues for the existing users, and I can’t get a feel for when the 2.1 release is ever going to come out. A second issue is that the current version doesn’t support Java 8 and I would like to update to Java 8 in the very near future. At what point when dealing with open source software do you say the project is either dead or too inactive for us to rely on for business needs?

Cut to last week I was updating some libraries in the project and I wanted to upgrade from PowerMock 1.5.5 to PowerMock 1.6.1 and my coverage reports went to 0. So it seems our old version of Cobertura can’t handle the latest PowerMock. I did a test with Atlassian Clover and our coverage reports worked perfect and looked better than anything I have ever seen for a report. At that point I decided I had reached my breaking point with Cobertura and put in a request that we move to clover and buy some server licenses and work and in the meantime while waiting for approval I had to settle for PowerMock 1.5.6 until we can get approval to buy Clover licenses.

Going forward when someone suggests a new tool to fix an issue that we are having, I have to say that I am going to be looking into other things that tool drags along with it as I don’t want to be in the situation again where we are trading one problem for another.

Themes for 2015

As my Christmas vacation draws to a close I am starting to think of themes for 2015. Why themes and not goals or resolutions? Well I think resolutions are sort of setting yourself up for failure and goals are very rigid so I am going with more general themes.

  • Obviously the first theme I am working towards will be updating this site at least once a week ideally with something technical that I have learned during the week or thoughts on a problem I am solving.
  • Next on the agenda I would like to try to read more. I haven’t been reading as many books as I like to during 2014. But at the end of the year I have been picking up the pace a bit so I hope to read at least 2 books a month. My system I have been using is to try to get through 10% of a book a day on my kindle.
  • I would like to spend more time doing stuff in Spring Boot this year. I have been reading Greg Turnquist’s Learning Spring Boot and it is a great book which I strongly recommend. He seems to lay out the information right when I want it in the book and has saved me tons of time that I would have spent digging in the docs for answers otherwise.
  • Anyone who knows me know that I am not a big front end person, but as a full stack developer I need to know all the layers of the stack, so I think 2015 is the year that I need to learn Angular JS. I learned Knockout JS in 2014 and appreciated how much more productive it was for things than just jQuery and it seems to me that the market is all going Angular and people say it is more productive than knockout so it is time to give it a try.
  • I am hoping to do some architectural updates at work. I am ready to get our stack upgraded (I want to be on Spring 4.1 and Java 8 at a minimum and ideally JPA 2.1 as well instead of 2.0). I always prefer to run the latest stuff so I will be working hard to make sure that I can do so. On that note I submitted a Jira for the issue holding me back on Spring 4.1 related to the aspectj-maven-plugin. With any luck I will be on Spring 4.1 at work within the next 2-3 weeks. Java 8 may take a bit longer as it is going to mean a container upgrade.

Anyway that is what I have come up with so far I am sure more things will apply as time goes on, but this is a good start to my year plan. Now to enjoy my final 2 days of vacation before I return to work.

Bulletproof Coffee

I have been hearing a lot of talk about Bulletproof Coffee lately. I decided to take the plunge and give it a shot this morning as who doesn’t like a good body hack. I made mine with 1 Tbsp of Kerrygold butter which is the normal butter I eat anyway and 1 TBSP of virgin coconut oil. I ran it through the magic bullet to blend it and gave it a go.

I have to say the butter seemed way to rich for me in a cup of coffee, I found myself continually adding more black coffee to the mix to tone down the flavor. I used coconut oil instead of MCT (medium chain triglycerides) Oil as that is what I normally eat anyway and I am not convinced about MCT yet vs something more natural. Here is an article talking about MCT vs coconut oil. In theory I like the concept as someone who sometimes eats a Primal Diet I have seen the benefits of a higher fat diet, for both appetite control and weight loss so this seems to fit right into that.

The question is did it do anything for me? So far I am not noticing any difference as far as mental clarity goes on day one of it, I will see how it works for appetite control. I suspect it will work for that based on previous experiments with a high fat diet. Will I make it again? I think I will try it again to get a better sample than just one day, but I don’t think I am going to blend it anymore. I don’t like the consistency of it blended, I would rather drink coffee with oil on top of it instead. I will post again if I see any different results from future experiments with it, but for me right now, the jury is still out on it.

Speaking of security…

Today I came across the following news.┬áThe Chrome security team is considering marking all non-HTTPS sites as insecure (since they are.)┬áCheck out the story here. What this means is that if you don’t setup SSL on your site you are likely to lose users who are going to fear if your site is safe to use. Google has already announced that they are going to score pages higher in their search index if they use encryption and this is just more incentive for people to take the time to secure their sites. In 2014 it no longer makes sense to run a non-encrypted website. Techdirt also covered the story here.

Update
I forgot to mention you can get free SSL certificates at Start SSL so price isn’t an excuse for not upgrading your site.

Security is about tradeoffs

When I was working on this site on of the first things I did after setting up SSL was to run the Qualys SSL Labs Test on my site. This tool will analyze your site security and point out any weaknesses and assign a grade to your site. I initially scored a C and used the test results to get this site up to an A. When I got to an A I thought I was doing well as I had robust forward secrecy and my scores 100, 95, 80, 90. Then I saw this blog post over here and noticed his site while also had an A score he had a key exchange score of 100. This sent me down the rabbit hole of tweaking SSL configs to figure out how to really get a high score on this test.

After hours of testing I determined the difference was disabling the kEDH Ciphers which are “cipher suites using ephemeral DH key agreement, including anonymous cipher suites.” Once those are disabled my key exchange score went up to 100, however I lost my robust forward secrecy rating. There is the tradeoff if you drop those ciphers there are a bunch of devices out there that can’t do forward secrecy anymore, but if you keep them you are using what are considered to be weaker ciphers. In the end I decided to drop them, and then since I was in there I continued tweaking to one up Christopher Burg and got my site all the way up to an A+ before his. Who says a little friendly competition isn’t good motivation.

For anyone who is curious I looked into what it would take to get all 100s on the test and it is a price I am unwilling to pay at this time. Basically you have to run only TLS1.2 and have things really locked down. The other thing I would like to figure out is are the Camellia ciphers good and considered secure? I saw some sites recommending them, but I haven’t really heard much about them. I would love to know what the security community thinks of them, whether they are considered secure or efficient. I considered testing with them, against the Qualys SSL report card but it was midnight when I finally got to my A+ so I just left things where they were. If you want to check out my score on the test go here. Also check out this lovely image of my report card:

ssl-reportcard

Google Apps for Business

So when I finally resurrected my domain after it being idle for probably about 10 years I was thinking oh I should just roll out google apps to host my email. Back in the day I ran haskovec.com off of a Sparc Server I had running I think Solaris 10 maybe, but I am not 100% sure on the version of Solaris anymore. I just ran it off of my DSL and I used dyndns to map the dynamic dns to my home DSL as I was too cheap to pay for a static IP. At that time I was running a postfix smtp server for email.

Fast forward to now, I had been considering getting a Raspberry Pi and bringing this stuff back and then I remembered seeing the offer from Amazon about free EC2 on micro-instances. I realized free hosting for a year, a real static IP and not having to fool with hardware at my house and EC2 it is. This time around I was thinking hosting my own email is too much work and the spam filtering never seems as good as going with gmail, so I figured I would sign up for googles free for 10 email addresses account. Only it doesn’t exist anymore. I needed an email to get my SSL Cert setup so I signed up for the 30 day gmail just to get that setup. As I got to thinking about it, I was like no way I am keeping this around as I am not planning on using this email so why pay for it? After some google searches and messing around I am running postfix again just to forward messages to my main email account. Problem solved and it was a free solution!

Spring 4.1 / AspectJ Progress

My coworker discovered that the new version of AspectJ already has the flags built in to turn off the annotation processing. If we can do that we can continue using the Maven Processor Plugin to generate the Hibernate Metamodel data and not have to abandon this. The problem at this point is the AspectJ Maven plugin doesn’t support passing those flags along to AspectJ. So the next step is to get a patch in to that plugin and hopefully we can make the jump to Spring 4.1 at the start of the new year. After that I am going to focus on updating our container so we can finally make the move to Java 8 at work.

SpringOne2GX 2014 Java8 Language Capabilities

I was fortunate enough to attend SpringOne this year and I attended a talk by Venkat Subramaniam on Java 8. I have to say before attending this talk I have always been sort of meh on the functional features brought into the language, but this really got me excited about them. This is the first talk on functional programming that I have ever heard that wasn’t boring, but really engaged the listeners. I strongly recommend people check it out: