Take SonarQube down or not?

Continuing the discussion from Sonar failures on bamboo!:

Sonar checks FindBugs rules and Codacy only checks PMD and Checkstyle rules as discussed here.

If we take Sonar down we do not have any tool in place that uses FindBugs and I think we should use one since it can prevent bugs from getting in production. Of course the way Sonar is configured now has not prevented any of these hundreds of critical issues from ending up in the code. So something should change!

We can use a maven findbugs plugin and simply start by doing a bug hunt pre-releases and at a more sane state include it in the build as a barrier; configure it to fail the build or release if critical issues are introduced.
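One way to set up the barrier described in the post above, as an added example that is not part of the original thread or the project's own build: a `findbugs-maven-plugin` section for `pom.xml` that runs the `check` goal in the `verify` phase, so both `mvn verify` and a release build fail when high-priority findings are introduced. The plugin coordinates, `effort`, `threshold` and `failOnError` are real parameters of the Codehaus plugin; the version and the exclude-filter path are assumptions and should be set to whatever the project uses.

```xml
<build>
  <plugins>
    <plugin>
      <groupId>org.codehaus.mojo</groupId>
      <artifactId>findbugs-maven-plugin</artifactId>
      <!-- assumed version; pick the one the project already pins -->
      <version>3.0.5</version>
      <configuration>
        <!-- Max effort finds more, at the cost of analysis time -->
        <effort>Max</effort>
        <!-- Only High-priority (critical) findings break the build;
             Default or Low widen the net once the backlog is cleaned up -->
        <threshold>High</threshold>
        <!-- Fail the build when findings at or above the threshold exist -->
        <failOnError>true</failOnError>
        <!-- XML output so Bamboo (or any CI) can archive the report -->
        <xmlOutput>true</xmlOutput>
        <!-- assumed path: reviewed suppressions for known false positives -->
        <excludeFilterFile>findbugs-exclude.xml</excludeFilterFile>
      </configuration>
      <executions>
        <execution>
          <id>findbugs-gate</id>
          <!-- verify runs before install/deploy, so a release cannot
               be cut past a failing analysis -->
          <phase>verify</phase>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

For the pre-release bug hunt stage the post mentions, the same plugin can be run on demand without the gate by invoking `mvn compile findbugs:findbugs` (report only) and inspecting the results with `mvn findbugs:gui`; the `verify`-phase execution above is what turns it into a hard barrier once the existing critical issues are down to a manageable level.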

Sonar is back working, that was me who accidentally broke it.

If we are to keep it, I’ll need to do something around security and isolation of sonar, but I’m OK keeping it.