switching the coderanch build to gitlab

After having some “trouble” upgrading Jenkins on the CodeRanch server, we concluded it would be easier to switch to GitLab for the build than fix it. After all, we are already using GitLab SaaS (software as a service) for source control. While I’ve done GitLab pipelines before, this was my first time using Ant in one so it was interesting. Which means a blog post.

Why we use Ant and our custom deployment model

We have a few CodeRanch moderators who work on the forum software. (Less than 5, which is convenient as that’s how many people can be in a GitLab org for free.) One of those moderators lives in a country with less than reliable internet. This means using Maven (or even Ant with Ivy) is a problem because it expects more internet than he may have available at a given moment.

Additionally, uploading large files is sometimes a problem so we don’t deploy a .war file. We instead deploy a loosefiles.zip file which contains the code but not all the dependencies. The dependencies are uploaded only on change.

I don’t recommend any company operate like this but it meets our needs. And since it is a hobby, also gives us fun technical challenges.

Fun fact: when I started working on the forum software (17 years ago) I had dialup internet. It was reliable, but I also benefited from the no uploading a war file sized artifact personally.

The main build part of the pipeline

Ant isn’t supported for Auto DevOps so I didn’t consider that approach. The main part of the build was fairly straightforward:

image: eclipse-temurin:17

variables:
  FF_TIMESTAMPS: 1

ant-dist:
  stage: build
  before_script:
    - apt-get update && apt-get install -y ant
  script:
    - ant dist
  artifacts:
    paths:
      - qa/
      - dist/
    reports:
      junit: qa/reports/*.xml
    expire_in: 1 week
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: '$CI_COMMIT_BRANCH == "master"'

It uses a Java 17 image (no, we haven’t upgraded to 21 yet). I added FF_TIMESTAMPS so the log output tells me how long everything takes. (The free plan gives you a certain number of build minutes per month so this is important.) Using this information we decided not to have the build create the deployment artifact (which minifies files and zips them up) as that took a bunch of time and the people who deploy always run that locally anyway.

The apt-get takes about 15 seconds to install Ant (I checked this because I would have included Ant in the repo if it was slow). Next comes actually running the dist target of the build which compiles, runs the JUnit tests and PMD for static analysis.

Next the pipeline makes the qa (build reports) and dist (binaries) available for browsing/downloading. It also publishes the JUnit output which allows the merge request and pipeline to conveniently show test data.

Finally, the triggers are merge requests and master.

Setting up semgrep

Since SAST is free on GitLab I set that up as well. The remainder of the pipeline is:

# based on https://semgrep.dev/docs/semgrep-ci/sample-ci-configs#sample-gitlab-cicd-configuration-snippet
semgrep:
  # A Docker image with Semgrep installed.
  image: semgrep/semgrep
  # Run the "semgrep ci" command on the command line of the docker image.
  script: semgrep ci --config auto --include src --gitlab-sast --output=gl-sast-report.json --text-output=semgrep.txt --json-output=semgrep.json --sarif-output=semgrep.sarif || true
 
  variables:
    # Upload findings to GitLab SAST Dashboard:
    SEMGREP_GITLAB_JSON: "1"
 
  artifacts:
    paths:
        - semgrep.txt
        - semgrep.json
        - semgrep.sarif
    reports:
      sast: gl-sast-report.json
    expire_in: 1 week

  rules:
  # Scan changed files in MRs, (diff-aware scanning):
  - if: $CI_MERGE_REQUEST_IID

  # Scan mainline (default) branches and report all findings.
  - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  

While most of this code came from the sample, semgrep was far more interesting. You can publish to semgrep.dev and see the results in a nice UI. It says that is free for up to 10 committers. Cool, we have less than that. However, when the project comes from GitLab, it requires a GitLab group token with admin access. I was less enthusiastic about that. But even then, I still couldn’t use it because GitLab’s free product doesn’t allow you to set up group access tokens.

You might be wondering why there are so many output formats. Free GitLab basically tells you if there are new findings, but doesn’t give you a visual display of the full report. And I’m not sure what the other developers will want to use so I provided everything. I plan to use SARIF. There are two free visualizers:
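For reading semgrep.sarif without a visualizer, the following added example (not from the original post or the Semgrep project) flattens a SARIF 2.1.0 file into findings with a per-level count and an exit status; since the job above ends in `|| true` it passes whatever the scan finds, so that status is what a later step could gate on. The sample document, rule ids, paths and function names are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample in SARIF 2.1.0 shape (not real scan output); rule ids and paths are made up.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-scanner", "rules": [
        {"id": "example.sqli", "defaultConfiguration": {"level": "error"}},
        {"id": "example.no-default"},
    ]}},
    "results": [
        {"ruleId": "example.sqli", "message": {"text": "SQL built by concatenation"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/example/Dao.java"},
             "region": {"startLine": 42}}}]},
        {"ruleId": "example.weak-hash", "level": "note", "message": {"text": "MD5 used"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/example/Hash.java"},
             "region": {"startLine": 7}}}]},
        {"ruleId": "example.no-default", "message": {"text": "finding without a location"}},
    ],
}]})

def load_findings(sarif_text):
    """Flatten every run into (level, rule_id, "file:line", message) tuples."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        defaults = {r["id"]: r.get("defaultConfiguration", {}).get("level") for r in rules}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "<no rule id>")
            # SARIF 2.1.0: result.level wins, then the rule's default, then "warning".
            level = res.get("level") or defaults.get(rule_id) or "warning"
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            where = "{}:{}".format(phys.get("artifactLocation", {}).get("uri", "<unknown>"),
                                   phys.get("region", {}).get("startLine", 0))
            findings.append((level, rule_id, where, res.get("message", {}).get("text", "")))
    return findings

def summarize(findings):
    return dict(Counter(level for level, *_ in findings))

def gate(findings, fail_on=("error",)):
    # Exit status for a CI step: 1 if any finding has a blocking level, else 0.
    return int(any(f[0] in fail_on for f in findings))

if __name__ == "__main__":
    found = load_findings(SAMPLE_SARIF)
    print(*sorted(found), sep="\n")
    print(dict(summarize(found)), "exit status:", gate(found))
```

To use it on a real scan, pass the text of the semgrep.sarif artifact to `load_findings` in place of the constructed sample.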

“you only have to be brave for 15 seconds at a time”

There are situations at work where speaking up can be scary. Maybe it is a senior manager or a big group or you aren’t sure how the comment will be received. Or maybe it is giving a presentation. Or pushing publish on a blog post :).

I’ve developed a simple three step procedure for these types of situations:

Step 1: Decide you want to do it.

Sometimes it is good to bring up an awkward topic. Sometimes it isn’t. Making this decision rationally is important. There’s a difference between bringing up the elephant in the room and something there are good reasons not to discuss.

Step 2: Get ready

I think about how I want to start. For a question, this is preparing the whole question. For a presentation, it is the first sentence. (Yes I prepare more than one sentence, but that first sentence is memorized). Or in the case of a blog post/email, writing all the content.

Step 3: Be brave for 15 seconds

Remind myself that I only need to be brave for 15 seconds at a time. That’s enough time to be done if it is a short thing (like a question or pressing send) or be committed if it is a longer one (like a presentation).

One time, when I was very scared, I wrote “you only have to be brave for 15 seconds at a time” on a piece of paper and put it in my pocket. I felt the paper right before I needed to be brave and it gave me strength.

PASSED! Jeanne’s Experience Taking the Oracle AI Vector Search Certified Professional Certification

Today I took the Oracle AI Vector Search Professional certification and passed with a score of 80%. Passing is 68%.

Why I took this certification

When I took the Java 21 certification, Oracle was essentially using Zoom to proctor the exam. You checked in with a group, there was no whiteboard, etc. I even remarked at the time “seems like an odd security choice to have people on video without virtual background to strangers.”

I knew that Oracle had switched to a proper exam engine since then. But I wasn’t going to pay to take another exam to see it. Conveniently Oracle is running a promotion where you could take a free certification until May 15th. I looked through the list of choices to see what I found most interesting. I’ve also liked databases and vectors feature in AI so this one seemed good.

My goal was not to pass the exam. That was a happy side effect. My goal was to learn a little and then see the new engine. And the vector database learning path was only 8 hours long. Spoiler: I didn’t spend 8 hours.

What I did:

  • Saturday – watched videos and did skills checks from the vector search fundamentals course. This was interesting. The skills check questions cover a good amount of the exam materials. I watched it on 2x speed. I also skipped most of the lab videos. I watched enough (by checking random time points) to see they were repeating the same concepts from the videos. (The labs aren’t free anyway)
  • Sunday – watched the deep dive and autonomous database videos on 2x. These were less interesting because the concepts were high level. The lab videos covered more information but I didn’t watch them in the interest of time. Plus I wasn’t doing the labs. (If you are trying to pass the exam, I recommend spending more time with these videos.) Also, there were no skills check questions in these videos so less interactive.
  • Monday – watched the video about preparing for the exam. It came with 12 practice questions which were useful for getting a feel for what to expect.
  • Tuesday – did practice exam. This was 30 questions in 60 minutes. Which is less than the real exam, but about the same amount of time per question. The practice exam uses the format of the skills checks, not the format of the exam. It is an excellent representation of what you should expect on the exam. In fact, some of the questions were the same. You can see what you put and the right answer with a short explanation after submitting. I got a 70% on the practice exam. I recommend not taking this practice exam until you feel ready so it serves as a proxy of how prepared you are. You can take it as many times as you want, but the questions and answers are the same (just in a random order)
  • Thursday – re-read my notes and took the practice exam again to re-load the info in my head. Had AI generate key points on the Oracle products along with some practice questions to at least try to get some of those questions right.
  • 7:30am Friday morning – took real exam. I signed up for it before starting the videos. Most of the choices were early morning or late night so I assume the proctors are still in Asia. And mostly weekdays. (or super late Sunday night which is Monday in Asia). You can join up to 30 minutes early. Checkin was fast so I was done by 7:30am with the exam. Which is nice because today was a work day.

The exam

All the questions were single answer multiple choice. Many were short word problems. Some were multiple choices with each answer being one line of code or in rare cases up to 6 lines of code. A handful were a longer code snippet where you had to identify the purpose of a particular part of the code. Nothing tricky.

A good number of the questions were on the Oracle products that I glossed over in my preparation. But as evidenced by my passing, a majority of the questions were on vector databases. I also got a couple about RAG (retrieval augmented generation) in general, but that I was aware of before preparing.

I wrote a separate blog post about the exam engine.

After the exam

You get a score report on the screen right after submitting and an email right away with the same score. It took a few hours to get the second email saying my certview was updated.

Timing

As I mentioned in my experience with the Java 21 exam blog, I typically finish exams with lots of time to spare. This exam was no exception. I finished in 20 minutes. I didn’t bother to do a second pass to check for accuracy since I didn’t care if I passed. So it’s not *all* Oracle exams that are long. Doesn’t help that this one is short if you are trying to take the Java cert though.

How to Study

The learning path is sufficient to take the exam if you go through it more carefully.