Check for dead code in merge requests
Problem to solve
It's not always obvious when a merge request introduces code that isn't actually called anywhere. Similarly, it's not obvious when an MR that removes a lot of code (like https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/30226
Intended users
ICs, reviewers
Proposal
Tools exist for various languages that attempt to detect and flag code that is never called. We should:
- Turn on one of these tools for GitLab's codebase
- Try to build this functionality into the product in a cohesive way so everyone can benefit
When someone submits a merge request, the tool (typically a form of static analyzer) can run and flag any dead code.
For gitlab-rails, we might be able to use https://github.com/seattlerb/debride. Similarly, we might be able to integrate it for all Ruby applications.
This is a somewhat hybrid proposal - I think if we try it out on GitLab's codebase first, we'll be able to gather data on whether it's worthwhile trying to package it into a feature. Rails is one of the more difficult cases available for this kind of scanning - it's much easier with, say, Go or C.
Somewhat inspired by the great work @qzhaogitlab did on showing memory use metrics for various gems.
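To illustrate why Ruby is a hard case for this kind of scanning, here is a small example added for this write-up (not code from the issue author, GitLab, or debride, and not how debride is implemented). It uses Ruby's standard `Ripper` parser to list methods that are defined but never named in a call; the `Report` class, `collect`, `dead_methods` and the `allow` parameter are hypothetical names, and the sample source is constructed.

```ruby
require "ripper"

# Constructed sample: `legacy_export` is truly unused, while `audit` is only
# reached through `send`, which a purely syntactic scan cannot follow.
SAMPLE = <<~RUBY
  class Report
    def run
      build
      send(:audit)
    end

    def build; end
    def audit; end
    def legacy_export; end
  end

  Report.new.run
RUBY

# Walk the Ripper s-expression, recording defined and called method names.
def collect(node, defs, calls)
  return unless node.is_a?(Array)
  case node[0]
  when :def                    # [:def, [:@ident, "name", pos], params, body]
    defs << node[1][1]
  when :vcall, :fcall, :command # bare calls such as `build` or `send(...)`
    calls << node[1][1]
  when :call                   # receiver.method; node[3] is the method ident
    calls << node[3][1] if node[3].is_a?(Array)
  end
  node.each { |child| collect(child, defs, calls) }
end

# Return defined-but-never-called methods, minus an allow list of names
# known to be reached dynamically (hypothetical parameter for this example).
def dead_methods(source, allow: [])
  defs = []
  calls = []
  collect(Ripper.sexp(source), defs, calls)
  defs - calls - allow
end

puts "naive scan:      #{dead_methods(SAMPLE).inspect}"
puts "with allow list: #{dead_methods(SAMPLE, allow: ['audit']).inspect}"
```

The naive scan reports `audit` as dead even though `send(:audit)` calls it at runtime, which is the kind of false positive that makes an allow list, and human review of findings, necessary before any flagged code is removed from a Rails application.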
Links / references
(Putting this under ~Memory as it may help us a bit with that in the short term and, while it's a form of static analysis, it's probably not SAST, and so ~Secure, per se).