[Task]: Implement Static Code Analysis Support for Ballerina

[Xenowa]

Description

Static code analysis examines code without execution, identifying potential issues like bugs, security vulnerabilities, and style violations. It improves software quality by early issue detection, creating better maintainability, and providing enhanced security.

Each programming language has its own unique syntax and semantics. Therefore, effective static code analysis requires tools specifically designed for the language being analyzed. These tools leverage the language's specific characteristics to perform more in-depth and accurate analysis.

Existing static code analysis tools like SonarQube rely on these language-specific code analyzers to extract information and report issues.

This effort focuses on developing a Ballerina tool to perform static code analysis based on sets of rules and report analysis issues to various static code analysis platforms.

Contains steps to Implement #42256

Describe your task(s)

Implementing a Ballerina static-code-analysis-tool

[Phase 1] Creating the core analyzer:

• [x] Implement core analyzer with analysis report generation. Tracked in https://github.com/ballerina-platform/static-code-analysis-tool/pull/4

  • Implement a analyzer to identify Ballerina files and obtain its syntax tree and other relevant properties
  • Implement feature to generate a JSON report in a target directory at the end of the analysis
  • Implement feature to specify target directory to generate the report at the end of the analysis

• [x] Implement HTML report generation. Tracked in https://github.com/ballerina-platform/static-code-analysis-tool/pull/9

  • Implement user-friendly report to visualize analysis issues

• [x] Implement core rule: identify usage of checkpanic keyword. Tracked in https://github.com/ballerina-platform/static-code-analysis-tool/pull/10

  • Develop a syntax tree traversal mechanism to identify ‘checkpanic’ keyword usage in Ballerina files

• [x] Implement Scan.toml based scan tool behavior configuration. Tracked in https://github.com/ballerina-platform/static-code-analysis-tool/pull/11

  • Identify configurations provided to modify scan tool behavior
  • Develop a mechanism to identify and load configurations from a local or remote Scan.toml file

[Phase 2] Introduce extension points for the core analyzer

• [x] Implement extension for supporting additional analysis capabilities of scan tool via compiler plugins. Tracked in https://github.com/ballerina-platform/static-code-analysis-tool/pull/15

• Implement:

  • [x] Extension for platform-specific issue reporting
  • [x] Mechanism for including and excluding rules to generate customized analysis results
  • Tracked in https://github.com/ballerina-platform/static-code-analysis-tool/pull/16

[Phase 3] Implement additional Ballerina rules

• [ ] Progressively Implement additional Ballerina rules as they get reviewed

Implementing Ballerina analysis issues reporting support for SonarQube via creating the sonar-ballerina plugin:

• Implement:
  • [x] Feature to report core analysis issues generated via Ballerina scan tool when a scan is triggered via the sonar-scanner CLI
  • [x] Feature to report core analysis issues generated via Ballerina scan tool when a scan is triggered from the Ballerina scan tool
  • [x] Feature to report custom analysis issues generated via Ballerina scan tool
  • Tracked in https://github.com/ballerina-platform/sonar-ballerina/pull/2

Related area

-> Other Area

Related issue(s) (optional)

No response

Suggested label(s) (optional)

No response

Suggested assignee(s) (optional)

No response

[Xenowa]

24/04/2024 Update

• Implementations for static code analysis support for Ballerina have already been created in ballerina-scan-tool repository and changes are steadily being ported to static-code-analysis-tool
• Several class-loader-related issues that prevent casting objects passed from Ballerina tools to compiler plugins have been addressed:
  • https://github.com/ballerina-platform/ballerina-lang/issues/41957
  • https://github.com/ballerina-platform/ballerina-lang/issues/42312
• Identified and sent a PR to fix a workflow and test misconfigurations in the setup-ballerina action which prevents installation of the latest Ballerina version for Windows builds:
  • https://github.com/ballerina-platform/setup-ballerina/issues/6
  • https://github.com/ballerina-platform/setup-ballerina/pull/7

[Xenowa]

29/06/2024

• Demonstrations for creating a static analysis compiler plugin and a static code analysis platform plugin to extend the scan tools capabilities has been made.
• The ruleKind attribute expected in the compiler plugins rules.json file has been changed to kind.