Open rock3r opened 3 weeks ago
Thank you for the report. I don't believe we have a direct dependency on sarif, but get it through com.pinterest.ktlint:ktlint-cli-reporter-sarif:1.2.1. Seems like we should add automated test coverage however.
What's your gradle configuration? Sarif reports work for me using the latest version of kotlinter (4.3.0). Have you bumped the ktlint dependency? I still need to put out a new release supporting 1.3.0.
Hi Jeremy! I had this crash when working on https://github.com/JetBrains/jewel/pull/398, where I initially updated Sarif4k to 0.6.0. I am not declaring the ktlint version explicitly, just getting whatever comes through your plugin.
I see. It sounds like maybe the jetbrains compose build plugin for that one requires a later version of the sarif dependency. If you remove the other build plugin, do sarif reports work?
It's an unfortunate challenge that the dependencies are not isolated when it comes to gradle plugins, which you can see from the compatibility matrix described by this plugin, which isn't comprehensive. There might be other plugins out there with conflicting dependencies.
I have only tried a simple "roll back the Sarif4k version to 0.5.0" and stopped there, since that fixed the issue. I have a direct dependency on it because I need to merge Sarif reports before uploading to GH Actions; I don't think any 3p plugin in my build uses it — apart maybe from Detekt, but that is not problematic, since it's my direct dependency that causes issues.
https://github.com/JetBrains/jewel/blob/main/buildSrc/src/main/kotlin/MergeSarifTask.kt is the code that uses Sarif4k, for the record
When running check, the plugin crashes:
Downgrading Sarif4K to 0.5.0 works fine. You probably just need to upgrade your dependency.