jose-elias-alvarez / null-ls.nvim

Use Neovim as a language server to inject LSP diagnostics, code actions, and more via Lua.

Support for flawfinder #1480

Open krishnakumarg1984 opened 1 year ago

krishnakumarg1984 commented 1 year ago


Feature description

flawfinder is a static analysis tool for finding vulnerabilities in C/C++ source code. It would be helpful to have support for this in null-ls.nvim.

Help

Yes, but I don't know how to start. I would need guidance.

Implementation help

No response

ghost commented 1 year ago

I tried to add the settings that nvim-lint is using for flawfinder (found here: https://raw.githubusercontent.com/mfussenegger/nvim-lint/master/lua/lint/linters/flawfinder.lua) together with how I configured gcc.

Here's what I came up with:

local h = require("null-ls.helpers")
local methods = require("null-ls.methods")

local flawfinder = {
    method = methods.internal.DIAGNOSTICS_ON_SAVE, -- run after the buffer is written
    filetypes = { "c", "cpp" },
    name = "flawfinder",
    async = true,
    generator = h.generator_factory {
        command = "flawfinder",
        -- -S single-line hits, -Q quiet (no banner), -D data only, -C report columns
        args = {
            "-S",
            "-Q",
            "-D",
            "-C",
            "$FILENAME",
        },
        to_stdin = false, -- flawfinder reads the file from disk, not from stdin
        from_stderr = false,
        format = "line", -- on_output is called once per output line
        on_output = h.diagnostics.from_pattern(
            -- file:row:col:  [level] (category) name: message
            [[^(.*):(%d+):(%d+): *%[([0-5])%] (.*)$]],
            { "file", "row", "col", "severity", "message" },
            {
                -- flawfinder risk levels (1 = lowest, 5 = highest), all reported as WARN here
                severities = {
                    ['5'] = vim.diagnostic.severity.WARN,
                    ['4'] = vim.diagnostic.severity.WARN,
                    ['3'] = vim.diagnostic.severity.WARN,
                    ['2'] = vim.diagnostic.severity.WARN,
                    ['1'] = vim.diagnostic.severity.WARN,
                },
            }
        ),
    },
}

It seems to work? (But to be honest, I don't know what everything does.) After that, I'm just adding "flawfinder" to "sources".

jose-elias-alvarez commented 1 year ago

@CroPhYPtic This looks good - the only changes I would make before putting in a PR would be to use the style of existing built-in sources (which is slightly different from custom sources) and also consider using the to_temp_file option, which could work around the tool's lack of support for stdin.
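
The same source rewritten in the built-in style with `to_temp_file`, as an added example (this is neither the project's code nor the pull request from the thread). It uses `h.make_builtin`, which is how null-ls's built-in sources are structured, and `to_temp_file` so the linter can run on the unsaved buffer instead of waiting for a write. The `meta` text, the risk-level-to-severity mapping and the permissive `check_exit_code` are choices made here, not something the thread settled on; the exit-code remark assumes flawfinder's `--error-level` option.

```lua
-- Added example: flawfinder as a null-ls built-in-style diagnostics source.
-- Not code from the null-ls project or from the thread above.
local h = require("null-ls.helpers")
local methods = require("null-ls.methods")

local DIAGNOSTICS = methods.internal.DIAGNOSTICS

-- flawfinder prints a risk level from 0 (lowest) to 5 (highest) in square
-- brackets. Mapping it onto Neovim's severities (instead of flattening
-- everything to WARN) keeps the dangerous hits visible in a long list.
-- This particular mapping is a choice made here.
local severities = {
    ["5"] = vim.diagnostic.severity.ERROR,
    ["4"] = vim.diagnostic.severity.ERROR,
    ["3"] = vim.diagnostic.severity.WARN,
    ["2"] = vim.diagnostic.severity.WARN,
    ["1"] = vim.diagnostic.severity.INFO,
    ["0"] = vim.diagnostic.severity.HINT, -- only shown if run with -m 0
}

local flawfinder = h.make_builtin({
    name = "flawfinder",
    meta = {
        url = "https://dwheeler.com/flawfinder/",
        description = "Static analysis of C/C++ source for risky function use.",
    },
    -- DIAGNOSTICS (not DIAGNOSTICS_ON_SAVE): with to_temp_file the buffer
    -- contents are written to a temp file, so no save is needed.
    method = DIAGNOSTICS,
    filetypes = { "c", "cpp" },
    generator_opts = {
        command = "flawfinder",
        -- -S single-line hits, -Q no banner, -D data only, -C report columns.
        -- $FILENAME is replaced with the temp file path by null-ls.
        args = { "-S", "-Q", "-D", "-C", "$FILENAME" },
        to_stdin = false,
        to_temp_file = true,
        from_stderr = false,
        format = "line",
        -- Accept any exit code: if flawfinder is configured with
        -- --error-level it exits non-zero when hits are found, and that
        -- must not cause null-ls to discard the output.
        check_exit_code = function()
            return true
        end,
        on_output = h.diagnostics.from_pattern(
            -- file:row:col:  [level] (category) name: message
            [[^(.*):(%d+):(%d+): *%[([0-5])%] (.*)$]],
            { "file", "row", "col", "severity", "message" },
            { severities = severities }
        ),
    },
    factory = h.generator_factory,
})

-- Register it like any other source.
require("null-ls").setup({
    sources = { flawfinder },
})
```

Because the temp file lives outside the project, the `file` capture will name that temp path rather than the buffer's real path; null-ls attaches the diagnostics to the buffer it ran the source for, so that is only a concern if something downstream reads the `file` field.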

ghost commented 1 year ago

@jose-elias-alvarez Okay, I've tried to do a pull request. Don't know if I've done it right and so on, since I've never really done it before. However, it seems to work here.

@krishnakumarg1984 I've done a pull request and there's some code above that you can try out if you want to.