mitchspano / sfdx-scan-pull-request

Runs sfdx-scanner on a pull request and generates in-line comments with the findings.
Apache License 2.0

PMD results not populating #73

Closed raghu-madireddy closed 10 months ago

raghu-madireddy commented 10 months ago

For some reason I am not able to see PMD results, and the scan always comes back as success. I can see errors on my local.

    - name: Run SF scanner
      id: sf_code_scanner
      uses: mitchspano/sfdx-scan-pull-request@v0.1.14
      with:
        pmdconfig: 'pmd/deployRules.xml'
        target: 'packge/package.xml'
        severity-threshold: 1
        engine: 'pmd'

Beginning sfdx-scan-pull-request run...
Validating that this action was invoked from an acceptable context...
Getting difference within the pull request ... { baseRef: 'develop', headRef: 'feature/release-test' }
From https://github.com/raghu-madireddy/salesforce-metadata-test
 * [new branch]        develop              -> destination/develop
 * [new branch]        feature/release-test -> destination/feature/release-test
 * [new branch]        main                 -> destination/main
(node:2683) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
Performing static code analysis on all of the files in the difference...
npx sfdx scanner:run --engine pmd --pmdconfig pmd/deployRules.xml --target ".github/workflows/ci.yml,.github/workflows/initial-checks.yml,.github/workflows/validate-develop.yml,.gitignore,force-app/main/default/classes/TestingReleasePMDTest.cls" --json
Filtering the findings to just the lines which are part of the pull request...
Creating Check Runs using GitHub REST API...

mitchspano commented 10 months ago

There are a few issues here:

1) The latest version of the action is 0.1.15 - please upgrade to that.
2) The scan only produces a finding if the entire scope of the PMD finding is present in the git diff, so not all findings will be reported on.
3) Your target is limited to packge/package.xml, so it should only scan that XML file unless run from a pull request - in which case it will scan the files in the PR.
4) Your report mode is check runs instead of comments, so those might render in a different spot than you are looking - here is an example of how they are rendered.
5) Your severity-threshold is set to 1, so all 2s, 3s, 4s, and 5s will be treated as warnings, not errors, and will not result in the job being halted.

raghu-madireddy commented 10 months ago

Thanks @mitchspano ! Appreciate the quick help! I tested with the latest version, varying severity and different targets, but #2 was the issue in my case. I managed to see the results with the new class in the PR. Can we scan the entire class in case of class modifications?

mitchspano commented 10 months ago

Unfortunately, the Github REST API prevents us from creating a comment on lines which are outside the scope of the git diff, hence the check for total inclusion.
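
The two behaviours discussed in this thread (a finding is only reported when its whole line span lies inside the pull request diff, because review comments can only attach to diff lines, and severity-threshold decides which reported findings halt the job) can be reproduced in a few lines. The following Python is an added illustration, not code from sfdx-scan-pull-request; the unified diff, the file path, the rule names' severities and the `Finding` shape are all constructed for the example, and the exact internal logic of the action is assumed to be equivalent rather than copied.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Hunk header of a unified diff: "@@ -old[,count] +new[,count] @@ ...".
# Only the "+new,count" side matters: it gives the head-branch lines that
# GitHub considers part of the pull request diff.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,(\d+))? @@")


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    end_line: int
    severity: int  # PMD convention: 1 is most severe, 5 least severe
    rule: str
    message: str


def changed_ranges(diff_text: str) -> dict[str, list[tuple[int, int]]]:
    """Map each file in a unified diff to the (start, end) line ranges of the
    head version that appear in the diff. Context lines count; deleted lines
    do not exist in the head file and are therefore never commentable."""
    ranges: dict[str, list[tuple[int, int]]] = {}
    current: str | None = None
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current = raw[4:].removeprefix("b/").strip()
            ranges.setdefault(current, [])
        elif raw.startswith("@@") and current is not None:
            m = HUNK_RE.match(raw)
            if not m:
                continue
            start = int(m.group(1))
            count = int(m.group(2)) if m.group(2) is not None else 1
            if count > 0:
                ranges[current].append((start, start + count - 1))
    return ranges


def filter_to_diff(findings: list[Finding],
                   ranges: dict[str, list[tuple[int, int]]]) -> list[Finding]:
    """Keep a finding only if its entire line span sits inside one hunk of the
    diff (the 'total inclusion' check); a finding that merely overlaps the
    diff, or lives in a file the PR did not touch, cannot be commented on."""
    kept = []
    for f in findings:
        for lo, hi in ranges.get(f.file, []):
            if lo <= f.line and f.end_line <= hi:
                kept.append(f)
                break
    return kept


def classify(findings: list[Finding], threshold: int):
    """Findings at or above the threshold severity (numerically <=) are errors
    that halt the job; everything less severe is reported as a warning."""
    errors = [f for f in findings if f.severity <= threshold]
    warnings = [f for f in findings if f.severity > threshold]
    return errors, warnings


def run_scan(diff_text: str, findings: list[Finding], threshold: int) -> dict:
    reportable = filter_to_diff(findings, changed_ranges(diff_text))
    errors, warnings = classify(reportable, threshold)
    return {"reportable": reportable, "errors": errors,
            "warnings": warnings, "halt": bool(errors)}


# Constructed diff: three lines added inside an existing Apex class.
CLS = "force-app/main/default/classes/Example.cls"
SAMPLE_DIFF = f"""diff --git a/{CLS} b/{CLS}
--- a/{CLS}
+++ b/{CLS}
@@ -10,5 +10,8 @@ public with sharing class Example {{
     public void before() {{
         System.debug('unchanged');
     }}
+    public void added() {{
+        Integer unused = 1;
+    }}
     public void after() {{
     }}
"""

# Constructed PMD-style findings; severities are illustrative, not PMD's real values.
SAMPLE_FINDINGS = [
    Finding(CLS, 14, 14, 3, "UnusedLocalVariable", "Variable 'unused' is never used"),
    Finding(CLS, 13, 15, 2, "ApexCRUDViolation", "Validate CRUD permission before DML"),
    Finding(CLS, 1, 40, 3, "ExcessiveClassLength", "Class spans the whole file"),
    Finding("force-app/main/default/classes/Other.cls", 3, 3, 1,
            "ApexSharingViolations", "Class has no sharing declaration"),
]

if __name__ == "__main__":
    for threshold in (1, 2):
        result = run_scan(SAMPLE_DIFF, SAMPLE_FINDINGS, threshold)
        print(f"threshold={threshold}: "
              f"{len(result['errors'])} errors, {len(result['warnings'])} warnings, "
              f"halt={result['halt']}")
```

With the user's `severity-threshold: 1` the two findings inside the diff are both warnings and the job passes, which matches the "always success" symptom; the whole-class finding and the finding in an untouched file never reach the report at all, which is the point (2) behaviour the thread settles on.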

raghu-madireddy commented 10 months ago

ok, that makes sense. Thanks for building this.