mitchspano / sfdx-scan-pull-request

Runs sfdx-scanner on a pull request and generates in-line comments with the findings.
Apache License 2.0
71 stars 24 forks

PDM results not populating #73

Closed raghu-madireddy closed 8 months ago

raghu-madireddy commented 8 months ago

For some reason I am not able to see PMD results, and the scan always comes back as a success. I can see errors on my local.

    - name: Run SF scanner
      id: sf_code_scanner
      uses: mitchspano/sfdx-scan-pull-request@v0.1.14
      with:
        pmdconfig: 'pmd/deployRules.xml'
        target: 'packge/package.xml'
        severity-threshold: 1
        engine: 'pmd'

Beginning sfdx-scan-pull-request run...
Validating that this action was invoked from an acceptable context...
Getting difference within the pull request ... { baseRef: 'develop', headRef: 'feature/release-test' }
From https://github.com/raghu-madireddy/salesforce-metadata-test
 * [new branch]        develop              -> destination/develop
 * [new branch]        feature/release-test -> destination/feature/release-test
 * [new branch]        main                 -> destination/main
(node:2683) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
Performing static code analysis on all of the files in the difference...
npx sfdx scanner:run --engine pmd --pmdconfig pmd/deployRules.xml --target ".github/workflows/ci.yml,.github/workflows/initial-checks.yml,.github/workflows/validate-develop.yml,.gitignore,force-app/main/default/classes/TestingReleasePMDTest.cls" --json
Filtering the findings to just the lines which are part of the pull request...
Creating Check Runs using GitHub REST API...
mitchspano commented 8 months ago

There are a few issues here:

1) The latest version of the action is 0.1.15 - please upgrade to that.
2) The scan only produces a finding if the entire scope of the PMD finding is present in the git diff, so not all findings will be reported on.
3) Your target is limited to packge/package.xml, so it should only scan that XML file unless run from a pull request - in which case it will scan the files in the PR.
4) Your report mode is check runs instead of comments, so those might render in a different spot than you are looking - here is an example of how they are rendered.
5) Your severity-threshold is set to 1, so all 2s, 3s, 4s, and 5s will be treated as warnings, not errors, and will not result in the job being halted.

raghu-madireddy commented 8 months ago

Thanks @mitchspano! Appreciate the quick help! I tested with the latest version, varying severity and different targets, but #2 was the issue in my case. I managed to see the results with the new class in the PR. Can we scan the entire class in case of class modifications?

mitchspano commented 8 months ago

Unfortunately, the GitHub REST API prevents us from creating a comment on lines which are outside the scope of the git diff, hence the check for total inclusion.
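The two behaviours explained in this thread (point #2 and point #5 of the first reply, and the "total inclusion" check described just above) can be modelled in a few lines. The following is an added example written for this page; it is not code from the sfdx-scan-pull-request action or from sfdx-scanner. The changed-line sets and the findings are constructed, and the flat finding shape is a simplification of what `sfdx scanner:run --json` emits; the severity convention assumed is the PMD one, where 1 is the most severe.

```javascript
// Added example, not the action's own code. It models two rules from the
// thread: a finding is reported only when every line it spans is part of the
// pull request diff (GitHub will not accept a review comment outside the
// diff), and a reported finding is an error only when its severity is at or
// below severity-threshold (1 = most severe). All data below is constructed.

// Constructed: lines added or modified in the PR, keyed by file path.
const CHANGED_LINES = {
  // A brand-new 10-line test class: every line is in the diff.
  "force-app/main/default/classes/TestingReleasePMDTest.cls": new Set(
    Array.from({ length: 10 }, (_, i) => i + 1)
  ),
  // A three-line edit inside an existing class.
  "force-app/main/default/classes/AccountService.cls": new Set([40, 41, 42]),
};

// Constructed findings, simplified from the shape of `sfdx scanner:run --json`
// output. `line`/`endLine` are the span of the PMD node that triggered the rule.
const FINDINGS = [
  { fileName: "force-app/main/default/classes/TestingReleasePMDTest.cls",
    ruleName: "ApexUnitTestClassShouldHaveAsserts", severity: 3, line: 1, endLine: 10 },
  { fileName: "force-app/main/default/classes/AccountService.cls",
    ruleName: "ApexCRUDViolation", severity: 1, line: 41, endLine: 41 },
  // Class-level finding: its span (1..120) is far wider than the edited lines,
  // which is exactly the "scan the entire class" case asked about in the thread.
  { fileName: "force-app/main/default/classes/AccountService.cls",
    ruleName: "ExcessiveClassLength", severity: 3, line: 1, endLine: 120 },
  // Overlaps the diff but begins before it, so it is not fully included either.
  { fileName: "force-app/main/default/classes/AccountService.cls",
    ruleName: "ApexSOQLInjection", severity: 1, line: 38, endLine: 42 },
];

// True only when every line of the finding's span was changed in the PR.
function isFullyInDiff(finding, changedLines) {
  const changed = changedLines[finding.fileName];
  if (!changed) return false;
  for (let l = finding.line; l <= finding.endLine; l++) {
    if (!changed.has(l)) return false;
  }
  return true;
}

// Split findings into those that can receive a comment and those dropped.
function filterToDiff(findings, changedLines) {
  const reported = [];
  const dropped = [];
  for (const f of findings) {
    (isFullyInDiff(f, changedLines) ? reported : dropped).push(f);
  }
  return { reported, dropped };
}

// Severity 1 is the most severe. A finding halts the job only when its
// severity is at or below the threshold; everything else is a warning.
function classify(findings, severityThreshold) {
  const errors = findings.filter((f) => f.severity <= severityThreshold);
  const warnings = findings.filter((f) => f.severity > severityThreshold);
  return { errors, warnings, halt: errors.length > 0 };
}

// Run both steps and return rule names so the outcome is easy to inspect.
function summarize(findings, changedLines, severityThreshold) {
  const { reported, dropped } = filterToDiff(findings, changedLines);
  const { errors, warnings, halt } = classify(reported, severityThreshold);
  return {
    reported: reported.map((f) => f.ruleName),
    dropped: dropped.map((f) => f.ruleName),
    errors: errors.map((f) => f.ruleName),
    warnings: warnings.map((f) => f.ruleName),
    halt,
  };
}

// Usage: the configuration from the issue, severity-threshold: 1.
console.log(JSON.stringify(summarize(FINDINGS, CHANGED_LINES, 1), null, 2));
```

With the issue's threshold of 1, only the `ApexCRUDViolation` on a changed line counts as an error; the severity-3 finding on the new test class is reported as a warning, and both class-wide findings on `AccountService.cls` are dropped because part of their span lies outside the diff. Raising the threshold to 3 turns the warning into an error but does not bring the dropped findings back, which is why a class-level rule can show up locally yet never appear on the PR.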

raghu-madireddy commented 8 months ago

ok, that makes sense. Thanks for building this.