Export scalafix report to a file or expose errors via an API

[mwz]

Would it be possible for scalafix to generate a file report with all the reported errors in e.g. json or xml format or allow scalafix to be run and expose the errors via an API so other tools could make use of that? My specific use case would be to import scalafix errors into SonarQube (a tool for static code analysis) using the sonar-scala plugin, but I'm sure others might also find this feature useful.

I suppose this would only apply to the DisableSyntax rules as the other rules rewrite the source code.

I'd be happy to work on this if we could agree on details about how this should work.

[olafurpg]

Thanks for reporting! I think is a nice idea. Is there a standard format we can output? Scalafix exposes a library API to record published diagnostics in ScalafixMainCallback, see

https://github.com/scalacenter/scalafix/blob/f29dbddb970913d4708b1f3c372612bcc1698033/scalafix-interfaces/src/main/java/scalafix/interfaces/ScalafixMainCallback.java#L12

It depends on the integration what we do in that callback, the cli prints to the console and sbt-scalafix uses the sbt logger.

[mwz]

Both Scalastyle and Scapegoat support generating reports in a Checkstyle compatible xml format, so it would make sense to me if scalafix could also stick to this convention - I'll add an example later of how a generated report could look like. @BalmungSan, do you have any thoughts on that?

[BalmungSan]

I agree it would make sense to keep a similar format. On sonar we would need:

• Filename (Including the package or the folder hierarchy).
• Issue identifier.
• Line number (or line range) of the issue.
• Any message related with the issue.
• Severity of the issue (if applicable).

I believe these are standard enough to be useful for other tools. Also, I think xml would be the best format for the report, since that is the standard we have been using for other tools like Scapegoat, Scalastyle & Scoverage.

But, more importantly, we would need a way to extract all issues that could be reported, in order to create the RulesRepository - However, I had not used Scalafix before, so I do not know if this is already supported, or if we are going to create only one rule for all Scalafix issues?

---

BTW, it would be really useful if the report could be generated on a project level instead of a module level.
However, this may be outside of this and probably should be handled by SBT, Maven & other build tools instead (or even sonar-scala itself).

[bjaglin]

Related to https://github.com/scalacenter/scalafix/issues/1154

[atennapel]

Is there any progress on this? We are currently using the checkstyle xml report that Scalastyle outputs and we are working on switching to Scalafix.

[Fristi]

Like discussed here https://contributors.scala-lang.org/t/lack-of-security-tooling/5918, it would be nice to add reporting capabilities to scalafix. Is there a standard format for this in the industry for tools like SonarQube and such? Otherwise maybe just integrating with SonarQube would be a start.

Also adding SAST scalafix rules would be a nice addition

[bjaglin]

Is there any progress on this?

No progress, but contributions are welcome! Either as a special mode in sbt-scalafix using the guidance above, or as a built-in flag in scalafix-cli itself. I'll be happy to provide help on Discord if someone wants to take a look at it.

Is there a standard format for this in the industry for tools like SonarQube and such?

As mentioned above, the checkstyle XML report might be good fit for Scalafix linters rules.

[bjaglin]

Thanks to @xuwei-k, we have a sbt-centric tool to generate CI-actionnable reports for compiler & scalafix lints. It's currently custom and limited to syntactic rules, but https://github.com/scalacenter/sbt-scalafix/pull/384 should enable a better integration and support for semantic rules.