spotbugs / spotbugs-maven-plugin

Maven Mojo Plug-In to generate reports based on the SpotBugs Analyzer
https://spotbugs.github.io/spotbugs-maven-plugin/
Apache License 2.0

Add support for SARIF format #339

Closed h3xstream closed 2 years ago

h3xstream commented 2 years ago

This change allows the Maven plugin to export the SARIF format (already supported by SpotBugs) to the build directory. It reuses the same directory configured to export the XML file. At the moment, it can only export XML or SARIF (JSON), not both.

By default the report will be placed in target/spotbugsSarif.json.

Configuration

It can be configured inline with: -Dspotbugs.sarifOutput=true

or with XML configuration.

Objective

The key goal is to easily allow the configuration of Github workflow with SARIF upload. https://docs.github.com/en/code-security/secure-coding/integrating-with-code-scanning/uploading-a-sarif-file-to-github

hazendaz commented 2 years ago

@h3xstream Can you add an integration test for this?

h3xstream commented 2 years ago

Integration test added

The integration test verifies that the file is created at the expected location and that the file is a valid JSON file (not just an empty file).

import groovy.json.JsonSlurper

// verify.groovy is run by maven-invoker with `basedir` bound to the IT project;
// the plugin writes the SARIF report to target/spotbugsSarif.json by default
def spotbugSarifFile = new File(basedir, 'target/spotbugsSarif.json')
assert spotbugSarifFile.exists()

println '**********************************'
println "Checking SARIF file"
println '**********************************'

// parsing fails on an empty or malformed file, so this also checks validity
def path = new JsonSlurper().parse(spotbugSarifFile)

// SARIF nests results under runs; take the first run's results
def results = path.runs.results[0]
println "BugInstance size is ${results.size()}"

assert results.size() > 0

Output when running mvn -Prun-its

[INFO] Building: sarif-1\pom.xml
[INFO] run post-build script verify.groovy
[INFO]           sarif-1\pom.xml .................................. SUCCESS (8.7 s)

The build.log when the verify script is run:

Running post-build script: C:\Code\spotbugs-maven-plugin\target\it\sarif-1\verify.groovy
**********************************
Checking SARIF file
**********************************
BugInstance size is 2
Finished post-build script: C:\Code\spotbugs-maven-plugin\target\it\sarif-1\verify.groovy

hazendaz commented 2 years ago

@h3xstream Thanks, I have merged this now. Generally I only release this out once spotbugs updates again. Not sure exactly when that will occur but it is frequent enough.

h3xstream commented 2 years ago

@hazendaz I'm not in a hurry.

FYI: I still have one small feature I would like to add to make integration with Github security events smoother. It involves converting paths to paths relative to the root.
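
An added check, in Python, that is not part of this PR or of the plugin: it repeats what the Groovy verify script above does (parse the report as JSON, require at least one result) and adds the conditions GitHub code scanning is picky about, namely the SARIF version, a ruleId per result, and artifact paths relative to the repository root (the relative-path point raised above). The SARIF document is constructed inline as a stand-in for target/spotbugsSarif.json; its rule ids, paths and messages are sample values.

```python
import json
from urllib.parse import urlparse

# Constructed minimal SARIF 2.1.0 document standing in for target/spotbugsSarif.json;
# the second result deliberately carries an absolute file: URI.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "results": [
            {"ruleId": "NP_NULL_ON_SOME_PATH", "level": "warning",
             "message": {"text": "Possible null pointer dereference"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/demo/App.java"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "DM_DEFAULT_ENCODING", "level": "note",
             "message": {"text": "Reliance on default encoding"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "file:///C:/Code/demo/src/main/java/demo/Io.java"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
})

def check_sarif(text):
    """Return (result_count, problems) for a SARIF document given as text.
    Repeats what verify.groovy checks (valid JSON, at least one result) and adds
    what GitHub code scanning expects: version 2.1.0, a ruleId per result and
    artifact URIs relative to the repository root."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return 0, [f"not valid JSON: {exc}"]
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append(f"unexpected SARIF version {doc.get('version')!r}")
    runs = doc.get("runs") or []
    if not runs:
        return 0, problems + ["no runs"]
    results = runs[0].get("results") or []
    if not results:
        problems.append("run has no results")
    for i, res in enumerate(results):
        if not res.get("ruleId"):
            problems.append(f"result {i} has no ruleId")
        for loc in res.get("locations", []):
            uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "")
            # a scheme (file:), a leading slash or a backslash means an absolute path
            if urlparse(uri).scheme or uri.startswith("/") or "\\" in uri:
                problems.append(f"result {i}: location {uri!r} is not relative to the root")
    return len(results), problems
```

Run against the real report with `check_sarif(open("target/spotbugsSarif.json").read())` before uploading it to code scanning.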

hazendaz commented 2 years ago

@h3xstream OK, thanks. spotbugs did release a new version, but if you have something you are working on I think we can wait here.