tomasbjerre / violations-maven-plugin

Maven plugin that will find report files from static code analysis, present and optionally fail the build.
Other
4 stars 1 forks source link
checkstyle csslint detekt findbugs golint jshint lint pmd static-analysis

Violations Maven Plugin

Maven Central

Version Java Version
version < 2.2.0 8
2.2.0 <= version 11

This is a Maven plugin for Violations Lib. There is also a Gradle plugin and a command line tool.

It can parse results from static code analysis and:

A snippet of the output may look like this:

se/bjurr/violations/lib/example/OtherClass.java
╔══════════╤════════════╤══════════╤══════╤════════════════════════════════════════════════════╗
║ Reporter │ Rule       │ Severity │ Line │ Message                                            ║
╠══════════╪════════════╪══════════╪══════╪════════════════════════════════════════════════════╣
║ Findbugs │ MS_SHOULD_ │ INFO     │ 7    │ Field isn't final but should be                    ║
║          │ BE_FINAL   │          │      │                                                    ║
║          │            │          │      │                                                    ║
║          │            │          │      │    <p>                                             ║
║          │            │          │      │ This static field public but not final, and        ║
║          │            │          │      │ could be changed by malicious code or              ║
║          │            │          │      │         by accident from another package.          ║
║          │            │          │      │         The field could be made final to avoid     ║
║          │            │          │      │         this vulnerability.</p>                    ║
╟──────────┼────────────┼──────────┼──────┼────────────────────────────────────────────────────╢
║ Findbugs │ NM_FIELD_N │ INFO     │ 6    │ Field names should start with a lower case letter  ║
║          │ AMING_CONV │          │      │                                                    ║
║          │ ENTION     │          │      │                                                    ║
║          │            │          │      │   <p>                                              ║
║          │            │          │      │ Names of fields that are not final should be in mi ║
║          │            │          │      │ xed case with a lowercase first letter and the fir ║
║          │            │          │      │ st letters of subsequent words capitalized.        ║
║          │            │          │      │ </p>                                               ║
╚══════════╧════════════╧══════════╧══════╧════════════════════════════════════════════════════╝

Summary of se/bjurr/violations/lib/example/OtherClass.java
╔══════════╤══════╤══════╤═══════╤═══════╗
║ Reporter │ INFO │ WARN │ ERROR │ Total ║
╠══════════╪══════╪══════╪═══════╪═══════╣
║ Findbugs │ 2    │ 0    │ 0     │ 2     ║
╟──────────┼──────┼──────┼───────┼───────╢
║          │ 2    │ 0    │ 0     │ 2     ║
╚══════════╧══════╧══════╧═══════╧═══════╝

Summary
╔════════════╤══════╤══════╤═══════╤═══════╗
║ Reporter   │ INFO │ WARN │ ERROR │ Total ║
╠════════════╪══════╪══════╪═══════╪═══════╣
║ Checkstyle │ 4    │ 1    │ 1     │ 6     ║
╟────────────┼──────┼──────┼───────┼───────╢
║ Findbugs   │ 2    │ 2    │ 5     │ 9     ║
╟────────────┼──────┼──────┼───────┼───────╢
║            │ 6    │ 3    │ 6     │ 15    ║
╚════════════╧══════╧══════╧═══════╧═══════╝

Example of supported reports are available here.

A number of parsers have been implemented. Some parsers can parse output from several reporters.

Reporter Parser Notes
ARM-GCC CLANG
AndroidLint ANDROIDLINT
Ansible-Later ANSIBLELATER With json format
AnsibleLint FLAKE8 With -p
Bandit CLANG With bandit -r examples/ -f custom -o bandit.out --msg-template "{abspath}:{line}: {severity}: {test_id}: {msg}"
CLang CLANG
CPD CPD
CPPCheck CPPCHECK With cppcheck test.cpp --output-file=cppcheck.xml --xml
CPPLint CPPLINT
CSSLint CSSLINT
Checkstyle CHECKSTYLE
CloudFormation Linter JUNIT cfn-lint . -f junit --output-file report-junit.xml
CodeClimate CODECLIMATE
CodeNarc CODENARC
Coverity COVERITY
Dart MACHINE With dart analyze --format=machine
Dependency Check SARIF Using --format SARIF
Detekt CHECKSTYLE With --output-format xml.
DocFX DOCFX
Doxygen CLANG
ERB CLANG With erb -P -x -T '-' "${it}" \| ruby -c 2>&1 >/dev/null \| grep '^-' \| sed -E 's/^-([a-zA-Z0-9:]+)/${filename}\1 ERROR:/p' > erbfiles.out.
ESLint CHECKSTYLE With format: 'checkstyle'.
Findbugs FINDBUGS
Flake8 FLAKE8
FxCop FXCOP
GCC CLANG
GHS GHS
Gendarme GENDARME
[Generic reporter]() GENERIC Will create one single violation with all the content as message.
GoLint GOLINT
GoVet GOLINT Same format as GoLint.
GolangCI-Lint CHECKSTYLE With --out-format=checkstyle.
GoogleErrorProne GOOGLEERRORPRONE
HadoLint CHECKSTYLE With -f checkstyle
IAR IAR With --no_wrap_diagnostics
Infer PMD Facebook Infer. With --pmd-xml.
JACOCO JACOCO
JCReport JCREPORT
JSHint JSLINT With --reporter=jslint or the CHECKSTYLE parser with --reporter=checkstyle
JUnit JUNIT It only contains the failures.
KTLint CHECKSTYLE
Klocwork KLOCWORK
KotlinGradle KOTLINGRADLE Output from Kotlin Gradle Plugin.
KotlinMaven KOTLINMAVEN Output from Kotlin Maven Plugin.
[Lint]() LINT A common XML format, used by different linters.
MSBuildLog MSBULDLOG With -fileLogger use .*msbuild\\.log$ as pattern or -fl -flp:logfile=MyProjectOutput.log;verbosity=diagnostic for a custom output filename
MSCpp MSCPP
Mccabe FLAKE8
MyPy MYPY
NullAway GOOGLEERRORPRONE Same format as Google Error Prone.
PCLint PCLINT PC-Lint using the same output format as the Jenkins warnings plugin, details here
PHPCS CHECKSTYLE With phpcs api.php --report=checkstyle.
PHPPMD PMD With phpmd api.php xml ruleset.xml.
PMD PMD
Pep8 FLAKE8
PerlCritic PERLCRITIC
PiTest PITEST
ProtoLint PROTOLINT
Puppet-Lint CLANG With -log-format %{fullpath}:%{line}:%{column}: %{kind}: %{message}
PyDocStyle PYDOCSTYLE
PyFlakes FLAKE8
PyLint PYLINT With pylint --output-format=parseable.
ReSharper RESHARPER
RubyCop CLANG With rubycop -f clang file.rb
SARIF SARIF v2.x. Microsoft Visual C# can generate it with ErrorLog="BuildErrors.sarif,version=2".
SbtScalac SBTSCALAC
Scalastyle CHECKSTYLE
Semgrep SEMGREP With --json.
Simian SIMIAN
Sonar SONAR With mvn sonar:sonar -Dsonar.analysis.mode=preview -Dsonar.report.export.path=sonar-report.json. Removed in 7.7, see SONAR-11670 but can be retrieved with: curl --silent 'http://sonar-server/api/issues/search?componentKeys=unique-key&resolved=false' \| jq -f sonar-report-builder.jq > sonar-report.json.
Spotbugs FINDBUGS
StyleCop STYLECOP
SwiftLint CHECKSTYLE With --reporter checkstyle.
TSLint CHECKSTYLE With -t checkstyle
Valgrind VALGRIND With --xml=yes.
XMLLint XMLLINT
XUnit XUNIT It only contains the failures.
YAMLLint YAMLLINT With -f parsable
ZPTLint ZPTLINT

52 parsers and 79 reporters.

Missing a format? Open an issue here!

Usage

There is a running example here. See also bjurr-bom.

The plugin needs to run after any static code analysis tools, so put it after them in the pom. Having the following in the pom will make the plugin run with mvn validate:

  <plugins>
   <plugin>
    <groupId>org.codehaus.mojo</groupId>
    <artifactId>findbugs-maven-plugin</artifactId>
    <version>3.0.5</version>
    <executions>
     <execution>
      <goals>
       <goal>check</goal>
      </goals>
     </execution>
    </executions>
   </plugin>
   <plugin>
    <groupId>se.bjurr.violations</groupId>
    <artifactId>violations-maven-plugin</artifactId>
    <version>X</version>
    <executions>
     <execution>
      <phase>validate</phase>
      <goals>
       <goal>violations</goal>
      </goals>
      <configuration>
       <!-- Optional config -->
       <!-- 0 is disabled -->
       <maxReporterColumnWidth>0</maxReporterColumnWidth>
       <maxRuleColumnWidth>60</maxRuleColumnWidth>
       <maxSeverityColumnWidth>0</maxSeverityColumnWidth>
       <maxLineColumnWidth>0</maxLineColumnWidth>
       <maxMessageColumnWidth>50</maxMessageColumnWidth>

       <!-- Global configuration, remove if you dont want to report violations 
            for the entire repo. -->
       <!-- INFO, WARN or ERROR -->
       <minSeverity>INFO</minSeverity>
       <!-- PER_FILE_COMPACT, COMPACT or VERBOSE -->
       <detailLevel>VERBOSE</detailLevel>
       <!-- Will fail the build if total number of found violations is higher -->
       <maxViolations>99999999</maxViolations>
       <!-- Will print violations found in diff -->
       <printViolations>true</printViolations>
       <!-- Will create a CodeClimate JSON report. -->
       <codeClimateFile>code-climate-file.json</codeClimateFile>
       <!-- Will create a normalized JSON report. -->
       <violationsFile>violations-file.json</violationsFile>

       <!-- Diff configuration, remove if you dont want to report violations 
            for files changed between specific revisions. -->
       <!-- Can be empty (ignored), Git-commit or any Git-reference -->
       <diffFrom></diffFrom>
       <!-- Same as above -->
       <diffTo></diffTo>
       <!-- INFO, WARN or ERROR -->
       <diffMinSeverity>INFO</diffMinSeverity>
       <!-- PER_FILE_COMPACT, COMPACT or VERBOSE -->
       <diffDetailLevel>VERBOSE</diffDetailLevel>
       <!-- Will fail the build if number of violations, in the diff within from/to, is higher -->
       <diffMaxViolations>99</diffMaxViolations>
       <!-- Will print violations found in diff -->
       <diffPrintViolations>true</diffPrintViolations>
       <!-- Where to look for Git -->
       <gitRepo>.</gitRepo>

       <!-- This is mandatory regardless of if you want to report violations 
            between revisions or the entire repo. -->
       <violations>
        <violation>
         <!-- Many more formats available, see:
              https://github.com/tomasbjerre/violations-lib
         -->
         <parser>FINDBUGS</parser>
         <reporter>Findbugs</reporter>
         <folder>.</folder>
         <pattern>.*/findbugsXml\.xml$</pattern>
        </violation>
       </violations>
      </configuration>
     </execution>
    </executions>
   </plugin>
  </plugins>