This is a fork
of tomasbjerre/violation-comments-to-github-gradle-plugin.
The original project is archived and no longer maintained. The main motivation of the author to
archive this project was that Github supports SARIF,
but this is a paid feature for private repositories, even if you are an enterprise user.
This fork is intended to keep the project alive and to provide a place for further development. Fortunately the main project https://github.com/tomasbjerre/violations-lib is still active, so the development of this fork will be usually limited to bumping the version of the main library.
- follow the same steps described in the original docs (check the next paragraphs)
- only the build script definition changes:
buildscript {
repositories {
maven {
url 'https://jitpack.io'
}
}
dependencies {
classpath "com.github.thefabulous:violation-comments-to-github-gradle-plugin:1.70.1"
}
}- see CHANGELOG.md for the list of changes for each release
- project is build using JitPack: https://jitpack.io/#thefabulous/violation-comments-to-github-gradle-plugin/
Archived, see motivation here https://github.com/tomasbjerre/violation-comments-to-github-lib
This is a Gradle plugin for Violation Comments to GitHub Lib.
It can be used in Travis, or any other build server, to read results from static code analysis and comment pull requests in GitHub with them.
The merge must be performed in order for the commented lines in the PR to match the lines reported by the analysis tools!
Example of supported reports are available here.
A number of parsers have been implemented. Some parsers can parse output from several * reporters*.
| Reporter | Parser | Notes |
|---|---|---|
| ARM-GCC | CLANG |
|
| AndroidLint | ANDROIDLINT |
|
| Ansible-Later | ANSIBLELATER |
With json format |
| AnsibleLint | FLAKE8 |
With -p |
| Bandit | CLANG |
With bandit -r examples/ -f custom -o bandit.out --msg-template "{abspath}:{line}: {severity}: {test_id}: {msg}" |
| CLang | CLANG |
|
| CPD | CPD |
|
| CPPCheck | CPPCHECK |
With cppcheck test.cpp --output-file=cppcheck.xml --xml |
| CPPLint | CPPLINT |
|
| CSSLint | CSSLINT |
|
| Checkstyle | CHECKSTYLE |
|
| CloudFormation Linter | JUNIT |
cfn-lint . -f junit --output-file report-junit.xml |
| CodeClimate | CODECLIMATE |
|
| CodeNarc | CODENARC |
|
| Dart | MACHINE |
With dart analyze --format=machine |
| Dependency Check | SARIF |
Using --format SARIF |
| Detekt | CHECKSTYLE |
With --output-format xml. |
| DocFX | DOCFX |
|
| Doxygen | CLANG |
|
| ERB | CLANG |
With `erb -P -x -T '-' "${it}" \ |
| ESLint | CHECKSTYLE |
With format: 'checkstyle'. |
| Findbugs | FINDBUGS |
|
| Flake8 | FLAKE8 |
|
| FxCop | FXCOP |
|
| GCC | CLANG |
|
| GHS | GHS |
|
| Gendarme | GENDARME |
|
| Generic reporter | GENERIC |
Will create one single violation with all the content as message. |
| GoLint | GOLINT |
|
| GoVet | GOLINT |
Same format as GoLint. |
| GolangCI-Lint | CHECKSTYLE |
With --out-format=checkstyle. |
| GoogleErrorProne | GOOGLEERRORPRONE |
|
| HadoLint | CHECKSTYLE |
With -f checkstyle |
| IAR | IAR |
With --no_wrap_diagnostics |
| Infer | PMD |
Facebook Infer. With --pmd-xml. |
| JACOCO | JACOCO |
|
| JCReport | JCREPORT |
|
| JSHint | JSLINT |
With --reporter=jslint or the CHECKSTYLE parser with --reporter=checkstyle |
| JUnit | JUNIT |
It only contains the failures. |
| KTLint | CHECKSTYLE |
|
| Klocwork | KLOCWORK |
|
| KotlinGradle | KOTLINGRADLE |
Output from Kotlin Gradle Plugin. |
| KotlinMaven | KOTLINMAVEN |
Output from Kotlin Maven Plugin. |
| Lint | LINT |
A common XML format, used by different linters. |
| MSBuildLog | MSBULDLOG |
With -fileLogger use .*msbuild\\.log$ as pattern or -fl -flp:logfile=MyProjectOutput.log;verbosity=diagnostic for a custom output filename |
| MSCpp | MSCPP |
|
| Mccabe | FLAKE8 |
|
| MyPy | MYPY |
|
| NullAway | GOOGLEERRORPRONE |
Same format as Google Error Prone. |
| PCLint | PCLINT |
PC-Lint using the same output format as the Jenkins warnings plugin, details here |
| PHPCS | CHECKSTYLE |
With phpcs api.php --report=checkstyle. |
| PHPPMD | PMD |
With phpmd api.php xml ruleset.xml. |
| PMD | PMD |
|
| Pep8 | FLAKE8 |
|
| PerlCritic | PERLCRITIC |
|
| PiTest | PITEST |
|
| ProtoLint | PROTOLINT |
|
| Puppet-Lint | CLANG |
With -log-format %{fullpath}:%{line}:%{column}: %{kind}: %{message} |
| PyDocStyle | PYDOCSTYLE |
|
| PyFlakes | FLAKE8 |
|
| PyLint | PYLINT |
With pylint --output-format=parseable. |
| ReSharper | RESHARPER |
|
| RubyCop | CLANG |
With rubycop -f clang file.rb |
| SARIF | SARIF |
v2.x. Microsoft Visual C# can generate it with ErrorLog="BuildErrors.sarif,version=2". |
| SbtScalac | SBTSCALAC |
|
| Scalastyle | CHECKSTYLE |
|
| Semgrep | SEMGREP |
With --json. |
| Simian | SIMIAN |
|
| Sonar | SONAR |
With mvn sonar:sonar -Dsonar.analysis.mode=preview -Dsonar.report.export.path=sonar-report.json. Removed in 7.7, see SONAR-11670 but can be retrieved with: `curl --silent 'http://sonar-server/api/issues/search?componentKeys=unique-key&resolved=false' \ |
| Spotbugs | FINDBUGS |
|
| StyleCop | STYLECOP |
|
| SwiftLint | CHECKSTYLE |
With --reporter checkstyle. |
| TSLint | CHECKSTYLE |
With -t checkstyle |
| Valgrind | VALGRIND |
With --xml=yes. |
| XMLLint | XMLLINT |
|
| XUnit | XUNIT |
It only contains the failures. |
| YAMLLint | YAMLLINT |
With -f parsable |
| ZPTLint | ZPTLINT |
51 parsers and 78 reporters.
Missing a format? Open an issue here!
There is a running example here.
Here is and example:
buildscript {
repositories {
maven {
url "https://plugins.gradle.org/m2/"
}
}
dependencies {
classpath "se.bjurr.violations:violation-comments-to-github-gradle-plugin:X"
}
}
apply plugin: "se.bjurr.violations.violation-comments-to-github-gradle-plugin"
task violationCommentsToGitHub(type: se.bjurr.violations.comments.github.plugin.gradle.ViolationCommentsToGitHubTask) {
repositoryOwner = "tomasbjerre";
repositoryName = "violations-test"
pullRequestId = System.properties['GITHUB_PULLREQUESTID']
username = System.properties['GITHUB_USERNAME']
password = System.properties['GITHUB_PASSWORD']
oAuth2Token = System.properties['GITHUB_OAUTH2TOKEN']
gitHubUrl = "https://api.github.com/"
createCommentWithAllSingleFileComments = false
createSingleFileComments = true
commentOnlyChangedContent = true
minSeverity = se.bjurr.violations.lib.model.SEVERITY.INFO //ERROR, INFO, WARN
maxNumberOfViolations: 99999
commentTemplate = """
**Reporter**: {{violation.reporter}}{{#violation.rule}}
**Rule**: {{violation.rule}}{{/violation.rule}}
**Severity**: {{violation.severity}}
**File**: {{violation.file}} L{{violation.startLine}}{{#violation.source}}
**Source**: {{violation.source}}{{/violation.source}}
{{violation.message}}
"""
violations = [
["FINDBUGS", ".", ".*/findbugs/.*\\.xml\$", "Findbugs"],
["PMD", ".", ".*/pmd/.*\\.xml\$", "PMD"],
["CHECKSTYLE", ".", ".*/checkstyle/.*\\.xml\$", "Checkstyle"],
["JSHINT", ".", ".*/jshint/.*\\.xml\$", "JSHint"],
["CSSLINT", ".", ".*/csslint/.*\\.xml\$", "CssLint"]
]
}
To send violations, just run:
./gradlew violationCommentsToGitHub -DGITHUB_PULLREQUESTID=$GITHUB_PULL_REQUEST -DGITHUB_USERNAME=... -DGITHUB_PASSWORD=...
Or if you want to use OAuth2:
./gradlew violationCommentsToGitHub -DGITHUB_PULLREQUESTID=$TRAVIS_PULL_REQUEST -DGITHUB_OAUTH2TOKEN=$GITHUB_OAUTH2TOKEN
You may also have a look at Violations Lib.
To build the code you need to run build.sh in root of repo. You may also have a look
at .travis.yml.
To do a release you need to
do ./gradlew release -Dgradle.publish.key=... -Dgradle.publish.secret=... and release the artifact
from staging. More
information here.