Home

Awesome

Violation Comments To Bitbucket Cloud Command Line

NPM Maven Central Docker Pulls

Report static code analysis to Bitbucket Cloud. It uses the Violations Lib.

Bitbucket Cloud Comment

The runnable can be found in NPM.

Run it with:

npx violation-comments-to-bitbucket-cloud-command-line \
 -u tomasbjerre \
 -p MY-APPLICATION-PASSWORD \
 -ws tomasbjerre \
 -rs violations-test \
 -prid 1 \
 -v "CHECKSTYLE" "." ".*checkstyle/main\.xml$" "Checkstyle" \
 -v "JSHINT" "." ".*jshint/report\.xml$" "JSHint"

Create application passwords like this: https://confluence.atlassian.com/bitbucket/app-passwords-828781300.html

If using it from Jenkins, you may integrate with Bitbucket Cloud with this plugin: https://github.com/jenkinsci/generic-webhook-trigger-plugin

You must perform the merge before build. If you don't perform the merge, the reported violations will refer to other lines then those in the pull request. The merge can be done with a shell script like this.

echo ---
echo --- Merging from $FROM in $FROMREPO to $TO in $TOREPO
echo ---
git clone $TOREPO
cd *
git reset --hard $TO
git status
git remote add from $FROMREPO
git fetch from
git merge $FROM
git --no-pager log --max-count=10 --graph --abbrev-commit

Your build command here!

Example of supported reports are available here.

A number of parsers have been implemented. Some parsers can parse output from several reporters.

ReporterParserNotes
ARM-GCCCLANG
AndroidLintANDROIDLINT
Ansible-LaterANSIBLELATERWith json format
AnsibleLintFLAKE8With -p
BanditCLANGWith bandit -r examples/ -f custom -o bandit.out --msg-template "{abspath}:{line}: {severity}: {test_id}: {msg}"
CLangCLANG
CPDCPD
CPPCheckCPPCHECKWith cppcheck test.cpp --output-file=cppcheck.xml --xml
CPPLintCPPLINT
CSSLintCSSLINT
CheckstyleCHECKSTYLE
CloudFormation LinterJUNITcfn-lint . -f junit --output-file report-junit.xml
CodeClimateCODECLIMATE
CodeNarcCODENARC
CoverityCOVERITY
DartMACHINEWith dart analyze --format=machine
Dependency CheckSARIFUsing --format SARIF
DetektCHECKSTYLEWith --output-format xml.
DocFXDOCFX
DoxygenCLANG
ERBCLANGWith erb -P -x -T '-' "${it}" | ruby -c 2>&1 >/dev/null | grep '^-' | sed -E 's/^-([a-zA-Z0-9:]+)/${filename}\1 ERROR:/p' > erbfiles.out.
ESLintCHECKSTYLEWith format: 'checkstyle'.
FindbugsFINDBUGS
Flake8FLAKE8
FxCopFXCOP
GCCCLANG
GHSGHS
GendarmeGENDARME
Generic reporterGENERICWill create one single violation with all the content as message.
GoLintGOLINT
GoVetGOLINTSame format as GoLint.
GolangCI-LintCHECKSTYLEWith --out-format=checkstyle.
GoogleErrorProneGOOGLEERRORPRONE
HadoLintCHECKSTYLEWith -f checkstyle
IARIARWith --no_wrap_diagnostics
InferPMDFacebook Infer. With --pmd-xml.
JACOCOJACOCO
JCReportJCREPORT
JSHintJSLINTWith --reporter=jslint or the CHECKSTYLE parser with --reporter=checkstyle
JUnitJUNITIt only contains the failures.
KTLintCHECKSTYLE
KlocworkKLOCWORK
KotlinGradleKOTLINGRADLEOutput from Kotlin Gradle Plugin.
KotlinMavenKOTLINMAVENOutput from Kotlin Maven Plugin.
LintLINTA common XML format, used by different linters.
MSBuildLogMSBULDLOGWith -fileLogger use .*msbuild\\.log$ as pattern or -fl -flp:logfile=MyProjectOutput.log;verbosity=diagnostic for a custom output filename
MSCppMSCPP
MccabeFLAKE8
MyPyMYPY
NullAwayGOOGLEERRORPRONESame format as Google Error Prone.
PCLintPCLINTPC-Lint using the same output format as the Jenkins warnings plugin, details here
PHPCSCHECKSTYLEWith phpcs api.php --report=checkstyle.
PHPPMDPMDWith phpmd api.php xml ruleset.xml.
PMDPMD
Pep8FLAKE8
PerlCriticPERLCRITIC
PiTestPITEST
ProtoLintPROTOLINT
Puppet-LintCLANGWith -log-format %{fullpath}:%{line}:%{column}: %{kind}: %{message}
PyDocStylePYDOCSTYLE
PyFlakesFLAKE8
PyLintPYLINTWith pylint --output-format=parseable.
ReSharperRESHARPER
RubyCopCLANGWith rubycop -f clang file.rb
SARIFSARIFv2.x. Microsoft Visual C# can generate it with ErrorLog="BuildErrors.sarif,version=2".
SbtScalacSBTSCALAC
ScalastyleCHECKSTYLE
SemgrepSEMGREPWith --json.
SimianSIMIAN
SonarSONARWith mvn sonar:sonar -Dsonar.analysis.mode=preview -Dsonar.report.export.path=sonar-report.json. Removed in 7.7, see SONAR-11670 but can be retrieved with: curl --silent 'http://sonar-server/api/issues/search?componentKeys=unique-key&resolved=false' | jq -f sonar-report-builder.jq > sonar-report.json.
SpotbugsFINDBUGS
StyleCopSTYLECOP
SwiftLintCHECKSTYLEWith --reporter checkstyle.
TSLintCHECKSTYLEWith -t checkstyle
ValgrindVALGRINDWith --xml=yes.
XMLLintXMLLINT
XUnitXUNITIt only contains the failures.
YAMLLintYAMLLINTWith -f parsable
ZPTLintZPTLINT

52 parsers and 79 reporters.

Missing a format? Open an issue here!

Usage

-comment-only-changed-content, -cocc <boolean>          True if only changed 
                                                        parts of the changed files 
                                                        should be commented. False if 
                                                        all findings on the 
                                                        changed files should be 
                                                        commented.
                                                        <boolean>: true or false
                                                        Default: true
-comment-only-changed-files, -cocf <boolean>            True if only changed 
                                                        files should be commented. 
                                                        False if all findings should 
                                                        be commented.
                                                        <boolean>: true or false
                                                        Default: true
-comment-template <string>                              https://github.
                                                        com/tomasbjerre/violation-comments-lib
                                                        <string>: any string
                                                        Default: 
-create-comment-with-all-single-file-comments, -        <boolean>: true or false
ccwasfc <boolean>                                       Default: false
-create-single-file-comments, -csfc <boolean>           <boolean>: true or false
                                                        Default: true
-h, --help <argument-to-print-help-for>                 <argument-to-print-help-for>: an argument to print help for
                                                        Default: If no specific parameter is given the whole usage text is given
-keep-old-comments <boolean>                            <boolean>: true or false
                                                        Default: false
-max-number-of-violations, -max <integer>               <integer>: -2,147,483,648 to 2,147,483,647
                                                        Default: 2,147,483,647
-password, -p <string>                                  You can create an 
                                                        'application password' in Bitbucket 
                                                        to use here. See https:
                                                        //confluence.atlassian.
                                                        com/bitbucket/app-passwords-828781300.
                                                        html
                                                        <string>: any string
                                                        Default: 
-pull-request-id, -prid <string>                        <string>: any string [Required]
-repository-slug, -rs <string>                          <string>: any string [Required]
-severity, -s <SEVERITY>                                Minimum severity level 
                                                        to report.
                                                        <SEVERITY>: {INFO | WARN | ERROR}
                                                        Default: INFO
-show-debug-info                                        Please run your 
                                                        command with this parameter 
                                                        and supply output when 
                                                        reporting bugs.
                                                        Default: disabled
-username, -u <string>                                  <string>: any string
                                                        Default: 
--violations, -v <string>                               The violations to look 
                                                        for. <PARSER> <FOLDER> 
                                                        <REGEXP PATTERN> <NAME> where 
                                                        PARSER is one of: 
                                                        ANDROIDLINT, CHECKSTYLE, CODENARC, 
                                                        CLANG, CPD, CPPCHECK, 
                                                        CPPLINT, CSSLINT, FINDBUGS, 
                                                        FLAKE8, FXCOP, GENDARME, IAR, 
                                                        JCREPORT, JSHINT, JUNIT, LINT, 
                                                        KLOCWORK, KOTLINMAVEN, 
                                                        KOTLINGRADLE, MSCPP, MYPY, GOLINT, 
                                                        GOOGLEERRORPRONE, PERLCRITIC, PITEST, 
                                                        PMD, PYDOCSTYLE, PYLINT, 
                                                        RESHARPER, SBTSCALAC, SIMIAN, 
                                                        SONAR, STYLECOP, XMLLINT, 
                                                        YAMLLINT, ZPTLINT, DOCFX, PCLINT
                                                        
                                                         Example: -v "JSHINT" 
                                                        "." ".*/jshint.xml$" 
                                                        "JSHint" [Supports Multiple occurrences]
                                                        <string>: any string
                                                        Default: Empty list
-workspace, -ws <string>                                The workspace is 
                                                        typically same as username. [Required]
                                                        <string>: any string

Checkout the Violations Lib for more documentation.