Home

Awesome

Violation Comments to GitHub Gradle Plugin

Maven Central


Archived, see motivation here https://github.com/tomasbjerre/violation-comments-to-github-lib

This is a Gradle plugin for Violation Comments to GitHub Lib.

It can be used in Travis, or any other build server, to read results from static code analysis and comment pull requests in GitHub with them.

The merge must be performed in order for the commented lines in the PR to match the lines reported by the analysis tools!

Example of supported reports are available here.

A number of parsers have been implemented. Some parsers can parse output from several reporters.

ReporterParserNotes
ARM-GCCCLANG
AndroidLintANDROIDLINT
Ansible-LaterANSIBLELATERWith json format
AnsibleLintFLAKE8With -p
BanditCLANGWith bandit -r examples/ -f custom -o bandit.out --msg-template "{abspath}:{line}: {severity}: {test_id}: {msg}"
CLangCLANG
CPDCPD
CPPCheckCPPCHECKWith cppcheck test.cpp --output-file=cppcheck.xml --xml
CPPLintCPPLINT
CSSLintCSSLINT
CheckstyleCHECKSTYLE
CloudFormation LinterJUNITcfn-lint . -f junit --output-file report-junit.xml
CodeClimateCODECLIMATE
CodeNarcCODENARC
DartMACHINEWith dart analyze --format=machine
Dependency CheckSARIFUsing --format SARIF
DetektCHECKSTYLEWith --output-format xml.
DocFXDOCFX
DoxygenCLANG
ERBCLANGWith erb -P -x -T '-' "${it}" | ruby -c 2>&1 >/dev/null | grep '^-' | sed -E 's/^-([a-zA-Z0-9:]+)/${filename}\1 ERROR:/p' > erbfiles.out.
ESLintCHECKSTYLEWith format: 'checkstyle'.
FindbugsFINDBUGS
Flake8FLAKE8
FxCopFXCOP
GCCCLANG
GHSGHS
GendarmeGENDARME
Generic reporterGENERICWill create one single violation with all the content as message.
GoLintGOLINT
GoVetGOLINTSame format as GoLint.
GolangCI-LintCHECKSTYLEWith --out-format=checkstyle.
GoogleErrorProneGOOGLEERRORPRONE
HadoLintCHECKSTYLEWith -f checkstyle
IARIARWith --no_wrap_diagnostics
InferPMDFacebook Infer. With --pmd-xml.
JACOCOJACOCO
JCReportJCREPORT
JSHintJSLINTWith --reporter=jslint or the CHECKSTYLE parser with --reporter=checkstyle
JUnitJUNITIt only contains the failures.
KTLintCHECKSTYLE
KlocworkKLOCWORK
KotlinGradleKOTLINGRADLEOutput from Kotlin Gradle Plugin.
KotlinMavenKOTLINMAVENOutput from Kotlin Maven Plugin.
LintLINTA common XML format, used by different linters.
MSBuildLogMSBULDLOGWith -fileLogger use .*msbuild\\.log$ as pattern or -fl -flp:logfile=MyProjectOutput.log;verbosity=diagnostic for a custom output filename
MSCppMSCPP
MccabeFLAKE8
MyPyMYPY
NullAwayGOOGLEERRORPRONESame format as Google Error Prone.
PCLintPCLINTPC-Lint using the same output format as the Jenkins warnings plugin, details here
PHPCSCHECKSTYLEWith phpcs api.php --report=checkstyle.
PHPPMDPMDWith phpmd api.php xml ruleset.xml.
PMDPMD
Pep8FLAKE8
PerlCriticPERLCRITIC
PiTestPITEST
ProtoLintPROTOLINT
Puppet-LintCLANGWith -log-format %{fullpath}:%{line}:%{column}: %{kind}: %{message}
PyDocStylePYDOCSTYLE
PyFlakesFLAKE8
PyLintPYLINTWith pylint --output-format=parseable.
ReSharperRESHARPER
RubyCopCLANGWith rubycop -f clang file.rb
SARIFSARIFv2.x. Microsoft Visual C# can generate it with ErrorLog="BuildErrors.sarif,version=2".
SbtScalacSBTSCALAC
ScalastyleCHECKSTYLE
SemgrepSEMGREPWith --json.
SimianSIMIAN
SonarSONARWith mvn sonar:sonar -Dsonar.analysis.mode=preview -Dsonar.report.export.path=sonar-report.json. Removed in 7.7, see SONAR-11670 but can be retrieved with: curl --silent 'http://sonar-server/api/issues/search?componentKeys=unique-key&resolved=false' | jq -f sonar-report-builder.jq > sonar-report.json.
SpotbugsFINDBUGS
StyleCopSTYLECOP
SwiftLintCHECKSTYLEWith --reporter checkstyle.
TSLintCHECKSTYLEWith -t checkstyle
ValgrindVALGRINDWith --xml=yes.
XMLLintXMLLINT
XUnitXUNITIt only contains the failures.
YAMLLintYAMLLINTWith -f parsable
ZPTLintZPTLINT

51 parsers and 78 reporters.

Missing a format? Open an issue here!

Usage

There is a running example here.

Here is and example:

  buildscript {
    repositories {
      maven {
        url "https://plugins.gradle.org/m2/"
      }
    }
    dependencies {
      classpath "se.bjurr.violations:violation-comments-to-github-gradle-plugin:X"
    }
  }

  apply plugin: "se.bjurr.violations.violation-comments-to-github-gradle-plugin"

  task violationCommentsToGitHub(type: se.bjurr.violations.comments.github.plugin.gradle.ViolationCommentsToGitHubTask) {
   repositoryOwner = "tomasbjerre";
   repositoryName = "violations-test"
   pullRequestId = System.properties['GITHUB_PULLREQUESTID']
   username = System.properties['GITHUB_USERNAME']
   password = System.properties['GITHUB_PASSWORD']
   oAuth2Token = System.properties['GITHUB_OAUTH2TOKEN']
   gitHubUrl = "https://api.github.com/"
   createCommentWithAllSingleFileComments = false
   createSingleFileComments = true
   commentOnlyChangedContent = true
   minSeverity = se.bjurr.violations.lib.model.SEVERITY.INFO //ERROR, INFO, WARN
   maxNumberOfViolations: 99999
   commentTemplate = """
**Reporter**: {{violation.reporter}}{{#violation.rule}}

**Rule**: {{violation.rule}}{{/violation.rule}}
**Severity**: {{violation.severity}}
**File**: {{violation.file}} L{{violation.startLine}}{{#violation.source}}

**Source**: {{violation.source}}{{/violation.source}}

{{violation.message}}
"""
   violations = [
    ["FINDBUGS",   ".", ".*/findbugs/.*\\.xml\$",   "Findbugs"],
    ["PMD",        ".", ".*/pmd/.*\\.xml\$",        "PMD"],
    ["CHECKSTYLE", ".", ".*/checkstyle/.*\\.xml\$", "Checkstyle"],
    ["JSHINT",     ".", ".*/jshint/.*\\.xml\$",     "JSHint"],
    ["CSSLINT",    ".", ".*/csslint/.*\\.xml\$",     "CssLint"]
   ]
  }

To send violations, just run:

./gradlew violationCommentsToGitHub -DGITHUB_PULLREQUESTID=$GITHUB_PULL_REQUEST -DGITHUB_USERNAME=... -DGITHUB_PASSWORD=...

Or if you want to use OAuth2:

./gradlew violationCommentsToGitHub -DGITHUB_PULLREQUESTID=$TRAVIS_PULL_REQUEST -DGITHUB_OAUTH2TOKEN=$GITHUB_OAUTH2TOKEN

You may also have a look at Violations Lib.

Developer instructions

To build the code you need to run build.sh in root of repo. You may also have a look at .travis.yml.

To do a release you need to do ./gradlew release -Dgradle.publish.key=... -Dgradle.publish.secret=... and release the artifact from staging. More information here.