npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

violations-command-line

v3.1.0

Published

CLI find report files from static code analysis, present and optionally fail.

Downloads

2,319

Readme

Violations Command Line

Maven Central NPM NPM Downloads Docker Pulls

This is a command line tool that will find report files from static code analysis, present and optionally fail the command. It uses the Violations Lib.

  • The runnable can be found in Maven Central
  • or NPM.
  • The Docker image can be found in Dockerhub
    • Can used like docker run --mount src="$(pwd)",target=/home/violations-command-line,type=bind tomasbjerre/violations-command-line:a.b.c -v "FINDBUGS" src/test/resources/findbugs/ ".*main\.xml$" "Spotbugs".
    • Or open a shell to have a look docker run --rm -it --entrypoint sh tomasbjerre/violations-command-line:a.b.c

| Version | Java Version | | ------------------| ------------ | | version < 2.0.0 | 8 | | 2.0.0 <= version | 11 |

Run it with:

npx violations-command-line -s ERROR -mv 0 \
 -v "CHECKSTYLE" "." ".*checkstyle/main\.xml$" "Checkstyle" \
 -v "JSLINT" "." ".*jshint/report\.xml$" "JSHint"

It can parse results from static code analysis and:

  • Report violations in the build log.
  • Export to a normalized JSON format.
npx violations-command-line -vf violations-report.json \
 -v "CHECKSTYLE" "." ".*checkstyle/main\.xml$" "Checkstyle"
  • Export to CodeClimate JSON.
npx violations-command-line -cc code-climate-report.json \
 -v "CHECKSTYLE" "." ".*checkstyle/main\.xml$" "Checkstyle"
  • Export to Sarif JSON.
npx violations-command-line -sa sarif-report.json \
 -v "CHECKSTYLE" "." ".*checkstyle/main\.xml$" "Checkstyle"
  • Optionally fail the build depending on violations found.

A snippet of the output may look like this:

...
se/bjurr/violations/lib/example/OtherClass.java
╔══════════╤════════════╤══════════╤══════╤════════════════════════════════════════════════════╗
║ Reporter │ Rule       │ Severity │ Line │ Message                                            ║
╠══════════╪════════════╪══════════╪══════╪════════════════════════════════════════════════════╣
║ Findbugs │ MS_SHOULD_ │ INFO     │ 7    │ Field isn't final but should be                    ║
║          │ BE_FINAL   │          │      │                                                    ║
║          │            │          │      │                                                    ║
║          │            │          │      │    <p>                                             ║
║          │            │          │      │ This static field public but not final, and        ║
║          │            │          │      │ could be changed by malicious code or              ║
║          │            │          │      │         by accident from another package.          ║
║          │            │          │      │         The field could be made final to avoid     ║
║          │            │          │      │         this vulnerability.</p>                    ║
╟──────────┼────────────┼──────────┼──────┼────────────────────────────────────────────────────╢
║ Findbugs │ NM_FIELD_N │ INFO     │ 6    │ Field names should start with a lower case letter  ║
║          │ AMING_CONV │          │      │                                                    ║
║          │ ENTION     │          │      │                                                    ║
║          │            │          │      │   <p>                                              ║
║          │            │          │      │ Names of fields that are not final should be in mi ║
║          │            │          │      │ xed case with a lowercase first letter and the fir ║
║          │            │          │      │ st letters of subsequent words capitalized.        ║
║          │            │          │      │ </p>                                               ║
╚══════════╧════════════╧══════════╧══════╧════════════════════════════════════════════════════╝

Summary of se/bjurr/violations/lib/example/OtherClass.java
╔══════════╤══════╤══════╤═══════╤═══════╗
║ Reporter │ INFO │ WARN │ ERROR │ Total ║
╠══════════╪══════╪══════╪═══════╪═══════╣
║ Findbugs │ 2    │ 0    │ 0     │ 2     ║
╟──────────┼──────┼──────┼───────┼───────╢
║          │ 2    │ 0    │ 0     │ 2     ║
╚══════════╧══════╧══════╧═══════╧═══════╝


Summary
╔════════════╤══════╤══════╤═══════╤═══════╗
║ Reporter   │ INFO │ WARN │ ERROR │ Total ║
╠════════════╪══════╪══════╪═══════╪═══════╣
║ Checkstyle │ 4    │ 1    │ 1     │ 6     ║
╟────────────┼──────┼──────┼───────┼───────╢
║ Findbugs   │ 2    │ 2    │ 5     │ 9     ║
╟────────────┼──────┼──────┼───────┼───────╢
║            │ 6    │ 3    │ 6     │ 15    ║
╚════════════╧══════╧══════╧═══════╧═══════╝

GitHub

GitHub is supported via SARIF. This tool can export SARIF format and it can be uploaded to Github to get feedback in pull-requests.

name: My workflow

on: [workflow_call, push, pull_request]

jobs:
  build:
    permissions:
      security-events: write
      actions: read
      contents: read
    steps:
      - name: Build
        run: |
          your-build-command-here
      - name: Transorm static code analysis to SARIF
        if: success() || failure()
        run: |
          npx violations-command-line -sarif sarif-report.json \
          -v "FINDBUGS" "." ".*spotbugs/main\.xml$" "Spotbugs" \
          -v "CHECKSTYLE" "." ".*checkstyle/main\.xml$" "Checkstyle" \
          -v "PMD" "." ".*pmd/main\.xml$" "PMD" \
          -v "JUNIT" "." ".*test/TEST-.*\.xml$" "JUNIT"
      - uses: github/codeql-action/upload-sarif@v3
        if: success() || failure()
        with:
          sarif_file: sarif-report.json
          category: violations-lib

GitLab

GitLab is supported via CodeClimate. This tool can export CodeClimate format and it can be uploaded to GitLab to get feedback in pull-requests.

If you export CodeClimate like this:

npx violations-command-line -cc code-climate-report.json \
  -v "FINDBUGS" "." ".*spotbugs/main\.xml$" "Spotbugs" \
  -v "CHECKSTYLE" "." ".*checkstyle/main\.xml$" "Checkstyle" \
  -v "PMD" "." ".*pmd/main\.xml$" "PMD" \
  -v "JUNIT" "." ".*test/TEST-.*\.xml$" "JUNIT"

You can upload it like this:

  artifacts:
    paths:
      - code-climate-report.json
    reports:
      codequality: code-climate-report.json

Formats

Example of supported reports are available here.

A number of parsers have been implemented. Some parsers can parse output from several reporters.

| Reporter | Parser | Notes | --- | --- | --- | ARM-GCC | CLANG | | AndroidLint | ANDROIDLINT | | Ansible-Later | ANSIBLELATER | With json format | AnsibleLint | FLAKE8 | With -p | Bandit | CLANG | With bandit -r examples/ -f custom -o bandit.out --msg-template "{abspath}:{line}: {severity}: {test_id}: {msg}" | CLang | CLANG | | CPD | CPD | | CPPCheck | CPPCHECK | With cppcheck test.cpp --output-file=cppcheck.xml --xml | CPPLint | CPPLINT | | CSSLint | CSSLINT | | Checkstyle | CHECKSTYLE | | CloudFormation Linter | JUNIT | cfn-lint . -f junit --output-file report-junit.xml | CodeClimate | CODECLIMATE | | CodeNarc | CODENARC | | Coverity | COVERITY | | Dart | MACHINE | With dart analyze --format=machine | Dependency Check | SARIF | Using --format SARIF | Detekt | CHECKSTYLE | With --output-format xml. | DocFX | DOCFX | | Doxygen | CLANG | | ERB | CLANG | With erb -P -x -T '-' "${it}" \| ruby -c 2>&1 >/dev/null \| grep '^-' \| sed -E 's/^-([a-zA-Z0-9:]+)/${filename}\1 ERROR:/p' > erbfiles.out. | ESLint | CHECKSTYLE | With format: 'checkstyle'. | Findbugs | FINDBUGS | | Flake8 | FLAKE8 | | FxCop | FXCOP | | GCC | CLANG | | GHS | GHS | | Gendarme | GENDARME | | Generic reporter | GENERIC | Will create one single violation with all the content as message. | GoLint | GOLINT | | GoVet | GOLINT | Same format as GoLint. | GolangCI-Lint | CHECKSTYLE | With --out-format=checkstyle. | GoogleErrorProne | GOOGLEERRORPRONE | | HadoLint | CHECKSTYLE | With -f checkstyle | IAR | IAR | With --no_wrap_diagnostics | Infer | PMD | Facebook Infer. With --pmd-xml. | JACOCO | JACOCO | | JCReport | JCREPORT | | JSHint | JSLINT | With --reporter=jslint or the CHECKSTYLE parser with --reporter=checkstyle | JUnit | JUNIT | It only contains the failures. | KTLint | CHECKSTYLE | | Klocwork | KLOCWORK | | KotlinGradle | KOTLINGRADLE | Output from Kotlin Gradle Plugin. | KotlinMaven | KOTLINMAVEN | Output from Kotlin Maven Plugin. | Lint | LINT | A common XML format, used by different linters. | MSBuildLog | MSBULDLOG | With -fileLogger use .*msbuild\\.log$ as pattern or -fl -flp:logfile=MyProjectOutput.log;verbosity=diagnostic for a custom output filename | MSCpp | MSCPP | | Mccabe | FLAKE8 | | MyPy | MYPY | | NullAway | GOOGLEERRORPRONE | Same format as Google Error Prone. | PCLint | PCLINT | PC-Lint using the same output format as the Jenkins warnings plugin, details here | PHPCS | CHECKSTYLE | With phpcs api.php --report=checkstyle. | PHPPMD | PMD | With phpmd api.php xml ruleset.xml. | PMD | PMD | | Pep8 | FLAKE8 | | PerlCritic | PERLCRITIC | | PiTest | PITEST | | ProtoLint | PROTOLINT | | Puppet-Lint | CLANG | With -log-format %{fullpath}:%{line}:%{column}: %{kind}: %{message} | PyDocStyle | PYDOCSTYLE | | PyFlakes | FLAKE8 | | PyLint | PYLINT | With pylint --output-format=parseable. | ReSharper | RESHARPER | | RubyCop | CLANG | With rubycop -f clang file.rb | SARIF | SARIF | v2.x. Microsoft Visual C# can generate it with ErrorLog="BuildErrors.sarif,version=2". | SbtScalac | SBTSCALAC | | Scalastyle | CHECKSTYLE | | Semgrep | SEMGREP | With --json. | Simian | SIMIAN | | Sonar | SONAR | With mvn sonar:sonar -Dsonar.analysis.mode=preview -Dsonar.report.export.path=sonar-report.json. Removed in 7.7, see SONAR-11670 but can be retrieved with: curl --silent 'http://sonar-server/api/issues/search?componentKeys=unique-key&resolved=false' \| jq -f sonar-report-builder.jq > sonar-report.json. | Spotbugs | FINDBUGS | | StyleCop | STYLECOP | | SwiftLint | CHECKSTYLE | With --reporter checkstyle. | TSLint | CHECKSTYLE | With -t checkstyle | Valgrind | VALGRIND | With --xml=yes. | XMLLint | XMLLINT | | XUnit | XUNIT | It only contains the failures. | YAMLLint | YAMLLINT | With -f parsable | ZPTLint | ZPTLINT |

52 parsers and 79 reporters.

Missing a format? Open an issue here!

Usage

Available parsers are:
ANDROIDLINT, ANSIBLELATER, CHECKSTYLE, CODENARC, CLANG, COVERITY, CPD, CPPCHECK, CPPLINT, CSSLINT, GENERIC, GHS, FINDBUGS, FLAKE8, MACHINE, FXCOP, GENDARME, IAR, JACOCO, JCREPORT, JSLINT, JUNIT, LINT, KLOCWORK, KOTLINMAVEN, KOTLINGRADLE, MSCPP, MSBULDLOG, MYPY, GOLINT, GOOGLEERRORPRONE, PERLCRITIC, PITEST, PMD, PROTOLINT, PYDOCSTYLE, PYLINT, RESHARPER, SARIF, SBTSCALAC, SEMGREP, SIMIAN, SONAR, STYLECOP, XMLLINT, YAMLLINT, ZPTLINT, DOCFX, PCLINT, CODECLIMATE, XUNIT, VALGRIND

Usage: violations-command-line [-dpv] [--help] [-pv] [-show-debug-info]
                               [-show-json-config] [-cc=<codeClimateFileArg>]
                               [-cf=<configFileArg>] [-ddl=<diffDetailLevel>]
                               [-df=<diffFrom>] [-dl=<detailLevelArg>]
                               [-dmv=<diffMaxViolations>]
                               [-ds=<diffMinSeverity>] [-dt=<diffTo>]
                               [-gr=<gitRepoArg>] [-jmc=<jacocoMinCoverage>]
                               [-jmlc=<jacocoMinLineCount>]
                               [-mlcw=<maxLineColumnWidth>]
                               [-mmcw=<maxMessageColumnWidth>]
                               [-mrcw=<maxReporterColumnWidth>]
                               [-mrucw=<maxRuleColumnWidth>]
                               [-mscw=<maxSeverityColumnWidth>]
                               [-mv=<maxViolationsArg>] [-s=<minSeverityArg>]
                               [-ss=<sarifFileArg>] [-vf=<violationsFileArg>]
                               [-v=<violationsArg>]...
      -cc, -code-climate=<codeClimateFileArg>
                          Create a CodeClimate file with all the violations.
      -cf, -config-file=<configFileArg>
                          Will read config from given file. Can also be
                            configured with environment variable
                            VIOLATIONS_CONFIG. Format is what you get from
                            -show-json-config.
      -ddl, -diff-detail-level=<diffDetailLevel>
                          VERBOSE, COMPACT, PER_FILE_COMPACT
      -df, -diff-from=<diffFrom>
                          Can be empty (ignored), Git-commit or any
                            Git-reference
      -dl, -detail-level=<detailLevelArg>
                          Verbosity VERBOSE, COMPACT, PER_FILE_COMPACT
      -dmv, -diff-max-violations=<diffMaxViolations>
                          Will fail the build if total number of found
                            violations is higher
      -dpv, -diff-print-violations
                          Will print violations found in diff
      -ds, -diff-severity=<diffMinSeverity>
                          INFO, WARN, ERROR
      -dt, -diff-to=<diffTo>
                          Can be empty (ignored), Git-commit or any
                            Git-reference
      -gr, -git-repo=<gitRepoArg>
                          Where to look for Git.
      --help              display this help and exit
      -jmc, -jacoco-min-coverage=<jacocoMinCoverage>
                          Minimum coverage in Jacoco that will generate a
                            violation.
      -jmlc, -jacoco-min-line-count=<jacocoMinLineCount>
                          Minimum line count in Jacoco that will generate a
                            violation.
      -mlcw, -max-line-column-width=<maxLineColumnWidth>
                          0 means no limit
      -mmcw, -max-message-column-width=<maxMessageColumnWidth>
                          0 means no limit
      -mrcw, -max-reporter-column-width=<maxReporterColumnWidth>
                          0 means no limit
      -mrucw, -max-rule-column-width=<maxRuleColumnWidth>
                          0 means no limit
      -mscw, -max-severity-column-width=<maxSeverityColumnWidth>
                          0 means no limit
      -mv, -max-violations=<maxViolationsArg>
                          Will fail the build if total number of found
                            violations is higher.
      -pv, -print-violations
                          Will print violations found
  -s, -severity=<minSeverityArg>
                          Minimum severity level to report. INFO, WARN, ERROR
      -show-debug-info    Please run your command with this parameter and
                            supply output when reporting bugs.
      -show-json-config   Will print the given config as JSON.
      -ss, -sarif=<sarifFileArg>
                          Create a Sarif file with all the violations.
  -v, --violations=<violationsArg>
                          Format: <PARSER> <FOLDER> <REGEXP PATTERN> <NAME>,
                            Example: -v "JSLINT" "." ".*/jshint.xml$" "JSHint"
      -vf, -violations-file=<violationsFileArg>
                          Create a JSON file with all the violations.

Checkout the Violations Lib for more documentation.