violations-command-line
v3.1.0
CLI find report files from static code analysis, present and optionally fail.
# Violations Command Line
This is a command line tool that will find report files from static code analysis, present and optionally fail the command. It uses the Violations Lib.
- The runnable can be found in Maven Central or NPM.
- The Docker image can be found in Dockerhub.
  - It can be used like:
    ```sh
    docker run --mount src="$(pwd)",target=/home/violations-command-line,type=bind tomasbjerre/violations-command-line:a.b.c -v "FINDBUGS" src/test/resources/findbugs/ ".*main\.xml$" "Spotbugs"
    ```
  - Or open a shell to have a look:
    ```sh
    docker run --rm -it --entrypoint sh tomasbjerre/violations-command-line:a.b.c
    ```
| Version           | Java Version |
| ----------------- | ------------ |
| version < 2.0.0   | 8            |
| 2.0.0 <= version  | 11           |
Run it with:

```sh
npx violations-command-line -s ERROR -mv 0 \
  -v "CHECKSTYLE" "." ".*checkstyle/main\.xml$" "Checkstyle" \
  -v "JSLINT" "." ".*jshint/report\.xml$" "JSHint"
```
It can parse results from static code analysis and:

- Report violations in the build log.
- Export to a normalized JSON format.
  ```sh
  npx violations-command-line -vf violations-report.json \
    -v "CHECKSTYLE" "." ".*checkstyle/main\.xml$" "Checkstyle"
  ```
- Export to CodeClimate JSON.
  ```sh
  npx violations-command-line -cc code-climate-report.json \
    -v "CHECKSTYLE" "." ".*checkstyle/main\.xml$" "Checkstyle"
  ```
- Export to SARIF JSON.
  ```sh
  npx violations-command-line -sa sarif-report.json \
    -v "CHECKSTYLE" "." ".*checkstyle/main\.xml$" "Checkstyle"
  ```
- Optionally fail the build depending on violations found.
A snippet of the output may look like this:
```
...
se/bjurr/violations/lib/example/OtherClass.java
╔══════════╤════════════╤══════════╤══════╤════════════════════════════════════════════════════╗
║ Reporter │ Rule       │ Severity │ Line │ Message                                            ║
╠══════════╪════════════╪══════════╪══════╪════════════════════════════════════════════════════╣
║ Findbugs │ MS_SHOULD_ │ INFO     │ 7    │ Field isn't final but should be                    ║
║          │ BE_FINAL   │          │      │                                                    ║
║          │            │          │      │                                                    ║
║          │            │          │      │ <p>                                                ║
║          │            │          │      │ This static field public but not final, and        ║
║          │            │          │      │ could be changed by malicious code or              ║
║          │            │          │      │ by accident from another package.                  ║
║          │            │          │      │ The field could be made final to avoid             ║
║          │            │          │      │ this vulnerability.</p>                            ║
╟──────────┼────────────┼──────────┼──────┼────────────────────────────────────────────────────╢
║ Findbugs │ NM_FIELD_N │ INFO     │ 6    │ Field names should start with a lower case letter  ║
║          │ AMING_CONV │          │      │                                                    ║
║          │ ENTION     │          │      │                                                    ║
║          │            │          │      │ <p>                                                ║
║          │            │          │      │ Names of fields that are not final should be in mi ║
║          │            │          │      │ xed case with a lowercase first letter and the fir ║
║          │            │          │      │ st letters of subsequent words capitalized.        ║
║          │            │          │      │ </p>                                               ║
╚══════════╧════════════╧══════════╧══════╧════════════════════════════════════════════════════╝
Summary of se/bjurr/violations/lib/example/OtherClass.java
╔══════════╤══════╤══════╤═══════╤═══════╗
║ Reporter │ INFO │ WARN │ ERROR │ Total ║
╠══════════╪══════╪══════╪═══════╪═══════╣
║ Findbugs │ 2    │ 0    │ 0     │ 2     ║
╟──────────┼──────┼──────┼───────┼───────╢
║          │ 2    │ 0    │ 0     │ 2     ║
╚══════════╧══════╧══════╧═══════╧═══════╝
Summary
╔════════════╤══════╤══════╤═══════╤═══════╗
║ Reporter   │ INFO │ WARN │ ERROR │ Total ║
╠════════════╪══════╪══════╪═══════╪═══════╣
║ Checkstyle │ 4    │ 1    │ 1     │ 6     ║
╟────────────┼──────┼──────┼───────┼───────╢
║ Findbugs   │ 2    │ 2    │ 5     │ 9     ║
╟────────────┼──────┼──────┼───────┼───────╢
║            │ 6    │ 3    │ 6     │ 15    ║
╚════════════╧══════╧══════╧═══════╧═══════╝
```
## GitHub

GitHub is supported via SARIF. This tool can export the SARIF format, and the file can be uploaded to GitHub to get feedback in pull requests.
```yaml
name: My workflow
on: [workflow_call, push, pull_request]
jobs:
  build:
    permissions:
      security-events: write
      actions: read
      contents: read
    steps:
      - name: Build
        run: |
          your-build-command-here
      - name: Transform static code analysis to SARIF
        if: success() || failure()
        run: |
          npx violations-command-line -sarif sarif-report.json \
            -v "FINDBUGS" "." ".*spotbugs/main\.xml$" "Spotbugs" \
            -v "CHECKSTYLE" "." ".*checkstyle/main\.xml$" "Checkstyle" \
            -v "PMD" "." ".*pmd/main\.xml$" "PMD" \
            -v "JUNIT" "." ".*test/TEST-.*\.xml$" "JUNIT"
      - uses: github/codeql-action/upload-sarif@v3
        if: success() || failure()
        with:
          sarif_file: sarif-report.json
          category: violations-lib
```
## GitLab

GitLab is supported via CodeClimate. This tool can export the CodeClimate format, and the file can be uploaded to GitLab to get feedback in pull requests.

If you export CodeClimate like this:

```sh
npx violations-command-line -cc code-climate-report.json \
  -v "FINDBUGS" "." ".*spotbugs/main\.xml$" "Spotbugs" \
  -v "CHECKSTYLE" "." ".*checkstyle/main\.xml$" "Checkstyle" \
  -v "PMD" "." ".*pmd/main\.xml$" "PMD" \
  -v "JUNIT" "." ".*test/TEST-.*\.xml$" "JUNIT"
```

You can upload it like this:

```yaml
artifacts:
  paths:
    - code-climate-report.json
  reports:
    codequality: code-climate-report.json
```
## Formats

Examples of supported reports are available here.

A number of parsers have been implemented. Some parsers can parse output from several reporters.
| Reporter | Parser | Notes |
| --- | --- | --- |
| ARM-GCC | CLANG | |
| AndroidLint | ANDROIDLINT | |
| Ansible-Later | ANSIBLELATER | With json format |
| AnsibleLint | FLAKE8 | With `-p` |
| Bandit | CLANG | With `bandit -r examples/ -f custom -o bandit.out --msg-template "{abspath}:{line}: {severity}: {test_id}: {msg}"` |
| CLang | CLANG | |
| CPD | CPD | |
| CPPCheck | CPPCHECK | With `cppcheck test.cpp --output-file=cppcheck.xml --xml` |
| CPPLint | CPPLINT | |
| CSSLint | CSSLINT | |
| Checkstyle | CHECKSTYLE | |
| CloudFormation Linter | JUNIT | `cfn-lint . -f junit --output-file report-junit.xml` |
| CodeClimate | CODECLIMATE | |
| CodeNarc | CODENARC | |
| Coverity | COVERITY | |
| Dart | MACHINE | With `dart analyze --format=machine` |
| Dependency Check | SARIF | Using `--format SARIF` |
| Detekt | CHECKSTYLE | With `--output-format xml`. |
| DocFX | DOCFX | |
| Doxygen | CLANG | |
| ERB | CLANG | With `erb -P -x -T '-' "${it}" \| ruby -c 2>&1 >/dev/null \| grep '^-' \| sed -E 's/^-([a-zA-Z0-9:]+)/$(unknown)\1 ERROR:/p' > erbfiles.out`. |
| ESLint | CHECKSTYLE | With `format: 'checkstyle'`. |
| Findbugs | FINDBUGS | |
| Flake8 | FLAKE8 | |
| FxCop | FXCOP | |
| GCC | CLANG | |
| GHS | GHS | |
| Gendarme | GENDARME | |
| Generic reporter | GENERIC | Will create one single violation with all the content as message. |
| GoLint | GOLINT | |
| GoVet | GOLINT | Same format as GoLint. |
| GolangCI-Lint | CHECKSTYLE | With `--out-format=checkstyle`. |
| GoogleErrorProne | GOOGLEERRORPRONE | |
| HadoLint | CHECKSTYLE | With `-f checkstyle` |
| IAR | IAR | With `--no_wrap_diagnostics` |
| Infer | PMD | Facebook Infer. With `--pmd-xml`. |
| JACOCO | JACOCO | |
| JCReport | JCREPORT | |
| JSHint | JSLINT | With `--reporter=jslint`, or the CHECKSTYLE parser with `--reporter=checkstyle` |
| JUnit | JUNIT | It only contains the failures. |
| KTLint | CHECKSTYLE | |
| Klocwork | KLOCWORK | |
| KotlinGradle | KOTLINGRADLE | Output from Kotlin Gradle Plugin. |
| KotlinMaven | KOTLINMAVEN | Output from Kotlin Maven Plugin. |
| Lint | LINT | A common XML format, used by different linters. |
| MSBuildLog | MSBULDLOG | With `-fileLogger` use `.*msbuild\\.log$` as pattern, or `-fl -flp:logfile=MyProjectOutput.log;verbosity=diagnostic` for a custom output filename |
| MSCpp | MSCPP | |
| Mccabe | FLAKE8 | |
| MyPy | MYPY | |
| NullAway | GOOGLEERRORPRONE | Same format as Google Error Prone. |
| PCLint | PCLINT | PC-Lint using the same output format as the Jenkins warnings plugin, details here |
| PHPCS | CHECKSTYLE | With `phpcs api.php --report=checkstyle`. |
| PHPPMD | PMD | With `phpmd api.php xml ruleset.xml`. |
| PMD | PMD | |
| Pep8 | FLAKE8 | |
| PerlCritic | PERLCRITIC | |
| PiTest | PITEST | |
| ProtoLint | PROTOLINT | |
| Puppet-Lint | CLANG | With `-log-format %{fullpath}:%{line}:%{column}: %{kind}: %{message}` |
| PyDocStyle | PYDOCSTYLE | |
| PyFlakes | FLAKE8 | |
| PyLint | PYLINT | With `pylint --output-format=parseable`. |
| ReSharper | RESHARPER | |
| RuboCop | CLANG | With `rubocop -f clang file.rb` |
| SARIF | SARIF | v2.x. Microsoft Visual C# can generate it with `ErrorLog="BuildErrors.sarif,version=2"`. |
| SbtScalac | SBTSCALAC | |
| Scalastyle | CHECKSTYLE | |
| Semgrep | SEMGREP | With `--json`. |
| Simian | SIMIAN | |
| Sonar | SONAR | With `mvn sonar:sonar -Dsonar.analysis.mode=preview -Dsonar.report.export.path=sonar-report.json`. Removed in 7.7, see SONAR-11670, but can be retrieved with: `curl --silent 'http://sonar-server/api/issues/search?componentKeys=unique-key&resolved=false' \| jq -f sonar-report-builder.jq > sonar-report.json`. |
| Spotbugs | FINDBUGS | |
| StyleCop | STYLECOP | |
| SwiftLint | CHECKSTYLE | With `--reporter checkstyle`. |
| TSLint | CHECKSTYLE | With `-t checkstyle` |
| Valgrind | VALGRIND | With `--xml=yes`. |
| XMLLint | XMLLINT | |
| XUnit | XUNIT | It only contains the failures. |
| YAMLLint | YAMLLINT | With `-f parsable` |
| ZPTLint | ZPTLINT | |
52 parsers and 79 reporters.
Missing a format? Open an issue here!
## Usage

Available parsers are:

```
ANDROIDLINT, ANSIBLELATER, CHECKSTYLE, CODENARC, CLANG, COVERITY, CPD, CPPCHECK, CPPLINT, CSSLINT, GENERIC, GHS, FINDBUGS, FLAKE8, MACHINE, FXCOP, GENDARME, IAR, JACOCO, JCREPORT, JSLINT, JUNIT, LINT, KLOCWORK, KOTLINMAVEN, KOTLINGRADLE, MSCPP, MSBULDLOG, MYPY, GOLINT, GOOGLEERRORPRONE, PERLCRITIC, PITEST, PMD, PROTOLINT, PYDOCSTYLE, PYLINT, RESHARPER, SARIF, SBTSCALAC, SEMGREP, SIMIAN, SONAR, STYLECOP, XMLLINT, YAMLLINT, ZPTLINT, DOCFX, PCLINT, CODECLIMATE, XUNIT, VALGRIND
```
```
Usage: violations-command-line [-dpv] [--help] [-pv] [-show-debug-info]
                               [-show-json-config] [-cc=<codeClimateFileArg>]
                               [-cf=<configFileArg>] [-ddl=<diffDetailLevel>]
                               [-df=<diffFrom>] [-dl=<detailLevelArg>]
                               [-dmv=<diffMaxViolations>]
                               [-ds=<diffMinSeverity>] [-dt=<diffTo>]
                               [-gr=<gitRepoArg>] [-jmc=<jacocoMinCoverage>]
                               [-jmlc=<jacocoMinLineCount>]
                               [-mlcw=<maxLineColumnWidth>]
                               [-mmcw=<maxMessageColumnWidth>]
                               [-mrcw=<maxReporterColumnWidth>]
                               [-mrucw=<maxRuleColumnWidth>]
                               [-mscw=<maxSeverityColumnWidth>]
                               [-mv=<maxViolationsArg>] [-s=<minSeverityArg>]
                               [-ss=<sarifFileArg>] [-vf=<violationsFileArg>]
                               [-v=<violationsArg>]...
  -cc, -code-climate=<codeClimateFileArg>
                          Create a CodeClimate file with all the violations.
  -cf, -config-file=<configFileArg>
                          Will read config from given file. Can also be
                          configured with environment variable
                          VIOLATIONS_CONFIG. Format is what you get from
                          -show-json-config.
  -ddl, -diff-detail-level=<diffDetailLevel>
                          VERBOSE, COMPACT, PER_FILE_COMPACT
  -df, -diff-from=<diffFrom>
                          Can be empty (ignored), Git-commit or any
                          Git-reference
  -dl, -detail-level=<detailLevelArg>
                          Verbosity VERBOSE, COMPACT, PER_FILE_COMPACT
  -dmv, -diff-max-violations=<diffMaxViolations>
                          Will fail the build if total number of found
                          violations is higher
  -dpv, -diff-print-violations
                          Will print violations found in diff
  -ds, -diff-severity=<diffMinSeverity>
                          INFO, WARN, ERROR
  -dt, -diff-to=<diffTo>  Can be empty (ignored), Git-commit or any
                          Git-reference
  -gr, -git-repo=<gitRepoArg>
                          Where to look for Git.
      --help              display this help and exit
  -jmc, -jacoco-min-coverage=<jacocoMinCoverage>
                          Minimum coverage in Jacoco that will generate a
                          violation.
  -jmlc, -jacoco-min-line-count=<jacocoMinLineCount>
                          Minimum line count in Jacoco that will generate a
                          violation.
  -mlcw, -max-line-column-width=<maxLineColumnWidth>
                          0 means no limit
  -mmcw, -max-message-column-width=<maxMessageColumnWidth>
                          0 means no limit
  -mrcw, -max-reporter-column-width=<maxReporterColumnWidth>
                          0 means no limit
  -mrucw, -max-rule-column-width=<maxRuleColumnWidth>
                          0 means no limit
  -mscw, -max-severity-column-width=<maxSeverityColumnWidth>
                          0 means no limit
  -mv, -max-violations=<maxViolationsArg>
                          Will fail the build if total number of found
                          violations is higher.
  -pv, -print-violations  Will print violations found
  -s, -severity=<minSeverityArg>
                          Minimum severity level to report. INFO, WARN, ERROR
      -show-debug-info    Please run your command with this parameter and
                          supply output when reporting bugs.
      -show-json-config   Will print the given config as JSON.
  -ss, -sarif=<sarifFileArg>
                          Create a Sarif file with all the violations.
  -v, --violations=<violationsArg>
                          Format: <PARSER> <FOLDER> <REGEXP PATTERN> <NAME>,
                          Example: -v "JSLINT" "." ".*/jshint.xml$" "JSHint"
  -vf, -violations-file=<violationsFileArg>
                          Create a JSON file with all the violations.
```
Check out the Violations Lib for more documentation.
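The following is an added, stand-alone illustration of what a `-v "<PARSER> <FOLDER> <REGEXP PATTERN> <NAME>"` spec, `-s` and `-mv` do together; it is not code from violations-command-line or the Violations Lib. It walks a folder for report files whose path matches the regexp, parses clang-style lines in the shape the Bandit `--msg-template` from the formats table produces, drops findings below the minimum severity, and reports failure when more than the allowed number remain. Three things are this example's own assumptions, not facts from the page: that the regexp is matched against the full path (which is why every `-v` pattern on the page starts with `.*`), the mapping of LOW/MEDIUM/HIGH to INFO/WARN/ERROR, and the sample Bandit lines, which are constructed.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# The tool's three severity levels in ascending order (what -s / -severity selects on).
SEVERITY_RANK = {"INFO": 0, "WARN": 1, "ERROR": 2}

# Assumed mapping from the severity word in a clang-style line to those levels.
# The Bandit template on the page puts LOW / MEDIUM / HIGH in the {severity} slot.
SEVERITY_MAP = {
    "note": "INFO", "info": "INFO", "low": "INFO",
    "warning": "WARN", "medium": "WARN",
    "error": "ERROR", "high": "ERROR",
}

# One clang-style diagnostic: <path>:<line>[:<column>]: <severity>: <message>
CLANG_LINE = re.compile(
    r"^(?P<path>[^:\n]+):(?P<line>\d+)(?::(?P<col>\d+))?:\s*"
    r"(?P<severity>[A-Za-z]+):\s*(?P<message>.*)$"
)

# Constructed sample in the shape of the Bandit --msg-template from the formats
# table; not a real scan result.
SAMPLE_BANDIT_OUT = """\
/src/app/db.py:42: HIGH: B608: Possible SQL injection vector through string-based query construction.
/src/app/util.py:10: LOW: B101: Use of assert detected.
/src/app/crypto.py:7: MEDIUM: B303: Use of insecure MD2, MD4, MD5, or SHA1 hash function.
Run started (constructed sample, not a diagnostic line)
"""


@dataclass
class Violation:
    reporter: str
    file: str
    line: int
    severity: str
    message: str


def find_report_files(folder, pattern):
    """Files under folder whose absolute path matches pattern as a whole.
    Assumption: the regexp is applied to the full path, so a pattern without a
    leading ".*" matches nothing."""
    regex = re.compile(pattern)
    hits = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            full = os.path.abspath(os.path.join(root, name))
            if regex.fullmatch(full):
                hits.append(full)
    return sorted(hits)


def parse_clang_report(text, reporter):
    """Turn clang-style lines into Violation records; other lines are ignored."""
    found = []
    for raw in text.splitlines():
        m = CLANG_LINE.match(raw.strip())
        level = SEVERITY_MAP.get(m.group("severity").lower()) if m else None
        if level is None:
            continue
        found.append(Violation(reporter, m.group("path"), int(m.group("line")),
                               level, m.group("message")))
    return found


def gate(violations, min_severity="INFO", max_violations=0):
    """-s / -mv semantics: keep findings at or above min_severity and fail
    when more than max_violations remain."""
    floor = SEVERITY_RANK[min_severity]
    kept = [v for v in violations if SEVERITY_RANK[v.severity] >= floor]
    return kept, len(kept) > max_violations


def run(folder, specs, min_severity="INFO", max_violations=0):
    """specs mirror -v: (PARSER, REGEXP PATTERN, NAME). Only CLANG is implemented."""
    found = []
    for parser, pattern, name in specs:
        if parser != "CLANG":
            raise ValueError(f"parser {parser} is not implemented in this example")
        for path in find_report_files(folder, pattern):
            found.extend(parse_clang_report(Path(path).read_text(), name))
    return gate(found, min_severity, max_violations)


def demo(min_severity="WARN", max_violations=0):
    """Write the constructed report into a temp tree and run the pipeline."""
    with tempfile.TemporaryDirectory() as root:
        report = Path(root, "reports", "bandit", "bandit.out")
        report.parent.mkdir(parents=True)
        report.write_text(SAMPLE_BANDIT_OUT)
        # A stale copy next to it must not be picked up: the pattern ends in "$".
        report.with_name("bandit.out.bak").write_text(SAMPLE_BANDIT_OUT)
        specs = [("CLANG", r".*bandit/bandit\.out$", "Bandit")]
        kept, failed = run(root, specs, min_severity, max_violations)
        unanchored = find_report_files(root, r"bandit/bandit\.out$")  # no leading ".*"
    return kept, failed, len(unanchored)


if __name__ == "__main__":
    kept, failed, _ = demo()
    for v in kept:
        print(f"{v.reporter} {v.severity} {v.file}:{v.line} {v.message}")
    print("FAILED" if failed else "OK")
```

With the defaults `demo()` mirrors `-s WARN -mv 0`: the LOW finding is dropped, the HIGH and MEDIUM ones are kept, and the run fails because two findings remain; raising `max_violations` or the minimum severity turns the same input into a pass. The unanchored pattern returns no files, which is the reason to keep the leading `.*` in every `-v` pattern.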