
violations-maven-plugin's Issues

How to configure a sub-module target dir

Currently the docs show one target dir:

<violation>
  <parser>CHECKSTYLE</parser>
  <reporter>Checkstyle</reporter>
  <folder>.</folder>
  <pattern>.*/target/checkstyle-result\.xml$</pattern>
</violation>

Does this plugin support sub-module target dirs?

Such as:

JavaProject/
--pom.xml
--UserService/
----pom.xml
----target/checkstyle-result.xml
--WikiService/
----pom.xml
----target/checkstyle-result.xml

Should I change the folder or the pattern?

What does the "folder" config mean?

Suggestion: change phase from verify to validate

https://github.com/tomasbjerre/violations-maven-plugin/blob/master/violations-maven-plugin-example/pom.xml#L23

Currently the docs tell us to use mvn verify, but unit tests and integration tests run in verify too, which causes 2 problems:

  1. violations-maven-plugin cannot run alone; it always runs together with the tests, so it is slow.
  2. If the tests fail and stop the build, violations-maven-plugin will not run, so we cannot get a report.

Demo: https://github.com/WebGoat/WebGoat

If we want to lint and collect the report first, and only run the tests and collect their report if lint succeeds, this plugin cannot do it:

image: bellsoft/liberica-openjdk-debian:17

stages:
  - lint
  - test
  - build

lint_and_report:
  stage: lint
  script:
    - ./mvnw checkstyle:check
    - ./mvnw verify # the report conversion runs after the tests, so this fails
  artifacts:
    when: always
    reports:
      codequality: gl-code-quality-report.json

test_and_report:
  stage: test
  script:
    - ./mvnw verify
  artifacts:
    when: always
    reports:
      junit:
        - target/surefire-reports/TEST-*.xml
        - target/failsafe-reports/TEST-*.xml

build_java:
  stage: build
  script:
    - ./mvnw package -Dmaven.test.skip=true

How to make the build fail?

Hi,

I have read in the readme.md that it can optionally fail the build if violations are found, but I haven't found any config option to do so. How can I do that?

jacoco.xml is not parsed

Hi,

I am trying to use this lib to make the build fail when JaCoCo coverage is below the threshold.
Should I set anything besides

<violation>
  <parser>JACOCO</parser>
  <reporter>JACOCO</reporter>
  <folder>./target/site/jacoco</folder>
  <pattern>.*/jacoco\.xml$</pattern>
</violation>

in the pom.xml?

The JaCoCo maven plugin is, in theory, properly set up.
I started to debug it with mvnDebug and I can see that the content of the file is read by violations-lib, so JacocoParser.parseReportOutput() gets the content of the jacoco.xml file, but it finds 0 violations although some values are below the threshold.

If you want to take a look at my jacoco.xml or want more details, please just tell me.

Thanks,

Daniel

Is skip supported?

In projects with many problems or submodules, the execution of the plugin can take a long time.
Can plugin execution be temporarily skipped with a command line argument? For example, mvn package -Dmaven.violations.skip=true

File path is wrong in GitLab MR widget

Summary

The file path in the GitLab MR widget is wrong, so the URL is a 404.

Steps to reproduce

  1. Use violations-maven-plugin for Checkstyle in a Java project
  2. Run ./mvnw validate in GitLab CI

Example Project

https://jihulab.com/ultimate-plan/demo/java-17-maven-demo/-/merge_requests/1

What is the current bug behavior?

file path: /builds/ultimate-plan/demo/java-17-maven-demo/src/main/java/org/owasp/webgoat/lessons/jwt/JWTFinalEndpoint.java:96

url: https://jihulab.com/ultimate-plan/demo/java-17-maven-demo/-/blob/9e6c41a0591484eeaab818dd25fc194c594af37b//builds/ultimate-plan/demo/java-17-maven-demo/src/main/java/org/owasp/webgoat/lessons/jwt/JWTFinalEndpoint.java#L96

What is the expected correct behavior?

file path: src/main/java/org/owasp/webgoat/lessons/jwt/JWTFinalEndpoint.java:96

url: https://jihulab.com/ultimate-plan/demo/java-17-maven-demo/-/blob/9e6c41a0591484eeaab818dd25fc194c594af37b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTFinalEndpoint.java#L96

Relevant logs and/or screenshots


target/checkstyle-result.xml

<?xml version="1.0" encoding="UTF-8"?>
<checkstyle version="9.3">
  <file name="/Volumes/Code/ultimate-plan/demo/WebGoat/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java">
    <error line="5" column="1" severity="warning" message="foo" source="com.puppycrawl.tools.checkstyle.checks.imports.CustomImportOrderCheck"/>
  </file>
</checkstyle>

target/pmd.xml

<?xml version="1.0" encoding="UTF-8"?>
<pmd xmlns="http://pmd.sourceforge.net/report/2.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://pmd.sourceforge.net/report/2.0.0 http://pmd.sourceforge.net/report_2_0_0.xsd" version="6.49.0" timestamp="2022-09-20T10:08:44.599">
  <file name="/Volumes/Code/ultimate-plan/demo/WebGoat/src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java">
    <violation beginline="34" endline="34" begincolumn="1" endcolumn="49" rule="UnnecessaryImport" ruleset="Code Style" package="org.owasp.webgoat.container" class="WebSecurityConfig" externalInfoUrl="https://pmd.github.io/pmd-6.49.0/pmd_rules_java_codestyle.html#unnecessaryimport" priority="4">
Unused import 'org.owasp.webgoat.container.i18n.Language'
    </violation>
  </file>
</pmd>

gl-code-quality-report.json

[
  {
    "description": "tab in line",
    "fingerprint": "871ea4ab645d5d0e497b475c186acb5a57f764419e9ba4cd3dae8aa0a1093e10",
    "location": {
      "path": "/Volumes/Code/ultimate-plan/demo/WebGoat/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java",
      "lines": {
        "begin": 73
      }
    }
  }
]

Build failed after changing README.md on Mac

Steps:

  1. Fork this project
  2. Change and commit README.md
  3. Run ./mvnw package

Output:

[INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ violations-maven-plugin ---
[INFO] Surefire report directory: /Volumes/Code/ultimate-plan/jihu-gitlab-app/violations-maven-plugin/target/surefire-reports

-------------------------------------------------------
 T E S T S
-------------------------------------------------------
Running se.bjurr.violations.maven.plugin.ViolationCommentsMojoTest
Tests run: 2, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.212 sec
Running se.bjurr.violations.maven.plugin.UpdateReadmeTest
Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.006 sec <<< FAILURE!
doUpdateReadmeWithReporters(se.bjurr.violations.maven.plugin.UpdateReadmeTest)  Time elapsed: 0.006 sec  <<< ERROR!
java.lang.RuntimeException: Could not find:

| Reporter | Parser | Notes
Missing a format? Open an issue [here](https://github.com/tomasbjerre/violations-lib/issues)!

 in ./README.md
	at se.bjurr.violations.lib.util.Utils.updateReadmeWithReporters(Utils.java:116)

False positives in GitLab using the Code Climate output

First off: Fantastic plugin, really appreciate your work and it helps us a lot!

Problem: We use your tool to create a Code Climate output that we then import into GitLab. When code is changed, we get a lot of false positive changes, where the same change will be listed (by GitLab) as both new and fixed, causing us to miss the 'real' issues.

I think the problem is that

Therefore, would it be possible to create a unique hash as the fingerprint per item that does not include the line number as input?
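As an added example (not code from violations-maven-plugin or its author), the following post-processes a gl-code-quality-report.json in CI to address both the MR-widget path issue above and this fingerprint request: it strips the checkout prefix so paths become repository-relative, and it recomputes each fingerprint from path, check name and message only, so a finding that merely shifts lines keeps its identity. The sample entry, the /builds/group/project prefix and the check_name value are constructed for the demonstration.

```python
"""Post-process a GitLab Code Quality report (gl-code-quality-report.json)."""
import hashlib
import json
import os

# Constructed sample entry with an absolute CI checkout path, as seen in the MR widget issue.
SAMPLE_REPORT = json.dumps([{
    "description": "tab in line",
    "check_name": "RegexpSinglelineCheck",
    "fingerprint": "0000000000000000000000000000000000000000000000000000000000000000",
    "location": {
        "path": "/builds/group/project/src/main/java/org/example/Foo.java",
        "lines": {"begin": 73},
    },
}])


def relativize(path: str, project_dir: str) -> str:
    """Strip the CI checkout directory (e.g. $CI_PROJECT_DIR) so GitLab can link the file."""
    prefix = project_dir.rstrip("/") + "/"
    return path[len(prefix):] if path.startswith(prefix) else path


def stable_fingerprint(issue: dict) -> str:
    """SHA-256 over fields that survive a pure line shift: path, check name, message.

    The line number is deliberately left out, so an unchanged finding that moves
    is not reported as both 'fixed' and 'new'. The trade-off: identical findings
    in one file collapse to a single fingerprint.
    """
    parts = (issue["location"]["path"], issue.get("check_name", ""), issue.get("description", ""))
    return hashlib.sha256("\x00".join(parts).encode("utf-8")).hexdigest()


def rewrite_report(report_json: str, project_dir: str) -> list:
    """Return the parsed report with relative paths and line-independent fingerprints."""
    issues = json.loads(report_json)
    for issue in issues:
        issue["location"]["path"] = relativize(issue["location"]["path"], project_dir)
        issue["fingerprint"] = stable_fingerprint(issue)
    return issues


if __name__ == "__main__":
    # In GitLab CI, CI_PROJECT_DIR holds the checkout path; the fallback matches the sample.
    project_dir = os.environ.get("CI_PROJECT_DIR", "/builds/group/project")
    print(json.dumps(rewrite_report(SAMPLE_REPORT, project_dir), indent=2))
```

Run it as an extra script step after ./mvnw validate and before the artifact is uploaded, writing the result back to gl-code-quality-report.json.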
