Report static code analysis to Bitbucket Server. It uses the Violations Lib.
- The runnable
jarcan be found in Maven Central and used likejava -jar violation-comments-to-bitbucket-server-command-line-*.jar ..... - The runnable can be found in NPM.
- The
Dockerimage can be found in Dockerhub and used likedocker run --mount src="$(pwd)",target=/usr/src/violation-comments-to-bitbucket-server-command-line,type=bind tomasbjerre/violation-comments-to-bitbucket-server-command-line:X.
Run it with:
npx violation-comments-to-bitbucket-server-command-line \
-pat TOKENHERE \
-pk PROJECT_KEY \
-rs REPO_SLUT \
-prid 1234 \
-v "CHECKSTYLE" "." ".*checkstyle/main\.xml$" "Checkstyle" \
-v "JSHINT" "." ".*jshint/report\.xml$" "JSHint"You must perform the merge before build. If you don't perform the merge, the reported violations will refer to other lines then those in the pull request. The merge can be done with a shell script like this.
echo ---
echo --- Merging from $FROM in $FROMREPO to $TO in $TOREPO
echo ---
git clone $TOREPO
cd *
git reset --hard $TO
git status
git remote add from $FROMREPO
git fetch from
git merge $FROM
git --no-pager log --max-count=10 --graph --abbrev-commit
Your build command here!
Example of supported reports are available here.
A number of parsers have been implemented. Some parsers can parse output from several reporters.
| Reporter | Parser | Notes |
|---|---|---|
| ARM-GCC | CLANG |
|
| AndroidLint | ANDROIDLINT |
|
| Ansible-Later | ANSIBLELATER |
With json format |
| AnsibleLint | FLAKE8 |
With -p |
| Bandit | CLANG |
With bandit -r examples/ -f custom -o bandit.out --msg-template "{abspath}:{line}: {severity}: {test_id}: {msg}" |
| CLang | CLANG |
|
| CPD | CPD |
|
| CPPCheck | CPPCHECK |
With cppcheck test.cpp --output-file=cppcheck.xml --xml |
| CPPLint | CPPLINT |
|
| CSSLint | CSSLINT |
|
| Checkstyle | CHECKSTYLE |
|
| CloudFormation Linter | JUNIT |
cfn-lint . -f junit --output-file report-junit.xml |
| CodeClimate | CODECLIMATE |
|
| CodeNarc | CODENARC |
|
| Coverity | COVERITY |
|
| Dart | MACHINE |
With dart analyze --format=machine |
| Dependency Check | SARIF |
Using --format SARIF |
| Detekt | CHECKSTYLE |
With --output-format xml. |
| DocFX | DOCFX |
|
| Doxygen | CLANG |
|
| ERB | CLANG |
With erb -P -x -T '-' "${it}" | ruby -c 2>&1 >/dev/null | grep '^-' | sed -E 's/^-([a-zA-Z0-9:]+)/${filename}\1 ERROR:/p' > erbfiles.out. |
| ESLint | CHECKSTYLE |
With format: 'checkstyle'. |
| Findbugs | FINDBUGS |
|
| Flake8 | FLAKE8 |
|
| FxCop | FXCOP |
|
| GCC | CLANG |
|
| GHS | GHS |
|
| Gendarme | GENDARME |
|
| Generic reporter | GENERIC |
Will create one single violation with all the content as message. |
| GoLint | GOLINT |
|
| GoVet | GOLINT |
Same format as GoLint. |
| GolangCI-Lint | CHECKSTYLE |
With --out-format=checkstyle. |
| GoogleErrorProne | GOOGLEERRORPRONE |
|
| HadoLint | CHECKSTYLE |
With -f checkstyle |
| IAR | IAR |
With --no_wrap_diagnostics |
| Infer | PMD |
Facebook Infer. With --pmd-xml. |
| JACOCO | JACOCO |
|
| JCReport | JCREPORT |
|
| JSHint | JSLINT |
With --reporter=jslint or the CHECKSTYLE parser with --reporter=checkstyle |
| JUnit | JUNIT |
It only contains the failures. |
| KTLint | CHECKSTYLE |
|
| Klocwork | KLOCWORK |
|
| KotlinGradle | KOTLINGRADLE |
Output from Kotlin Gradle Plugin. |
| KotlinMaven | KOTLINMAVEN |
Output from Kotlin Maven Plugin. |
| Lint | LINT |
A common XML format, used by different linters. |
| MSBuildLog | MSBULDLOG |
With -fileLogger use .*msbuild\\.log$ as pattern or -fl -flp:logfile=MyProjectOutput.log;verbosity=diagnostic for a custom output filename |
| MSCpp | MSCPP |
|
| Mccabe | FLAKE8 |
|
| MyPy | MYPY |
|
| NullAway | GOOGLEERRORPRONE |
Same format as Google Error Prone. |
| PCLint | PCLINT |
PC-Lint using the same output format as the Jenkins warnings plugin, details here |
| PHPCS | CHECKSTYLE |
With phpcs api.php --report=checkstyle. |
| PHPPMD | PMD |
With phpmd api.php xml ruleset.xml. |
| PMD | PMD |
|
| Pep8 | FLAKE8 |
|
| PerlCritic | PERLCRITIC |
|
| PiTest | PITEST |
|
| ProtoLint | PROTOLINT |
|
| Puppet-Lint | CLANG |
With -log-format %{fullpath}:%{line}:%{column}: %{kind}: %{message} |
| PyDocStyle | PYDOCSTYLE |
|
| PyFlakes | FLAKE8 |
|
| PyLint | PYLINT |
With pylint --output-format=parseable. |
| ReSharper | RESHARPER |
|
| RubyCop | CLANG |
With rubycop -f clang file.rb |
| SARIF | SARIF |
v2.x. Microsoft Visual C# can generate it with ErrorLog="BuildErrors.sarif,version=2". |
| SbtScalac | SBTSCALAC |
|
| Scalastyle | CHECKSTYLE |
|
| Semgrep | SEMGREP |
With --json. |
| Simian | SIMIAN |
|
| Sonar | SONAR |
With mvn sonar:sonar -Dsonar.analysis.mode=preview -Dsonar.report.export.path=sonar-report.json. Removed in 7.7, see SONAR-11670 but can be retrieved with: curl --silent 'http://sonar-server/api/issues/search?componentKeys=unique-key&resolved=false' | jq -f sonar-report-builder.jq > sonar-report.json. |
| Spotbugs | FINDBUGS |
|
| StyleCop | STYLECOP |
|
| SwiftLint | CHECKSTYLE |
With --reporter checkstyle. |
| TSLint | CHECKSTYLE |
With -t checkstyle |
| Valgrind | VALGRIND |
With --xml=yes. |
| XMLLint | XMLLINT |
|
| XUnit | XUNIT |
It only contains the failures. |
| YAMLLint | YAMLLINT |
With -f parsable |
| ZPTLint | ZPTLINT |
52 parsers and 79 reporters.
Missing a format? Open an issue here!
-comment-only-changed-content, -cocc <boolean> <boolean>: true or false
Default: true
-comment-only-changed-content-context, -coccc <integer> <integer>: -2,147,483,648 to 2,147,483,647
Default: 5
-comment-only-changed-files, -cocf <boolean> True if only changed
files should be commented.
False if all findings should
be commented.
<boolean>: true or false
Default: true
-comment-template <string> https://github.
com/tomasbjerre/violation-comments-lib
<string>: any string
Default:
-create-comment-with-all-single-file-comments, - <boolean>: true or false
ccwasfc <boolean> Default: false
-create-single-file-comments, -csfc <boolean> <boolean>: true or false
Default: true
-create-single-file-comments-tasks, -csfct <boolean> <boolean>: true or false
Default: false
-h, --help <argument-to-print-help-for> <argument-to-print-help-for>: an argument to print help for
Default: If no specific parameter is given the whole usage text is given
--ignorePaths, -i <string> Ignore given paths
Example: -i node_modules [Supports Multiple occurrences]
<string>: any string
Default: Empty list
-keep-old-comments <boolean> <boolean>: true or false
Default: false
-keystore-pass <string> <string>: any string
Default: changeit
-keystore-path <string> <string>: any string
Default:
-max-number-of-violations, -max <integer> <integer>: -2,147,483,648 to 2,147,483,647
Default: 2,147,483,647
-password <string> <string>: any string
Default:
-personal-access-token, -pat <string> <string>: any string
Default:
-project-key, -pk <string> <string>: any string [Required]
-proxy-host <string> <string>: any string
Default:
-proxy-password <string> <string>: any string
Default:
-proxy-port <integer> <integer>: -2,147,483,648 to 2,147,483,647
Default: 0
-proxy-user <string> <string>: any string
Default:
-pull-request-id, -prid <integer> <integer>: -2,147,483,648 to 2,147,483,647 [Required]
-repo-slug, -rs <string> <string>: any string [Required]
-server-url, -url <string> <string>: any string [Required]
-severity, -s <SEVERITY> Minimum severity level
to report.
<SEVERITY>: {INFO | WARN | ERROR}
Default: INFO
-show-debug-info Please run your
command with this parameter
and supply output when
reporting bugs.
Default: disabled
-username <string> <string>: any string
Default:
--violations, -v <string> The violations to look
for. <PARSER> <FOLDER>
<REGEXP PATTERN> <NAME> where
PARSER is one of:
ANDROIDLINT, CHECKSTYLE, CODENARC,
CLANG, CPD, CPPCHECK,
CPPLINT, CSSLINT, GENERIC,
FINDBUGS, FLAKE8, FXCOP,
GENDARME, IAR, JCREPORT, JSLINT,
JUNIT, LINT, KLOCWORK,
KOTLINMAVEN, KOTLINGRADLE, MSCPP,
MYPY, GOLINT,
GOOGLEERRORPRONE, PERLCRITIC, PITEST,
PMD, PROTOLINT, PYDOCSTYLE,
PYLINT, RESHARPER, SBTSCALAC,
SIMIAN, SONAR, STYLECOP,
XMLLINT, YAMLLINT, ZPTLINT,
DOCFX, PCLINT, CODECLIMATE,
XUNIT
Example: -v "JSHINT"
"." ".*/jshint.xml$"
"JSHint" [Supports Multiple occurrences]
<string>: any string
Default: Empty listCheckout the Violations Lib for more documentation.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent