Merge pull request #2 from synergy-au/feature/sarif-report
Produces SARIF reports to upload to GitHub
Showing
3 changed files
with
94 additions
and
37 deletions.
@@ -1,38 +1,33 @@ | ||
# shellcheck shell=sh | ||
|
||
ERROR_COUNT=0 | ||
|
||
# Download PMD | ||
wget https://github.com/pmd/pmd/releases/download/pmd_releases%2F"${PMD_VERSION}"/pmd-bin-"${PMD_VERSION}".zip | ||
unzip pmd-bin-"${PMD_VERSION}".zip | ||
# Now either run the full analysis or files changed based on the settings defined | ||
if [ "$ANALYSE_ALL_CODE" == 'true' ]; then | ||
pmd-bin-"${PMD_VERSION}"/bin/run.sh pmd -d "$FILE_PATH" -R "$RULES_PATH" -failOnViolation false -f json > pmd-output.json | ||
pmd-bin-"${PMD_VERSION}"/bin/run.sh pmd -d "$FILE_PATH" -R "$RULES_PATH" -failOnViolation false -f sarif > pmd-raw-output.sarif | ||
else | ||
# Generate a CSV file first with the files changed | ||
git diff --name-only --diff-filter=d origin/"$TARGET_BRANCH"..origin/"${SOURCE_BRANCH#"refs/heads/"}" | paste -s -d "," >> diff-file.csv | ||
# Now to determine whether to get the files changed from a git diff or using the files changed in a GitHub Pull Request | ||
# Both options will generate a CSV file first with the files changed | ||
if [ "$FILE_DIFF_TYPE" == 'git' ]; then | ||
git diff --name-only --diff-filter=d origin/"$TARGET_BRANCH"..origin/"${SOURCE_BRANCH#"refs/heads/"}" | paste -s -d "," >> diff-file.csv | ||
else | ||
curl -H "Accept: application/vnd.github.v3+json" -H "Authorization: token ${AUTH_TOKEN}" https://api.github.com/repos/"$REPO_NAME"/pulls/"$PR_NUMBER"/files | jq --raw-output '.[] .filename' | paste -s -d "," >> diff-file.csv | ||
fi | ||
# Run the analysis | ||
pmd-bin-"${PMD_VERSION}"/bin/run.sh pmd -filelist diff-file.csv -R "$RULES_PATH" -failOnViolation false -f json > pmd-output.json | ||
pmd-bin-"${PMD_VERSION}"/bin/run.sh pmd -filelist diff-file.csv -R "$RULES_PATH" -failOnViolation false -f sarif > pmd-raw-output.sarif | ||
fi | ||
# Loop through each file and then loop through each violation identified | ||
while read -r file; do | ||
FILENAME="$(echo "$file" | jq --raw-output '.filename | ltrimstr("${{ github.workspace }}/")')" | ||
while read -r violation; do | ||
MESSAGE="$(echo "$violation" | jq --raw-output '" \(.ruleset) - \(.rule): \(.description). This applies from line \(.beginline) to \(.endline) and from column \(.begincolumn) to \(.endcolumn). For more information on this rule visit \(.externalInfoUrl)"')" | ||
LINE="$(echo "$violation" | jq --raw-output '.beginline')" | ||
COLUMN="$(echo "$violation" | jq --raw-output '.begincolumn')" | ||
RULE="$(echo "$violation" | jq --raw-output '.rule')" | ||
if [ -n "$RULE" ]; then | ||
if [[ "$ERROR_RULES" == *"$RULE"* ]]; then | ||
echo ::error file="$FILENAME",line="$LINE",col="$COLUMN"::"$MESSAGE" | ||
ERROR_COUNT=$((ERROR_COUNT + 1)) | ||
else | ||
echo ::warning file="$FILENAME",line="$LINE",col="$COLUMN"::"$MESSAGE" | ||
fi | ||
fi | ||
done <<< "$(echo "$file" | jq --compact-output '.violations[]')" | ||
done <<< "$(cat pmd-output.json | jq --compact-output '.files[]')" | ||
# If there are any errors logged we want this to fail (warnings don't count) | ||
if [ "$ERROR_COUNT" -gt 0 ]; then | ||
exit 3 | ||
fi | ||
# Loop through each rule and see if an error should be thrown | ||
echo "::set-output name=error-found::false" | ||
while read -r rule; do | ||
RULE="$(echo "$rule" | jq --raw-output '.id')" | ||
if [[ $RULE && "$ERROR_RULES" == *"$RULE"* ]]; then | ||
echo "::set-output name=error-found::true" | ||
break | ||
fi | ||
done <<< "$(cat pmd-raw-output.sarif | jq --compact-output '.runs[] .tool .driver .rules[]')" | ||
# Set the correct file location for the report | ||
cat pmd-raw-output.sarif | jq --arg workspace "$WORKSPACE" '(.runs[] .results[] .locations[] .physicalLocation .artifactLocation .uri) |= ltrimstr($workspace)' > pmd-file-locations-output.sarif | ||
# Set the rule level configurations for whether they are notes or errors | ||
cat pmd-file-locations-output.sarif | jq --arg errors "$ERROR_RULES" '((.runs[] .tool .driver .rules[]) | select(.id==($errors | split(",")[]))) += {"defaultConfiguration": {"level": "error"}}' > pmd-errors-output.sarif | ||
cat pmd-errors-output.sarif | jq --arg notes "$NOTE_RULES" '((.runs[] .tool .driver .rules[]) | select(.id==($notes | split(",")[]))) += {"defaultConfiguration": {"level": "note"}}' > pmd-output.sarif |
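Review bot: The PR-files branch (`curl … | jq --raw-output '.[] .filename' | paste … >> diff-file.csv`) never checks that the API call succeeded: without `--fail`, and with no `set -e`/`pipefail` anywhere in the script, a 401/403/404 error object is piped into `jq '.[] .filename'`, which emits nothing, so diff-file.csv is empty and PMD scans an empty file list, meaning the check passes vacuously on exactly the runs where the token or PR lookup is broken. Suggest `set -eo pipefail` near the top, `curl -fsS -H "Accept: application/vnd.github.v3+json" -H "Authorization: token ${AUTH_TOKEN}" …` for the request, and `[ -s diff-file.csv ] || { echo "no changed files resolved" >&2; exit 1; }` after the inner `fi` so an empty list fails loudly in both the git and GitHub branches. Passing the token as a `-H` argument also exposes it to `ps` and to any `set -x` trace; reading the header from a `mktemp`-created file via `-H @"$hdrfile"` (or `--config`) keeps it out of argv. The file is tagged `# shellcheck shell=sh` but uses `[[ … ]]` and `<<<`, which are bash-only, so the directive should be `shell=bash` (and the script must run under bash) or those constructs replaced. The rendered page dropped the +/- markers, so which of the two identical `git diff … >> diff-file.csv` lines is the new side is inferred; if both survive, the changed-file list is appended twice.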