Violations Maven Plugin

Version	Java Version
version < 2.2.0	8
2.2.0 <= version	11

This is a Maven plugin for Violations Lib. There is also a Gradle plugin and a command line tool.

It can parse results from static code analysis and:

• Report violations in the build log.
• Optionally fail the build depending on violations found.

A snippet of the output may look like this:

se/bjurr/violations/lib/example/OtherClass.java
╔══════════╤════════════╤══════════╤══════╤════════════════════════════════════════════════════╗
║ Reporter │ Rule       │ Severity │ Line │ Message                                            ║
╠══════════╪════════════╪══════════╪══════╪════════════════════════════════════════════════════╣
║ Findbugs │ MS_SHOULD_ │ INFO     │ 7    │ Field isn't final but should be                    ║
║          │ BE_FINAL   │          │      │                                                    ║
║          │            │          │      │                                                    ║
║          │            │          │      │    <p>                                             ║
║          │            │          │      │ This static field public but not final, and        ║
║          │            │          │      │ could be changed by malicious code or              ║
║          │            │          │      │         by accident from another package.          ║
║          │            │          │      │         The field could be made final to avoid     ║
║          │            │          │      │         this vulnerability.</p>                    ║
╟──────────┼────────────┼──────────┼──────┼────────────────────────────────────────────────────╢
║ Findbugs │ NM_FIELD_N │ INFO     │ 6    │ Field names should start with a lower case letter  ║
║          │ AMING_CONV │          │      │                                                    ║
║          │ ENTION     │          │      │                                                    ║
║          │            │          │      │   <p>                                              ║
║          │            │          │      │ Names of fields that are not final should be in mi ║
║          │            │          │      │ xed case with a lowercase first letter and the fir ║
║          │            │          │      │ st letters of subsequent words capitalized.        ║
║          │            │          │      │ </p>                                               ║
╚══════════╧════════════╧══════════╧══════╧════════════════════════════════════════════════════╝

Summary of se/bjurr/violations/lib/example/OtherClass.java
╔══════════╤══════╤══════╤═══════╤═══════╗
║ Reporter │ INFO │ WARN │ ERROR │ Total ║
╠══════════╪══════╪══════╪═══════╪═══════╣
║ Findbugs │ 2    │ 0    │ 0     │ 2     ║
╟──────────┼──────┼──────┼───────┼───────╢
║          │ 2    │ 0    │ 0     │ 2     ║
╚══════════╧══════╧══════╧═══════╧═══════╝


Summary
╔════════════╤══════╤══════╤═══════╤═══════╗
║ Reporter   │ INFO │ WARN │ ERROR │ Total ║
╠════════════╪══════╪══════╪═══════╪═══════╣
║ Checkstyle │ 4    │ 1    │ 1     │ 6     ║
╟────────────┼──────┼──────┼───────┼───────╢
║ Findbugs   │ 2    │ 2    │ 5     │ 9     ║
╟────────────┼──────┼──────┼───────┼───────╢
║            │ 6    │ 3    │ 6     │ 15    ║
╚════════════╧══════╧══════╧═══════╧═══════╝

Example of supported reports are available here.

A number of parsers have been implemented. Some parsers can parse output from several reporters.

Reporter	Parser	Notes
ARM-GCC	CLANG
AndroidLint	ANDROIDLINT
Ansible-Later	ANSIBLELATER	With json format
AnsibleLint	FLAKE8	With -p
Bandit	CLANG	With bandit -r examples/ -f custom -o bandit.out --msg-template "{abspath}:{line}: {severity}: {test_id}: {msg}"
CLang	CLANG
CPD	CPD
CPPCheck	CPPCHECK	With cppcheck test.cpp --output-file=cppcheck.xml --xml
CPPLint	CPPLINT
CSSLint	CSSLINT
Checkstyle	CHECKSTYLE
CloudFormation Linter	JUNIT	cfn-lint . -f junit --output-file report-junit.xml
CodeClimate	CODECLIMATE
CodeNarc	CODENARC
Coverity	COVERITY
Dart	MACHINE	With dart analyze --format=machine
Dependency Check	SARIF	Using --format SARIF
Detekt	CHECKSTYLE	With --output-format xml.
DocFX	DOCFX
Doxygen	CLANG
ERB	CLANG	With erb -P -x -T '-' "${it}" | ruby -c 2>&1 >/dev/null | grep '^-' | sed -E 's/^-([a-zA-Z0-9:]+)/${filename}\1 ERROR:/p' > erbfiles.out.
ESLint	CHECKSTYLE	With format: 'checkstyle'.
Findbugs	FINDBUGS
Flake8	FLAKE8
FxCop	FXCOP
GCC	CLANG
GHS	GHS
Gendarme	GENDARME
Generic reporter	GENERIC	Will create one single violation with all the content as message.
GoLint	GOLINT
GoVet	GOLINT	Same format as GoLint.
GolangCI-Lint	CHECKSTYLE	With --out-format=checkstyle.
GoogleErrorProne	GOOGLEERRORPRONE
HadoLint	CHECKSTYLE	With -f checkstyle
IAR	IAR	With --no_wrap_diagnostics
Infer	PMD	Facebook Infer. With --pmd-xml.
JACOCO	JACOCO
JCReport	JCREPORT
JSHint	JSLINT	With --reporter=jslint or the CHECKSTYLE parser with --reporter=checkstyle
JUnit	JUNIT	It only contains the failures.
KTLint	CHECKSTYLE
Klocwork	KLOCWORK
KotlinGradle	KOTLINGRADLE	Output from Kotlin Gradle Plugin.
KotlinMaven	KOTLINMAVEN	Output from Kotlin Maven Plugin.
Lint	LINT	A common XML format, used by different linters.
MSBuildLog	MSBULDLOG	With -fileLogger use .*msbuild\\.log$ as pattern or -fl -flp:logfile=MyProjectOutput.log;verbosity=diagnostic for a custom output filename
MSCpp	MSCPP
Mccabe	FLAKE8
MyPy	MYPY
NullAway	GOOGLEERRORPRONE	Same format as Google Error Prone.
PCLint	PCLINT	PC-Lint using the same output format as the Jenkins warnings plugin, details here
PHPCS	CHECKSTYLE	With phpcs api.php --report=checkstyle.
PHPPMD	PMD	With phpmd api.php xml ruleset.xml.
PMD	PMD
Pep8	FLAKE8
PerlCritic	PERLCRITIC
PiTest	PITEST
ProtoLint	PROTOLINT
Puppet-Lint	CLANG	With -log-format %{fullpath}:%{line}:%{column}: %{kind}: %{message}
PyDocStyle	PYDOCSTYLE
PyFlakes	FLAKE8
PyLint	PYLINT	With pylint --output-format=parseable.
ReSharper	RESHARPER
RubyCop	CLANG	With rubycop -f clang file.rb
SARIF	SARIF	v2.x. Microsoft Visual C# can generate it with ErrorLog="BuildErrors.sarif,version=2".
SbtScalac	SBTSCALAC
Scalastyle	CHECKSTYLE
Semgrep	SEMGREP	With --json.
Simian	SIMIAN
Sonar	SONAR	With mvn sonar:sonar -Dsonar.analysis.mode=preview -Dsonar.report.export.path=sonar-report.json. Removed in 7.7, see SONAR-11670 but can be retrieved with: curl --silent 'http://sonar-server/api/issues/search?componentKeys=unique-key&resolved=false' | jq -f sonar-report-builder.jq > sonar-report.json.
Spotbugs	FINDBUGS
StyleCop	STYLECOP
SwiftLint	CHECKSTYLE	With --reporter checkstyle.
TSLint	CHECKSTYLE	With -t checkstyle
Valgrind	VALGRIND	With --xml=yes.
XMLLint	XMLLINT
XUnit	XUNIT	It only contains the failures.
YAMLLint	YAMLLINT	With -f parsable
ZPTLint	ZPTLINT

52 parsers and 79 reporters.

Missing a format? Open an issue here!

Usage

There is a running example here. See also bjurr-bom.

The plugin needs to run after any static code analysis tools, so put it after them in the pom. Having the following in the pom will make the plugin run with mvn validate:

  <plugins>
   <plugin>
    <groupId>org.codehaus.mojo</groupId>
    <artifactId>findbugs-maven-plugin</artifactId>
    <version>3.0.5</version>
    <executions>
     <execution>
      <goals>
       <goal>check</goal>
      </goals>
     </execution>
    </executions>
   </plugin>
   <plugin>
    <groupId>se.bjurr.violations</groupId>
    <artifactId>violations-maven-plugin</artifactId>
    <version>X</version>
    <executions>
     <execution>
      <phase>validate</phase>
      <goals>
       <goal>violations</goal>
      </goals>
      <configuration>
       <!-- Optional config -->
       <!-- 0 is disabled -->
       <maxReporterColumnWidth>0</maxReporterColumnWidth>
       <maxRuleColumnWidth>60</maxRuleColumnWidth>
       <maxSeverityColumnWidth>0</maxSeverityColumnWidth>
       <maxLineColumnWidth>0</maxLineColumnWidth>
       <maxMessageColumnWidth>50</maxMessageColumnWidth>
     
       <!-- Global configuration, remove if you dont want to report violations 
            for the entire repo. -->
       <!-- INFO, WARN or ERROR -->
       <minSeverity>INFO</minSeverity>
       <!-- PER_FILE_COMPACT, COMPACT or VERBOSE -->
       <detailLevel>VERBOSE</detailLevel>
       <!-- Will fail the build if total number of found violations is higher -->
       <maxViolations>99999999</maxViolations>
       <!-- Will print violations found in diff -->
       <printViolations>true</printViolations>
       <!-- Will create a CodeClimate JSON report. -->
       <codeClimateFile>code-climate-file.json</codeClimateFile>
       <!-- Will create a normalized JSON report. -->
       <violationsFile>violations-file.json</violationsFile>
     
       <!-- Diff configuration, remove if you dont want to report violations 
            for files changed between specific revisions. -->
       <!-- Can be empty (ignored), Git-commit or any Git-reference -->
       <diffFrom></diffFrom>
       <!-- Same as above -->
       <diffTo></diffTo>
       <!-- INFO, WARN or ERROR -->
       <diffMinSeverity>INFO</diffMinSeverity>
       <!-- PER_FILE_COMPACT, COMPACT or VERBOSE -->
       <diffDetailLevel>VERBOSE</diffDetailLevel>
       <!-- Will fail the build if number of violations, in the diff within from/to, is higher -->
       <diffMaxViolations>99</diffMaxViolations>
       <!-- Will print violations found in diff -->
       <diffPrintViolations>true</diffPrintViolations>
       <!-- Where to look for Git -->
       <gitRepo>.</gitRepo>
     
     
       <!-- This is mandatory regardless of if you want to report violations 
            between revisions or the entire repo. -->
       <violations>
        <violation>
         <!-- Many more formats available, see:
              https://github.com/tomasbjerre/violations-lib
         -->
         <parser>FINDBUGS</parser>
         <reporter>Findbugs</reporter>
         <folder>.</folder>
         <pattern>.*/findbugsXml\.xml$</pattern>
        </violation>
       </violations>
      </configuration>
     </execution>
    </executions>
   </plugin>
  </plugins>