Report static code analysis to Bitbucket Cloud.
npm install violation-comments-to-bitbucket-cloud-command-line
Report static code analysis to Bitbucket Cloud. It uses the Violations Lib.
The runnable can be found in NPM.
| Version | Java Version |
| ------------------| ------------ |
| version < 1.36.0 | 11 |
| 1.36.0 <= version | 17 |
Run it with:
``shell`Using application password
npx violation-comments-to-bitbucket-cloud-command-line \
-u tomasbjerre \
-p MY-APPLICATION-PASSWORD \
-ws tomasbjerre \
-rs violations-test \
-prid 1 \
-v "CHECKSTYLE" "." ".*checkstyle/main\.xml$" "Checkstyle" \
-v "JSHINT" "." ".*jshint/report\.xml$" "JSHint"
Using API token
npx violation-comments-to-bitbucket-cloud-command-line \
-t MY-PROJECT-OR-REPOSITORY-APPLICATION-PASSWORD \
-ws tomasbjerre \
-rs violations-test \
-prid 1 \
-v "CHECKSTYLE" "." ".*checkstyle/main\.xml$" "Checkstyle" \
-v "JSHINT" "." ".*jshint/report\.xml$" "JSHint"
Create application passwords like this: https://confluence.atlassian.com/bitbucket/app-passwords-828781300.html. Pass the username (-u) and the application password (-p) to the command.
Alternatively, the plugin supports api tokens; create them like this: https://support.atlassian.com/bitbucket-cloud/docs/api-tokens/. Pass the api token (-t) to the command.
If using it from Jenkins, you may integrate with Bitbucket Cloud with this plugin: https://github.com/jenkinsci/generic-webhook-trigger-plugin
You must perform the merge before build. If you don't perform the merge, the reported violations will refer to other lines then those in the pull request. The merge can be done with a shell script like this.
`
echo ---
echo --- Merging from $FROM in $FROMREPO to $TO in $TOREPO
echo ---
git clone $TOREPO
cd *
git reset --hard $TO
git status
git remote add from $FROMREPO
git fetch from
git merge $FROM
git --no-pager log --max-count=10 --graph --abbrev-commit
Your build command here!
`
Example of supported reports are available here.
A number of parsers have been implemented. Some parsers can parse output from several reporters.
| Reporter | Parser | Notes
| --- | --- | ---
| _ARM-GCC_ | CLANG | ANDROIDLINT
| _AndroidLint_ | | ANSIBLELATER
| _Ansible-Later_ | | With json formatFLAKE8
| _AnsibleLint_ | | With -p
| _Bandit_ | | With bandit -r examples/ -f custom -o bandit.out --msg-template "{abspath}:{line}: {severity}: {test_id}: {msg}"
| _CLang_ | | CPD
| _CPD_ | | CPPCHECK
| _CPPCheck_ | | With cppcheck test.cpp --output-file=cppcheck.xml --xml
| _CPPLint_ | | CSSLINT
| _CSSLint_ | | CHECKSTYLE
| _Checkstyle_ | | JUNIT
| _CloudFormation Linter_ | | cfn-lint . -f junit --output-file report-junit.xml
| _CodeClimate_ | | CODENARC
| _CodeNarc_ | | COVERITY
| _Coverity_ | | MACHINE
| _Dart_ | | With dart analyze --format=machine
| _Dependency Check_ | | Using --format SARIF
| _Detekt_ | | With --output-format xml.DOCFX
| _DocFX_ | | CLANG
| _Doxygen_ | | CLANG
| _ERB_ | | With erb -P -x -T '-' "${it}" \| ruby -c 2>&1 >/dev/null \| grep '^-' \| sed -E 's/^-([a-zA-Z0-9:]+)/${filename}\1 ERROR:/p' > erbfiles.out.CHECKSTYLE
| _ESLint_ | | With format: 'checkstyle'.FINDBUGS
| _Findbugs_ | | FLAKE8
| _Flake8_ | | FXCOP
| _FxCop_ | | CLANG
| _GCC_ | | GHS
| _GHS_ | | GENDARME
| _Gendarme_ | | GENERIC
| [_Generic reporter_]() | | Will create one single violation with all the content as message.GOLINT
| _GoLint_ | | GOLINT
| _GoVet_ | | Same format as GoLint.CHECKSTYLE
| _GolangCI-Lint_ | | With --out-format=checkstyle.GOOGLEERRORPRONE
| _GoogleErrorProne_ | | CHECKSTYLE
| _HadoLint_ | | With -f checkstyle
| _IAR_ | | With --no_wrap_diagnostics
| _Infer_ | | Facebook Infer. With --pmd-xml.JACOCO
| _JACOCO_ | | JCREPORT
| _JCReport_ | | JSLINT
| _JSHint_ | | With --reporter=jslint or the CHECKSTYLE parser with --reporter=checkstyle
| _JUnit_ | | It only contains the failures.CHECKSTYLE
| _KTLint_ | | KLOCWORK
| _Klocwork_ | | KOTLINGRADLE
| _KotlinGradle_ | | Output from Kotlin Gradle Plugin.KOTLINMAVEN
| _KotlinMaven_ | | Output from Kotlin Maven Plugin.LINT
| [_Lint_]() | | A common XML format, used by different linters.MSBULDLOG
| _MSBuildLog_ | | With -fileLogger use .*msbuild\\.log$ as pattern or -fl -flp:logfile=MyProjectOutput.log;verbosity=diagnostic for a custom output filenameMSCPP
| _MSCpp_ | | FLAKE8
| _Mccabe_ | | MYPY
| _MyPy_ | | GOOGLEERRORPRONE
| _NullAway_ | | Same format as Google Error Prone.PCLINT
| _PCLint_ | | PC-Lint using the same output format as the Jenkins warnings plugin, _details here_CHECKSTYLE
| _PHPCS_ | | With phpcs api.php --report=checkstyle.PMD
| _PHPPMD_ | | With phpmd api.php xml ruleset.xml.PMD
| _PMD_ | | FLAKE8
| _Pep8_ | | PERLCRITIC
| _PerlCritic_ | | PITEST
| _PiTest_ | | PROTOLINT
| _ProtoLint_ | | CLANG
| _Puppet-Lint_ | | With -log-format %{fullpath}:%{line}:%{column}: %{kind}: %{message}
| _PyDocStyle_ | | FLAKE8
| _PyFlakes_ | | PYLINT
| _PyLint_ | | With pylint --output-format=parseable.RESHARPER
| _ReSharper_ | | CLANG
| _RubyCop_ | | With rubycop -f clang file.rb
| _SARIF_ | | v2.x. Microsoft Visual C# can generate it with ErrorLog="BuildErrors.sarif,version=2".SBTSCALAC
| _SbtScalac_ | | CHECKSTYLE
| _Scalastyle_ | | SEMGREP
| _Semgrep_ | | With --json.SIMIAN
| _Simian_ | | SONAR
| _Sonar_ | | With mvn sonar:sonar -Dsonar.analysis.mode=preview -Dsonar.report.export.path=sonar-report.json. Removed in 7.7, see SONAR-11670 but can be retrieved with: curl --silent 'http://sonar-server/api/issues/search?componentKeys=unique-key&resolved=false' \| jq -f sonar-report-builder.jq > sonar-report.json.FINDBUGS
| _Spotbugs_ | | STYLECOP
| _StyleCop_ | | CHECKSTYLE
| _SwiftLint_ | | With --reporter checkstyle.CHECKSTYLE
| _TSLint_ | | With -t checkstyle
| _Valgrind_ | | With --xml=yes.XMLLINT
| _XMLLint_ | | XUNIT
| _XUnit_ | | It only contains the failures.YAMLLINT
| _YAMLLint_ | | With -f parsable
| _ZPTLint_ | |
52 parsers and 79 reporters.
Missing a format? Open an issue here!
`shell-u
-api-token, -t
'api token' in Bitbucket
to use here. See https://support.
atlassian.com/bitbucket-cloud/
docs/api-tokens/
Note: If you pass this argument,
and -p shall be omitted.-u
Default:
-comment-only-changed-content, -cocc
parts of the changed files
should be commented. False if
all findings on the
changed files should be
commented.
Default: true
-comment-only-changed-files, -cocf
files should be commented.
False if all findings should
be commented.
Default: true
-comment-template
com/tomasbjerre/violation-comments-lib
Default:
-create-comment-with-all-single-file-comments, -
ccwasfc
-create-single-file-comments, -csfc
Default: true
-h, --help
Default: If no specific parameter is given the whole usage text is given
-keep-old-comments
Default: false
-max-number-of-violations, -max
Default: 2,147,483,647
-password, -p
'application password' in Bitbucket
to use here. See https:
//confluence.atlassian.
com/bitbucket/app-passwords-828781300.
html
Note: If you pass this argument,
is required, and -t shall -p
be omitted.
Default:
-pull-request-id, -prid
-repository-slug, -rs
-severity, -s
to report.
Default: INFO
-show-debug-info Please run your
command with this parameter
and supply output when
reporting bugs.
Default: disabled
-username, -u
Note: If you pass this argument,
is required, and -t shall ``
be omitted.
Default:
--violations, -v
for.
PARSER is one of:
ANDROIDLINT, CHECKSTYLE, CODENARC,
CLANG, CPD, CPPCHECK,
CPPLINT, CSSLINT, FINDBUGS,
FLAKE8, FXCOP, GENDARME, IAR,
JCREPORT, JSHINT, JUNIT, LINT,
KLOCWORK, KOTLINMAVEN,
KOTLINGRADLE, MSCPP, MYPY, GOLINT,
GOOGLEERRORPRONE, PERLCRITIC, PITEST,
PMD, PYDOCSTYLE, PYLINT,
RESHARPER, SBTSCALAC, SIMIAN,
SONAR, STYLECOP, XMLLINT,
YAMLLINT, ZPTLINT, DOCFX, PCLINT
Example: -v "JSHINT"
"." ".*/jshint.xml$"
"JSHint" [Supports Multiple occurrences]
Default: Empty list
-workspace, -ws
typically same as username. [Required]
Checkout the Violations Lib for more documentation.