Java library for parsing report files from static code analysis tools.

Overview

Violations Lib

Available on Maven Central.

This is a Java library for parsing report files from static code analysis tools.

Examples of supported reports are available here.

A number of parsers have been implemented. Some parsers can parse output from several reporters.

Reporter | Parser | Notes
--- | --- | ---
ARM-GCC | CLANG |
AndroidLint | ANDROIDLINT |
AnsibleLint | FLAKE8 | With -p
Bandit | CLANG | With bandit -r examples/ -f custom -o bandit.out --msg-template "{abspath}:{line}: {severity}: {test_id}: {msg}"
CLang | CLANG |
CPD | CPD |
CPPCheck | CPPCHECK | With cppcheck test.cpp --output-file=cppcheck.xml --xml
CPPLint | CPPLINT |
CSSLint | CSSLINT |
Checkstyle | CHECKSTYLE |
CloudFormation Linter | JUNIT | With cfn-lint . -f junit --output-file report-junit.xml
CodeClimate | CODECLIMATE |
CodeNarc | CODENARC |
Dart | MACHINE | With dart analyze --format=machine
Detekt | CHECKSTYLE | With --output-format xml.
DocFX | DOCFX |
Doxygen | CLANG |
ERB | CLANG | With erb -P -x -T '-' "${it}" \| ruby -c 2>&1 >/dev/null \| grep '^-' \| sed -E 's/^-([a-zA-Z0-9:]+)/$(unknown)\1 ERROR:/p' > erbfiles.out.
ESLint | CHECKSTYLE | With format: 'checkstyle'.
Findbugs | FINDBUGS |
Flake8 | FLAKE8 |
FxCop | FXCOP |
GCC | CLANG |
Gendarme | GENDARME |
Generic reporter | GENERIC | Will create one single violation with all the content as message.
GoLint | GOLINT |
GoVet | GOLINT | Same format as GoLint.
GolangCI-Lint | CHECKSTYLE | With --out-format=checkstyle.
GoogleErrorProne | GOOGLEERRORPRONE |
HadoLint | CHECKSTYLE | With -f checkstyle
IAR | IAR | With --no_wrap_diagnostics
Infer | PMD | Facebook Infer. With --pmd-xml.
JACOCO | JACOCO |
JCReport | JCREPORT |
JSHint | JSLINT | With --reporter=jslint, or the CHECKSTYLE parser with --reporter=checkstyle
JUnit | JUNIT | It only contains the failures.
KTLint | CHECKSTYLE |
Klocwork | KLOCWORK |
KotlinGradle | KOTLINGRADLE | Output from Kotlin Gradle Plugin.
KotlinMaven | KOTLINMAVEN | Output from Kotlin Maven Plugin.
Lint | LINT | A common XML format, used by different linters.
MSBuildLog | MSBULDLOG | With -fileLogger use .*msbuild\\.log$ as pattern, or -fl -flp:logfile=MyProjectOutput.log;verbosity=diagnostic for a custom output filename
MSCpp | MSCPP |
Mccabe | FLAKE8 |
MyPy | MYPY |
NullAway | GOOGLEERRORPRONE | Same format as Google Error Prone.
PCLint | PCLINT | PC-Lint using the same output format as the Jenkins warnings plugin, details here
PHPCS | CHECKSTYLE | With phpcs api.php --report=checkstyle.
PHPPMD | PMD | With phpmd api.php xml ruleset.xml.
PMD | PMD |
Pep8 | FLAKE8 |
PerlCritic | PERLCRITIC |
PiTest | PITEST |
ProtoLint | PROTOLINT |
Puppet-Lint | CLANG | With -log-format %{fullpath}:%{line}:%{column}: %{kind}: %{message}
PyDocStyle | PYDOCSTYLE |
PyFlakes | FLAKE8 |
PyLint | PYLINT | With pylint --output-format=parseable.
ReSharper | RESHARPER |
RubyCop | CLANG | RuboCop, with rubocop -f clang file.rb
SARIF | SARIF |
SbtScalac | SBTSCALAC |
Scalastyle | CHECKSTYLE |
Simian | SIMIAN |
Sonar | SONAR | With mvn sonar:sonar -Dsonar.analysis.mode=preview -Dsonar.report.export.path=sonar-report.json. Removed in 7.7, see SONAR-11670, but can be retrieved with: curl --silent 'http://sonar-server/api/issues/search?componentKeys=unique-key&resolved=false' \| jq -f sonar-report-builder.jq > sonar-report.json.
Spotbugs | FINDBUGS |
StyleCop | STYLECOP |
SwiftLint | CHECKSTYLE | With --reporter checkstyle.
TSLint | CHECKSTYLE | With -t checkstyle
Valgrind | VALGRIND | With --xml=yes.
XMLLint | XMLLINT |
XUnit | XUNIT | It only contains the failures.
YAMLLint | YAMLLINT | With -f parsable
ZPTLint | ZPTLINT |

48 parsers and 74 reporters.

Missing a format? Open an issue here!

Usage

The API is a builder. With the library on the classpath (the static import below is assumed to be the class exposing the builder method used here; Violation and Parser are the library's model and reports types):

  import static se.bjurr.violations.lib.ViolationsReporterApi.violationsReporterApi;
  import static se.bjurr.violations.lib.reports.Parser.FINDBUGS;
  import java.util.List;
  import se.bjurr.violations.lib.model.Violation;

  // rootFolder: String path of the directory to search for reports
  List<Violation> violations = violationsReporterApi() //
    .withPattern(".*/findbugs/.*\\.xml$") //
    .inFolder(rootFolder) //
    .findAll(FINDBUGS) //
    .violations();

It can also export the violations to the CodeClimate format with:

  import se.bjurr.violations.lib.model.codeclimate.CodeClimate; // CodeClimate model type (package assumed)

  List<CodeClimate> violations = violationsReporterApi() //
    .withPattern(".*/findbugs/.*\\.xml$") //
    .inFolder(rootFolder) //
    .findAll(FINDBUGS) //
    .codeClimate();
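The parsed list is usually the input to a build decision rather than the end result. The following is an added example of my own, not code from the violations-lib README: it uses the builder exactly as above and turns the result into a CI quality gate that fails on violations at or above a chosen severity, printing a deterministic per-file summary first. It assumes the library on the classpath, that the builder method comes from se.bjurr.violations.lib.ViolationsReporterApi (matching the violationsReporterApi() call above), and uses only the Violation getters getFile(), getStartLine(), getSeverity() and getMessage() together with the SEVERITY enum (declared INFO, WARN, ERROR).

```java
// Added example, not part of violations-lib. The static import of the builder is an
// assumption matching the README's violationsReporterApi() call.
import static se.bjurr.violations.lib.ViolationsReporterApi.violationsReporterApi;
import static se.bjurr.violations.lib.reports.Parser.FINDBUGS;

import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import se.bjurr.violations.lib.model.SEVERITY;
import se.bjurr.violations.lib.model.Violation;

/** Quality gate: parse every matching report, fail the build on violations at or above a threshold. */
public final class ViolationsGate {

  /** Violations whose severity is at least the threshold; SEVERITY is declared INFO, WARN, ERROR, so ordinal() ranks them. */
  static List<Violation> atLeast(List<Violation> all, SEVERITY threshold) {
    List<Violation> kept = new ArrayList<>();
    for (Violation v : all) {
      if (v.getSeverity() != null && v.getSeverity().ordinal() >= threshold.ordinal()) {
        kept.add(v);
      }
    }
    return kept;
  }

  /** Group by file (sorted) and by line within a file, so the printed summary is stable between runs. */
  static Map<String, List<Violation>> byFile(List<Violation> violations) {
    Map<String, List<Violation>> grouped = new TreeMap<>();
    for (Violation v : violations) {
      grouped.computeIfAbsent(String.valueOf(v.getFile()), k -> new ArrayList<>()).add(v);
    }
    for (List<Violation> perFile : grouped.values()) {
      perFile.sort(Comparator.comparing(Violation::getStartLine));
    }
    return grouped;
  }

  static String describe(Violation v) {
    return "line " + v.getStartLine() + " " + v.getSeverity() + ": " + v.getMessage();
  }

  public static void main(String[] args) {
    String rootFolder = args.length > 0 ? args[0] : ".";
    SEVERITY threshold = args.length > 1 ? SEVERITY.valueOf(args[1]) : SEVERITY.ERROR;

    // Same builder as in the README; copied into an ArrayList so it works whether
    // violations() returns a List or a Set.
    List<Violation> all = new ArrayList<>(violationsReporterApi() //
        .withPattern(".*/findbugs/.*\\.xml$") //
        .inFolder(rootFolder) //
        .findAll(FINDBUGS) //
        .violations());

    List<Violation> blocking = atLeast(all, threshold);
    System.out.println(all.size() + " violations parsed, " + blocking.size() + " at or above " + threshold);
    byFile(blocking).forEach((file, list) -> {
      System.out.println(file + " (" + list.size() + ")");
      list.forEach(v -> System.out.println("  " + describe(v)));
    });

    // A non-zero exit makes the CI step fail; the summary above tells the reviewer why.
    if (!blocking.isEmpty()) {
      System.exit(1);
    }
  }
}
```

Run as `java -cp <classpath> ViolationsGate <folder> [INFO|WARN|ERROR]`. Sorting before printing matters more than it looks: an unsorted summary changes order between runs and makes CI log diffs useless for spotting new findings.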

The library is used in a number of other projects, among them a GitHub Action, a command-line tool, and Gradle, Maven and Jenkins plugins, together with some supporting libraries.

Comments
  • cpplint parser does not recognize any violations from cpplint report

    Hi,

    I use Violations Comments to GitLab plugin with cpplint. But the plugin find 0 violations.

    cpplint.xml is located directly in the workspace with the content below:

    17:24:17 src/utility/utility.h:15: Tab found; better to use spaces [whitespace/tab] [1]
    17:24:17 src/utility/utility.h:17: Tab found; better to use spaces [whitespace/tab] [1]
    17:24:17 src/utility/utility.h:30: Tab found; better to use spaces [whitespace/tab] [1]

    Below is the ViolationConfig:

    17:24:18 gitLabUrl: http://gitlab.xxxx.domain
    17:24:18 projectId: 33938
    17:24:18 mergeRequestIid: 163
    17:24:18 apiToken: true
    17:24:18 apiTokenCredentialsId: false
    17:24:18 ignoreCertificateErrors: true
    17:24:18 apiTokenPrivate: true
    17:24:18 authMethodHeader: true
    17:24:18 createCommentWithAllSingleFileComments: true
    17:24:18 createSingleFileComments: false
    17:24:18 commentOnlyChangedContent: true
    17:24:18 maxNumberOfViolations:99999
    17:24:18 minSeverity: INFO
    17:24:18 keepOldComments: true
    17:24:18 shouldSetWip: true
    17:24:18 commentTemplate:
    17:24:18 proxyUri:
    17:24:18 proxyUser: no
    17:24:18 proxyPassword: no
    17:24:18 CPPLINT with pattern .*cpplint.xml$
    17:24:18 Running Violation Comments To GitLab
    17:24:18 Merge request: 163
    17:24:18 Workspace: F:\Jenkins\workspace\static_check
    17:24:18 Found 0 violations from ViolationConfig [pattern=.*cpplint.xml$, parser=CPPLINT, reporter=CPPLint].

    One more thing: I tried Pylint, which works correctly and can comment successfully to GitLab. So there should be no proxy or connection issue.

    I searched the internet but cannot find anything valuable to fix it. Any idea what the problem might be? Or is there anything I configured wrong?

    opened by shyingsheng 12
  • Support for Microsoft Visual C++ compiler via msys2 makefile

    Output is like the following:

    ../../source/gui/controls/DebugPrint.cpp(30): warning C4311: "Typumwandlung": Zeigerverkürzung von "void *" zu "long"
    (the German MSVC text reads: "type conversion": pointer truncation from "void *" to "long")

    Relative to repo root it would be

    source/gui/controls/DebugPrint.cpp(30): warning C4311: "Typumwandlung": Zeigerverkürzung von "void *" zu "long"

    My proposal:

    (.*)\((\d+)\): (warning.*)
    (.*)\((\d+)\): ((?:fatal |)error.*)

    enhancement 
    opened by stoesselt 12
  • Ability to parse violations based on a regex

    I would like to be able to parse the output from my own homemade tool. Instead of adding a new parser to the library, the easiest thing would be if there was support for generic regex parsing. This is for example possible in the Jenkins warnings plugin.

    What complicates things is that the regex parser requires a parameter, so it can't use the same interface as the other parsers. I have a suggestion for how to do this, but I'm not sure of it. I'll create a pull request.

    enhancement 
    opened by oyvindlr 12
  • XUnit parser

    npx violation-comments-to-bitbucket-cloud-command-line -username *** -password *** -ws ***** -rs jenkins_test -prid 43 -v "JUNIT" "." ".*/reports/mocha-test-results.xml$" "Junit" -keep-old-comments true

    Feb 27, 2020 10:42:00 AM se.bjurr.violations.lib.parsers.JUnitParser parseReportOutput
    WARNING: Found failure, but failed to find fail line from stacktrace

    enhancement 
    opened by HeidiRechek 11
  • parsing pylint reports

    Hello Tomas,

    I think there is an issue with the pylint (or flake8?) parser. I'm having the following concerns being raised by pylint,

    legacy_data/interface.py:26: [W0102(dangerous-default-value), get_data] Dangerous default value {} as argument
    legacy_data/fake_models.py:106: [C0330(bad-continuation), ] Wrong hanging indentation (remove 1 space).
    legacy_data/fake_models.py:323: [R0912(too-many-branches), set_flight_partialpayment] Too many branches (13/12)
    

    And, try as I might, I can't seem to get the Violation Comments to GitHub Jenkins Plugin to write comments on my pull requests. Investigating the issue, I think it's because the format of my reports does not match what you have in the regex. Specifically here,

    https://github.com/tomasbjerre/violations-lib/blob/master/src/main/java/se/bjurr/violations/lib/parsers/Flake8Parser.java#L30

    Now, I'm not going to ask that you change the regex (though it would be highly appreciated!), I would like some help in figuring it out. With a lot of trial-and-error I kind-of figured out that if I use the following as my msg template in pylint,

    msg-template='{path}:{line}:{column} {msg_id} {msg}'
    

    it should match the regex. Here are some sample messages I got for the above,

    legacy_data/interface.py:54:12 C0103 Invalid variable name "r"
    legacy_data/interface.py:71:0 W0102 Dangerous default value {} as argument
    legacy_data/fake_models.py:323:0 R0912 Too many branches (13/12)
    legacy_data/fake_models.py:475:11 W0703 Catching too general exception Exception
    

    At least, the online Java regex testers say that I got it right. But the comments to GitHub plugin does not detect anything. In the Jenkins log, it says that it found 0 violations, which should not be the case.

    Can you please help me figure out how to format the lines from pylint?

    opened by abrahamvarricatt 11
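The line formats discussed in this thread are all variations on the same thing: one regex per line layout, with the groups mapped onto file, line, severity, rule and message. That covers cpplint's `path:line: message [rule] [confidence]`, the MSVC `path(line): warning Cnnnn: message` layout with the regex proposed in the msys2 comment above, and pylint with the `{path}:{line}:{column} {msg_id} {msg}` template from this comment; it is also the shape of the generic regex parser requested earlier. The following is an added example of my own in plain Java, not violations-lib's parsers: the regexes, the severity mapping (pylint's message-id prefix letter: E/F error, I info, C/R/W warning) and the sample lines are mine, and the sample deliberately includes one cpplint line that still carries a Jenkins console timestamp, as in the report pasted in the first comment.

```java
// Added example, not part of violations-lib: a regex-per-format line parser with the
// diagnostics you want when a report yields "0 violations".
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.function.Function;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class LineReportParser {

  /** One parsed line. column is null for formats that carry no column. */
  public static final class Finding {
    public final String file; public final int line; public final Integer column;
    public final String severity; public final String rule; public final String message;
    Finding(String file, int line, Integer column, String severity, String rule, String message) {
      this.file = file; this.line = line; this.column = column;
      this.severity = severity; this.rule = rule; this.message = message;
    }
    @Override public String toString() {
      return file + ":" + line + (column == null ? "" : ":" + column) + " " + severity + " [" + rule + "] " + message;
    }
  }

  /** One supported line layout: the regex plus how its groups become a Finding. */
  private static final class Format {
    final Pattern pattern; final Function<Matcher, Finding> build;
    Format(String regex, Function<Matcher, Finding> build) { this.pattern = Pattern.compile(regex); this.build = build; }
  }

  // cpplint: path:line: message [category/rule] [confidence]   (confidence is matched but not kept)
  private static final Format CPPLINT = new Format(
      "^(.+?):(\\d+): +(.+?) +\\[([^\\]]+)\\] +\\[\\d\\]$",
      m -> new Finding(m.group(1), Integer.parseInt(m.group(2)), null, "WARN", m.group(4), m.group(3)));

  // MSVC: path(line): [fatal ]warning|error Cnnnn: message   (refines the regex proposed in the msys2 comment)
  private static final Format MSVC = new Format(
      "^(.+)\\((\\d+)\\): ((?:fatal )?(?:warning|error)) (C\\d+): (.*)$",
      m -> new Finding(m.group(1), Integer.parseInt(m.group(2)), null,
          m.group(3).endsWith("error") ? "ERROR" : "WARN", m.group(4), m.group(5)));

  // pylint with --msg-template='{path}:{line}:{column} {msg_id} {msg}'
  private static final Format PYLINT_TEMPLATE = new Format(
      "^(.+?):(\\d+):(\\d+) ([CRWEFI]\\d{4}) (.*)$",
      m -> new Finding(m.group(1), Integer.parseInt(m.group(2)), Integer.parseInt(m.group(3)),
          pylintSeverity(m.group(4)), m.group(4), m.group(5)));

  private static final List<Format> FORMATS = Arrays.asList(CPPLINT, MSVC, PYLINT_TEMPLATE);

  /** pylint message ids start with their category letter: E/F are errors, I is info, C/R/W are warnings. */
  static String pylintSeverity(String msgId) {
    switch (msgId.charAt(0)) {
      case 'E': case 'F': return "ERROR";
      case 'I': return "INFO";
      default: return "WARN";
    }
  }

  /** Parse a whole report. Lines matching no format go into unmatched, so "0 findings" can be explained. */
  public static List<Finding> parse(String report, List<String> unmatched) {
    List<Finding> findings = new ArrayList<>();
    for (String raw : report.split("\\R")) {
      String line = raw.trim();
      if (line.isEmpty()) continue;
      Finding found = null;
      for (Format f : FORMATS) {
        Matcher m = f.pattern.matcher(line);
        if (m.matches()) { found = f.build.apply(m); break; }
      }
      if (found == null) unmatched.add(line); else findings.add(found);
    }
    return findings;
  }

  /** A file path containing whitespace almost always means a prefix (timestamp, tool name) was swallowed by the path group. */
  public static List<Finding> suspiciousPaths(List<Finding> findings) {
    List<Finding> odd = new ArrayList<>();
    for (Finding f : findings) if (f.file.matches(".*\\s.*")) odd.add(f);
    return odd;
  }

  public static void main(String[] args) {
    // Constructed sample: one line per format, plus a cpplint line still carrying a Jenkins console timestamp.
    String report = String.join("\n",
        "src/utility/utility.h:15: Tab found; better to use spaces [whitespace/tab] [1]",
        "source/gui/controls/DebugPrint.cpp(30): warning C4311: \"Typumwandlung\": Zeigerverkürzung von \"void *\" zu \"long\"",
        "main.cpp(12): fatal error C1083: Cannot open include file: 'missing.h'",
        "legacy_data/interface.py:71:0 W0102 Dangerous default value {} as argument",
        "legacy_data/fake_models.py:475:11 E1101 Instance of 'Foo' has no 'bar' member",
        "17:24:17 src/utility/utility.h:17: Tab found; better to use spaces [whitespace/tab] [1]");
    List<String> unmatched = new ArrayList<>();
    List<Finding> findings = parse(report, unmatched);
    findings.forEach(System.out::println);
    System.out.println("unmatched lines: " + unmatched);
    System.out.println("findings with suspicious paths: " + suspiciousPaths(findings));
  }
}
```

Run with `java LineReportParser.java` (Java 11+). The timestamped line is the instructive one: the lazy path group backtracks until it finds `:17: `, so the line parses, but the file becomes `17:24:17 src/utility/utility.h`, a path that does not exist in the workspace. A report like that produces findings yet never produces a merge-request comment. When a report was captured from console output rather than written by the tool, strip the prefix before parsing, and always print the unmatched lines rather than only a count.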
  • Generic Parser comments as a Single Line

    Actual: The violation generated by GenericParser is posted as a single line, whatever the source might be. Expected: The comments must be multi-line if the source has them as multi-line.

    question 
    opened by anirudhbagri 10
  • JUnitParser does not detect failures in xml generated by Ant's Junit task

    We use Ant as our build tool and orchestrate the overall build pipeline using a scripted pipeline in Jenkins. For the tests, we call the Ant JUnit target from the Jenkinsfile. The result is a JUnit results file as XML. Until today, we always used the Jenkins integrated "junit" pipeline step to parse the build result. Today, I have integrated SpotBugs tests using the warnings-ng plugin and then tried to use that one also for the JUnit tests. Unfortunately, the JUnit parser of warnings-ng fails to parse the JUnit XML result file correctly. While "JUnit" reports 2 failures, warnings-ng reports "success"! The Jenkinsfile code:

    recordIssues failOnError: true, sourceDirectory: 'src', qualityGates: [[threshold: 1, type: 'TOTAL', unstable: false]], tools: [junitParser(pattern: 'tests/reports/TESTS-TestSuites.xml')]

    The JUnit result file: TESTS-TestSuites.zip

    opened by schlm3 10
  • StyleCop Analyzer not generating an xml anymore

    The new Version of StyleCop is not generating an xml file anymore as mentioned here: https://github.com/DotNetAnalyzers/StyleCopAnalyzers/issues/1178

    Therefore the current StyleCop Parser does not find the report. Is there a way to get it to work again? Or is a new Parser required for this?

    opened by miikeat 9
  • locationChunks in CppCheck are reported as individual violations

    I'm using your CppCheck parser in Jenkins Warnings plugin to read cppcheck files. In your parser you are converting each "location" of the original error structure to a violation. Actually each error should be converted to one violation only. Your violations should also provide a concept of multiple locations per violation (see SonarQube or Warning Plugin for an example).

    See original Jenkins bug report.

    opened by uhafner 9
  • AndroidLintParser doesn't expose rule correctly

    https://github.com/tomasbjerre/violations-lib/blob/master/src/main/java/se/bjurr/violations/lib/parsers/AndroidLintParser.java

    uses

    String id = getAttribute(issueChunk, "id");
    String rule = getAttribute(issueChunk, "category");
    ...
    .setRule(rule)
    .setMessage(id + ": " + summary + "\n" + message + "\n" + explanation)
    

    notice that the category is used for rule, which is wrong. The rule should be the ID as that's what's failed, category is like "Accessibility" which category can have 10 different rules inside it.

    What can we do?

    enhancement 
    opened by TWiStErRob 9
  • SARIF 2.1.0 discard suppressed results

    A SARIF 2.1.0 log can include some results that are suppressed. For example, the Roslyn C# compiler can write such a log if the source code includes a #pragma directive that disables a warning that it would otherwise deserve. Because Violation does not support the suppression concept, I think SarifParser should discard the suppressed results rather than translate them to Violation instances. Please see [SARIF-v2.1.0] §3.27.23 for information about the result.suppressions property, and https://github.com/tomasbjerre/violations-lib/issues/155#issuecomment-1193356552 for a sample SARIF log with a suppressed warning.

    opened by KalleOlaviNiemitalo 7
  • CodeClimateTransformer - HTML in FindBugs messages

    This is related to #167.

    The messages from the FindBugs parser contain HTML formatting, but the spec for the CodeClimate description format says "no HTML formatting."

    If the FindBugs details message were removed from the description , this wouldn't be an issue, but if it were to be moved to the CodeClimate contents field, the HTML should be converted to markdown.

    I have no particular suggestion for how to do the conversion, but at first glance, it looks like it's mostly paragraph tags (<p>) and <code> tags. The former could be replaced by two carriage returns, and the latter by backticks.

    opened by PaulCormier 1
  • FindbugsParser - Remove bug details from message field

    In the FindbugsParser, the details of the bug is being included in the Violation's message field. https://github.com/tomasbjerre/violations-lib/blob/e083e670887819141279f2c11fcedc042a50245a/src/main/java/se/bjurr/violations/lib/parsers/FindbugsParser.java#L73

    These messages can be very long, and also include HTML formatting. When viewing the report in GitLab (from a CodeClimate output) the message is difficult to read, and badly formatted.

    Instead of including the details in the message field, the specifics map could be used. Or perhaps a new field added to Violation.

    This would facilitate emitting the details in a more appropriate output field; for instance, in the CodeClimate's content field.

    opened by PaulCormier 1
  • I am unable to parse a report

    I am unable to parse a report:

    npx violations-command-line -s INFO -mv 0 -v "PMD" "." ".*pmd/main.xml$" "PMD"
    INFO Found 0 reports in . with pattern .*pmd(?:/|\)main.xml$

    I didn't get any violations but I know there are a lot of them. I integrated correctly with Bitbucket but that line still appears. I tried some of your examples too.

    INFO Found 0 reports in . with pattern .*pmd(?:/|\)main.xml$

    opened by WoodyAsterisk 1
  • SARIF 2.1.0 messages with placeholders

    opened by KalleOlaviNiemitalo 1
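The three SARIF points raised in this thread, suppressed results (the comment above), placeholder substitution (this comment) and message-string lookup by id (the next comment), come down to a few lines of logic over the log. The following is an added example of my own, not violations-lib's SarifParser: it resolves each result's message in the order the spec gives for §3.11.7 (message.text, then the rule's messageStrings, then the driver's globalMessageStrings), substitutes `{n}` placeholders from message.arguments with doubled braces kept literal, and skips results with an accepted suppression. It assumes Gson on the classpath and Java 15+ for the text block; the embedded log is constructed for the example, not the one attached to the issue, and treating a suppression that has no status property as accepted is a choice made here, so check it against your consumer.

```java
// Added example, not part of violations-lib. Assumes Gson on the classpath.
import com.google.gson.JsonArray;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Resolves SARIF 2.1.0 result messages (inline text or lookup by message.id, with {n} placeholders) and drops suppressed results. */
public final class SarifMessages {
  private static final Pattern PLACEHOLDER = Pattern.compile("\\{(\\d+)\\}");

  /** Suppressed when any result.suppressions entry is accepted; an absent status is treated as accepted here (assumption). */
  static boolean isSuppressed(JsonObject result) {
    if (!result.has("suppressions")) return false;
    for (JsonElement e : result.getAsJsonArray("suppressions")) {
      JsonObject s = e.getAsJsonObject();
      if (!s.has("status") || "accepted".equals(s.get("status").getAsString())) return true;
    }
    return false;
  }

  /** The reportingDescriptor named by result.ruleIndex, or null (a ruleId search, also allowed by the spec, is omitted). */
  static JsonObject ruleOf(JsonObject driver, JsonObject result) {
    if (!driver.has("rules") || !result.has("ruleIndex")) return null;
    JsonArray rules = driver.getAsJsonArray("rules");
    int idx = result.get("ruleIndex").getAsInt();
    return idx >= 0 && idx < rules.size() ? rules.get(idx).getAsJsonObject() : null;
  }

  /** Text form of the multiformatMessageString stored under holder.property[id], or null. */
  static String stringFor(JsonObject holder, String property, String id) {
    if (holder == null || !holder.has(property) || !holder.getAsJsonObject(property).has(id)) return null;
    JsonObject multi = holder.getAsJsonObject(property).getAsJsonObject(id);
    return multi.has("text") ? multi.get("text").getAsString() : null;
  }

  /** {n} becomes arguments[n]; doubled braces are literal braces, so they are hidden before substitution. */
  static String substitute(String template, JsonArray arguments) {
    String hidden = template.replace("{{", "\u0001").replace("}}", "\u0002");
    Matcher m = PLACEHOLDER.matcher(hidden);
    StringBuffer out = new StringBuffer();
    while (m.find()) {
      int n = Integer.parseInt(m.group(1));
      String arg = n < arguments.size() ? arguments.get(n).getAsString() : m.group(0); // unknown index: keep as-is
      m.appendReplacement(out, Matcher.quoteReplacement(arg));
    }
    m.appendTail(out);
    return out.toString().replace('\u0001', '{').replace('\u0002', '}');
  }

  /** Lookup order: message.text, then the rule's messageStrings, then the driver's globalMessageStrings. */
  static String resolve(JsonObject driver, JsonObject result) {
    JsonObject message = result.getAsJsonObject("message");
    String template = message.has("text") ? message.get("text").getAsString() : null;
    if (template == null) {
      String id = message.get("id").getAsString();
      template = stringFor(ruleOf(driver, result), "messageStrings", id);
      if (template == null) template = stringFor(driver, "globalMessageStrings", id);
      if (template == null) throw new IllegalArgumentException("no message string for id " + id);
    }
    JsonArray args = message.has("arguments") ? message.getAsJsonArray("arguments") : new JsonArray();
    return substitute(template, args);
  }

  /** One "ruleId: message" line per result that is not suppressed. */
  static List<String> render(String sarifJson) {
    List<String> lines = new ArrayList<>();
    for (JsonElement r : JsonParser.parseString(sarifJson).getAsJsonObject().getAsJsonArray("runs")) {
      JsonObject run = r.getAsJsonObject();
      JsonObject driver = run.getAsJsonObject("tool").getAsJsonObject("driver");
      for (JsonElement e : run.getAsJsonArray("results")) {
        JsonObject result = e.getAsJsonObject();
        if (isSuppressed(result)) continue;
        lines.add(result.get("ruleId").getAsString() + ": " + resolve(driver, result));
      }
    }
    return lines;
  }

  // Constructed sample (not the log attached to the issue): an id-based message, inline text,
  // a fallback to globalMessageStrings with escaped braces, and one result suppressed in source.
  static final String SAMPLE = """
      {"version": "2.1.0", "runs": [{
        "tool": {"driver": {"name": "ExampleAnalyzer",
          "rules": [
            {"id": "SARIF2002", "messageStrings": {"Note_Default":
              {"text": "'{0}' uses a message id; provide text too so viewers need no lookup."}}},
            {"id": "CA2201"}],
          "globalMessageStrings": {"Fallback": {"text": "Rule {0} fired at {1} (literal braces: {{x}})."}}}},
        "results": [
          {"ruleId": "SARIF2002", "ruleIndex": 0, "level": "note",
           "message": {"id": "Note_Default", "arguments": ["runs[0].results[0].message"]}},
          {"ruleId": "CA2201", "ruleIndex": 1, "message": {"text": "Do not raise reserved exception types."}},
          {"ruleId": "CA2201", "ruleIndex": 1, "message": {"id": "Fallback", "arguments": ["CA2201", "Program.cs:12"]}},
          {"ruleId": "CA2201", "ruleIndex": 1, "message": {"text": "Disabled with #pragma; must not be reported."},
           "suppressions": [{"kind": "inSource"}]}]}]}
      """;

  public static void main(String[] args) {
    render(SAMPLE).forEach(System.out::println);
  }
}
```

The sample exercises each path once: the first result resolves through the rule's messageStrings, the second is inline, the third falls back to globalMessageStrings (and shows `{{x}}` surviving as a literal `{x}`), and the fourth is dropped because it carries a suppression. A consumer that ignores the suppressions array would post the fourth as a real finding, which is exactly the behaviour the comment above argues against.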
  • SARIF 2.1.0 message string lookup

    SarifParser does not yet support message objects that lack the text and markdown properties and instead have an id property. It would have to locate the message string that corresponds to the id, as specified in [SARIF-v2.1.0] §3.11.7 Message string lookup.

    Sample SARIF log that requires message string lookup
    {
      "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json",
      "version": "2.1.0",
      "runs": [
        {
          "results": [
            {
              "ruleId": "SARIF2002",
              "ruleIndex": 0,
              "level": "note",
              "message": {
                "id": "Note_Default",
                "arguments": [
                  "runs[0].results[0].message"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 11,
                      "startColumn": 22
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2002",
              "ruleIndex": 0,
              "level": "note",
              "message": {
                "id": "Note_Default",
                "arguments": [
                  "runs[0].results[1].message"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 22,
                      "startColumn": 22
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2002",
              "ruleIndex": 0,
              "level": "note",
              "message": {
                "id": "Note_Default",
                "arguments": [
                  "runs[0].results[2].message"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 53,
                      "startColumn": 22
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2002",
              "ruleIndex": 0,
              "level": "note",
              "message": {
                "id": "Note_Default",
                "arguments": [
                  "runs[0].results[3].message"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 79,
                      "startColumn": 22
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2002",
              "ruleIndex": 0,
              "level": "note",
              "message": {
                "id": "Note_Default",
                "arguments": [
                  "runs[0].results[4].message"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 105,
                      "startColumn": 22
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2002",
              "ruleIndex": 0,
              "level": "note",
              "message": {
                "id": "Note_Default",
                "arguments": [
                  "runs[0].results[5].message"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 131,
                      "startColumn": 22
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2003",
              "ruleIndex": 1,
              "level": "note",
              "message": {
                "id": "Note_Default",
                "arguments": [
                  "runs[0]"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 5,
                      "startColumn": 5
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2005",
              "ruleIndex": 2,
              "message": {
                "id": "Warning_ProvideConciseToolName",
                "arguments": [
                  "runs[0].tool.driver.name",
                  "Microsoft (R) Visual C# Compiler",
                  "5",
                  "3"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 156,
                      "startColumn": 52
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2005",
              "ruleIndex": 2,
              "message": {
                "id": "Warning_ProvideToolnformationUri",
                "arguments": [
                  "runs[0].tool.driver",
                  "Microsoft (R) Visual C# Compiler"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 155,
                      "startColumn": 19
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2010",
              "ruleIndex": 3,
              "level": "note",
              "message": {
                "id": "Note_Default",
                "arguments": [
                  "runs[0].results[1].locations[0].physicalLocation.region"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 36,
                      "startColumn": 27
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2010",
              "ruleIndex": 3,
              "level": "note",
              "message": {
                "id": "Note_Default",
                "arguments": [
                  "runs[0].results[2].locations[0].physicalLocation.region"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 62,
                      "startColumn": 27
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2010",
              "ruleIndex": 3,
              "level": "note",
              "message": {
                "id": "Note_Default",
                "arguments": [
                  "runs[0].results[3].locations[0].physicalLocation.region"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 88,
                      "startColumn": 27
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2010",
              "ruleIndex": 3,
              "level": "note",
              "message": {
                "id": "Note_Default",
                "arguments": [
                  "runs[0].results[4].locations[0].physicalLocation.region"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 114,
                      "startColumn": 27
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2010",
              "ruleIndex": 3,
              "level": "note",
              "message": {
                "id": "Note_Default",
                "arguments": [
                  "runs[0].results[5].locations[0].physicalLocation.region"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 140,
                      "startColumn": 27
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2011",
              "ruleIndex": 4,
              "level": "note",
              "message": {
                "id": "Note_Default",
                "arguments": [
                  "runs[0].results[1].locations[0].physicalLocation"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 32,
                      "startColumn": 35
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2011",
              "ruleIndex": 4,
              "level": "note",
              "message": {
                "id": "Note_Default",
                "arguments": [
                  "runs[0].results[2].locations[0].physicalLocation"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 58,
                      "startColumn": 35
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2011",
              "ruleIndex": 4,
              "level": "note",
              "message": {
                "id": "Note_Default",
                "arguments": [
                  "runs[0].results[3].locations[0].physicalLocation"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 84,
                      "startColumn": 35
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2011",
              "ruleIndex": 4,
              "level": "note",
              "message": {
                "id": "Note_Default",
                "arguments": [
                  "runs[0].results[4].locations[0].physicalLocation"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 110,
                      "startColumn": 35
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2011",
              "ruleIndex": 4,
              "level": "note",
              "message": {
                "id": "Note_Default",
                "arguments": [
                  "runs[0].results[5].locations[0].physicalLocation"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 136,
                      "startColumn": 35
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2012",
              "ruleIndex": 5,
              "level": "note",
              "message": {
                "id": "Note_ProvideFriendlyName",
                "arguments": [
                  "runs[0].tool.driver.rules[0]",
                  "CA1014"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 162,
                      "startColumn": 13
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2012",
              "ruleIndex": 5,
              "level": "note",
              "message": {
                "id": "Note_ProvideFriendlyName",
                "arguments": [
                  "runs[0].tool.driver.rules[1]",
                  "CA1847"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 184,
                      "startColumn": 13
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2012",
              "ruleIndex": 5,
              "level": "note",
              "message": {
                "id": "Note_ProvideFriendlyName",
                "arguments": [
                  "runs[0].tool.driver.rules[2]",
                  "CA2201"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 204,
                      "startColumn": 13
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2012",
              "ruleIndex": 5,
              "level": "note",
              "message": {
                "id": "Note_ProvideFriendlyName",
                "arguments": [
                  "runs[0].tool.driver.rules[3]",
                  "CA1305"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 222,
                      "startColumn": 13
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2012",
              "ruleIndex": 5,
              "level": "note",
              "message": {
                "id": "Note_ProvideFriendlyName",
                "arguments": [
                  "runs[0].tool.driver.rules[4]",
                  "CA1307"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 240,
                      "startColumn": 13
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2012",
              "ruleIndex": 5,
              "level": "note",
              "message": {
                "id": "Note_ProvideFriendlyName",
                "arguments": [
                  "runs[0].tool.driver.rules[5]",
                  "CA1822"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 261,
                      "startColumn": 13
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2016",
              "ruleIndex": 6,
              "level": "note",
              "message": {
                "id": "Note_Default",
                "arguments": [
                  "runs[0].results[1].locations[0].physicalLocation.artifactLocation.uri",
                  "file:///C:/Projects/SarifCategoryDemo/Class1.cs"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 34,
                      "startColumn": 74
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2016",
              "ruleIndex": 6,
              "level": "note",
              "message": {
                "id": "Note_Default",
                "arguments": [
                  "runs[0].results[2].locations[0].physicalLocation.artifactLocation.uri",
                  "file:///C:/Projects/SarifCategoryDemo/Class1.cs"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 60,
                      "startColumn": 74
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2016",
              "ruleIndex": 6,
              "level": "note",
              "message": {
                "id": "Note_Default",
                "arguments": [
                  "runs[0].results[3].locations[0].physicalLocation.artifactLocation.uri",
                  "file:///C:/Projects/SarifCategoryDemo/Class1.cs"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 86,
                      "startColumn": 74
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2016",
              "ruleIndex": 6,
              "level": "note",
              "message": {
                "id": "Note_Default",
                "arguments": [
                  "runs[0].results[4].locations[0].physicalLocation.artifactLocation.uri",
                  "file:///C:/Projects/SarifCategoryDemo/Class1.cs"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 112,
                      "startColumn": 74
                    }
                  }
                }
              ]
            },
            {
              "ruleId": "SARIF2016",
              "ruleIndex": 6,
              "level": "note",
              "message": {
                "id": "Note_Default",
                "arguments": [
                  "runs[0].results[5].locations[0].physicalLocation.artifactLocation.uri",
                  "file:///C:/Projects/SarifCategoryDemo/Class1.cs"
                ]
              },
              "locations": [
                {
                  "physicalLocation": {
                    "artifactLocation": {
                      "uri": "file:///C:/TEMP/log.sarif",
                      "index": 0
                    },
                    "region": {
                      "startLine": 138,
                      "startColumn": 74
                    }
                  }
                }
              ]
            }
          ],
          "tool": {
            "driver": {
              "name": "Sarif.Multitool",
              "organization": "Microsoft",
              "product": "Microsoft SARIF SDK",
              "fullName": "Sarif.Multitool 2.4.16.0",
              "version": "2.4.16.0",
              "semanticVersion": "2.4.16",
              "rules": [
                {
                  "id": "SARIF2002",
                  "name": "ProvideMessageArguments",
                  "fullDescription": {
                    "text": "In result messages, use the 'message.id' and 'message.arguments' properties rather than 'message.text'. This has several advantages. If 'text' is lengthy, using 'id' and 'arguments' makes the SARIF file smaller. If the rule metadata is stored externally to the SARIF log file, the message text can be improved (for example, by adding more text, clarifying the phrasing, or fixing typos), and the result messages will pick up the improvements the next time it is displayed. Finally, SARIF supports localizing messages into different languages, which is possible if the SARIF file contains 'message.id' and 'message.arguments', but not if it contains 'message.text' directly."
                  },
                  "messageStrings": {
                    "Note_Default": {
                      "text": "{0}: The 'message' property of this result contains a 'text' property. Consider replacing it with 'id' and 'arguments' properties. This potentially reduces the log file size, allows the message text to be improved without modifying the log file, and enables localization."
                    }
                  },
                  "defaultConfiguration": {
                    "level": "note"
                  },
                  "helpUri": "http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html"
                },
                {
                  "id": "SARIF2003",
                  "name": "ProvideVersionControlProvenance",
                  "fullDescription": {
                    "text": "Provide 'versionControlProvenance' to record which version of the code was analyzed, and to enable paths to be expressed relative to the root of the repository."
                  },
                  "messageStrings": {
                    "Note_Default": {
                      "text": "{0}: This run does not provide 'versionControlProvenance'. As a result, it is not possible to determine which version of code was analyzed, nor to map relative paths to their locations within the repository."
                    }
                  },
                  "defaultConfiguration": {
                    "level": "note"
                  },
                  "helpUri": "http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html"
                },
                {
                  "id": "SARIF2005",
                  "name": "ProvideToolProperties",
                  "fullDescription": {
                    "text": "Provide information that makes it easy to identify the name and version of your tool.\r\n\r\nThe tool's 'name' property should be no more than three words long. This makes it easy to remember and allows it to fit into a narrow column when displaying a list of results. If you need to provide more information about your tool, use the 'fullName' property.\r\n\r\nThe tool should provide either or both of the 'version' and 'semanticVersion' properties. This enables the log file consumer to determine whether the file was produced by an up to date version, and to avoid accidentally comparing log files produced by different tool versions.\r\n\r\nIf 'version' is used, facilitate comparison between versions by specifying a version number that starts with an integer, optionally followed by any desired characters."
                  },
                  "messageStrings": {
                    "Warning_ProvideToolVersion": {
                      "text": "{0}: The tool '{1}' does not provide any of the version-related properties {2}. Providing version information enables the log file consumer to determine whether the file was produced by an up to date version, and to avoid accidentally comparing log files produced by different tool versions."
                    },
                    "Warning_ProvideConciseToolName": {
                      "text": "{0}: The tool name '{1}' contains {2} words, which is more than the recommended maximum of {3} words. A short tool name is easy to remember and fits into a narrow column when displaying a list of results. If you need to provide more information about your tool, use the 'fullName' property."
                    },
                    "Warning_UseNumericToolVersions": {
                      "text": "{0}: The tool '{1}' contains the 'version' property '{2}', which is not numeric. To facilitate comparison between versions, specify a 'version' that starts with an integer, optionally followed by any desired characters."
                    },
                    "Warning_ProvideToolnformationUri": {
                      "text": "{0}: The tool '{1}' does not provide 'informationUri'. This property helps the developer responsible for addessing a result by providing a way to learn more about the tool."
                    }
                  },
                  "helpUri": "http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html"
                },
                {
                  "id": "SARIF2010",
                  "name": "ProvideCodeSnippets",
                  "fullDescription": {
                    "text": "Provide code snippets to enable users to see the code that triggered each result, even if they are not enlisted in the code."
                  },
                  "messageStrings": {
                    "Note_Default": {
                      "text": "{0}: The 'region' object in this result location does not provide a 'snippet' property. Providing a code snippet enables users to see the code that triggered the result, even if they are not enlisted in the code."
                    }
                  },
                  "defaultConfiguration": {
                    "level": "note"
                  },
                  "helpUri": "http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html"
                },
                {
                  "id": "SARIF2011",
                  "name": "ProvideContextRegion",
                  "fullDescription": {
                    "text": "Provide context regions to enable users to see a portion of the code that surrounds each result, even if they are not enlisted in the code."
                  },
                  "messageStrings": {
                    "Note_Default": {
                      "text": "{0}: This result location does not provide a 'contextRegion' property. Providing a context region enables users to see a portion of the code that surrounds the result, even if they are not enlisted in the code."
                    }
                  },
                  "defaultConfiguration": {
                    "level": "note"
                  },
                  "helpUri": "http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html"
                },
                {
                  "id": "SARIF2012",
                  "name": "ProvideRuleProperties",
                  "fullDescription": {
                    "text": "Rule metadata should provide information that makes it easy to understand and fix the problem.\r\n\r\nProvide the 'name' property, which contains a \"friendly name\" that helps users see at a glance the purpose of the rule. For uniformity of experience across all tools that produce SARIF, the friendly name should be a single Pascal-case identifier, for example, 'ProvideRuleFriendlyName'.\r\n\r\nProvide the 'helpUri' property, which contains a URI where users can find detailed information about the rule. This information should include a detailed description of the invalid pattern, an explanation of why the pattern is poor practice (particularly in contexts such as security or accessibility where driving considerations might not be readily apparent), guidance for resolving the problem (including describing circumstances in which ignoring the problem altogether might be appropriate), examples of invalid and valid patterns, and special considerations (such as noting when a violation should never be ignored or suppressed, noting when a violation could cause downstream tool noise, and noting when a rule can be configured in some way to refine or alter the analysis)."
                  },
                  "messageStrings": {
                    "Note_FriendlyNameNotAPascalIdentifier": {
                      "text": "{0}: '{1}' is not a Pascal-case identifier. For uniformity of experience across all tools that produce SARIF, the friendly name should be a single Pascal-case identifier, for example, 'ProvideRuleFriendlyName'."
                    },
                    "Note_ProvideFriendlyName": {
                      "text": "{0}: The rule '{1}' does not provide a \"friendly name\" in its 'name' property. The friendly name should be a single Pascal-case identifier, for example, 'ProvideRuleFriendlyName', that helps users see at a glance the purpose of the analysis rule."
                    },
                    "Note_ProvideHelpUri": {
                      "text": "{0}: The rule '{1}' does not provide a help URI. Providing a URI where users can find detailed information about the rule helps users to understand the result and how they can best address it."
                    },
                    "Note_ProvideMetadataForAllViolatedRules": {
                      "text": "'{0}' does not provide a 'rules' property. 'rules' contain information that helps users understand why each rule fires and what the user can do to fix it."
                    },
                    "Note_ProvideRuleMetadata": {
                      "text": "'{0}' does not provide metadata for rule '{1}'. Rule metadata contains information that helps the user understand why each rule fires and what the user can do to fix it."
                    }
                  },
                  "defaultConfiguration": {
                    "level": "note"
                  },
                  "helpUri": "http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html"
                },
                {
                  "id": "SARIF2016",
                  "name": "FileUrisShouldBeRelative",
                  "fullDescription": {
                    "text": "When an artifact location refers to a file on the local file system, specify a relative reference for the uri property and provide a uriBaseId property, rather than specifying an absolute URI.\r\n\r\nThere are several advantages to this approach:\r\n\r\nPortability: A log file that contains relative references together with uriBaseI properties can be interpreted on a machine where the files are located at a different absolute location.\r\n\r\nDeterminism: A log file that uses uriBaseId properties has a better chance of being 'deterministic'; that is, of being identical from run to run if none of its inputs have changed, even if those runs occur on machines where the files are located at different absolute locations.\r\n\r\nSecurity: The use of uriBaseId properties avoids the persistence of absolute path names in the log file. Absolute path names can reveal information that might be sensitive.\r\n\r\nSemantics: Assuming the reader of the log file (an end user or another tool) has the necessary context, they can understand the meaning of the location specified by the uri property, for example, 'this is a source file'."
                  },
                  "messageStrings": {
                    "Note_Default": {
                      "text": "{0}: The file location '{1}' is specified with absolute URI. Prefer a relative reference together with a uriBaseId property."
                    },
                    "Note_ShouldNotContainBackSlash": {
                      "text": "{0}: The relative file URL '{1}' contains one or more backslashes, which will be preserved when concatenating to an absolute URL. This can result in inconsistent representations, compared to URLs created from an absolute file path, which may be regarded as not equivalent. Replace all backslashes with forward slashes."
                    },
                    "Note_ShouldNotStartWithSlash": {
                      "text": "{0}: The relative file URL '{1}' is prefixed with a leading slash, which can lead to unintended behavior when concatenating with absolute URLs. Remove the leading slash."
                    }
                  },
                  "defaultConfiguration": {
                    "level": "note"
                  },
                  "helpUri": "http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html"
                }
              ],
              "properties": {
                "Comments": "Command line tool to manipulate SARIF files."
              }
            }
          },
          "invocations": [
            {
              "startTimeUtc": "2022-07-25T10:02:48.492Z",
              "endTimeUtc": "2022-07-25T10:02:52.300Z",
              "executionSuccessful": true
            }
          ],
          "artifacts": [
            {
              "location": {
                "uri": "file:///C:/TEMP/log.sarif"
              }
            }
          ],
          "columnKind": "utf16CodeUnits"
        }
      ]
    }
    

    (This log was generated by running the https://github.com/microsoft/sarif-sdk/ validator on the SARIF log in https://github.com/tomasbjerre/violations-lib/issues/155#issuecomment-1193356552. The SARIF2002 notes recommend formatting SARIF logs in such a way that they require message string lookup.)

    opened by KalleOlaviNiemitalo 4
  • Use OWASP Java Encoder

    Use OWASP Java Encoder

    The OWASP Java Encoder is a high-performance encoding library. While I understand this is adding a dependency, the encoder project itself has no dependencies and is a very stable library.

    opened by jeremylong 2
Owner
Tomas Bjerre