Bundle new sarif output format by default #3268
Conversation
Codecov Report

@@ Coverage Diff @@
##             master    #3268      +/-   ##
============================================
- Coverage     80.07%   80.01%   -0.07%
- Complexity     2653     2655       +2
============================================
  Files           443      443
  Lines          8096     8106      +10
  Branches       1540     1541       +1
============================================
+ Hits           6483     6486       +3
- Misses          789      795       +6
- Partials        824      825       +1

Continue to review full report at Codecov.
The change looks good to me.
@arturbosch has the most context on the SARIF front. I'd rather wait for a review from him.
I think that Artur added this as a first-party plugin and not as a core feature. But I have no idea about the reason. But I agree that we need documentation about this feature in both cases.
It would also be nice if we could run GitHub checks to display the detekt violations embedded in the code panel of any PR, don't you agree :) I am doing this for my company since we recently moved to GitHub to host our code.
The changes look good! Thank you for trying out and testing the SARIF support of detekt! 🙂
Please let me reply to the questions.

> I think that Artur added this as a first-party plugin and not as a core feature. But I have no idea about the reason. But I agree that we need documentation about this feature in both cases.

The idea behind the feature was that users can try it out with `--plugins detekt-report-sarif.jar`. Please consider SARIF support as being in beta state at the moment.
Please also take a look at issue #3132. Some details have been discussed there.

> It would also be nice if we could run GitHub checks to display the detekt violations embedded in the code panel of any PR, don't you agree :)
> Eventually, when most analysis tools have adopted SARIF, having SARIF as core support definitely makes more sense.

I completely agree. This is planned to be part of detekt's core.
Thank you for the response.
@schalkms To keep it as "beta" or experimental, do you think it is a good idea to set enabled = false by default unless the user turns it on specifically?
Yep, that's one of the common use cases. 🙂
I don't have a strong preference here. Having it disabled for now is fine, as you have done.
It looks like this PR is waiting for a review from @arturbosch, is that correct?
@chao2zhang yes, indeed.
Code looks good, thx! Yes, @BraisGabin is right, I intentionally did not bundle the plugin in Adding plugins is as easy as specifying
+1
I believe that with the future SARIF adoption and popularity, this argument for putting it into core should be stronger. Usually, the app size matters more, and detekt is not bundled into the artifact of an application. But I do agree that we should be mindful of network usage and disk usage. For networks with pay-by-usage, or big companies where they have their own clone of the Artifactory, this is a good concern. Fun fact: I have been running out of disk space almost once a month on my laptop. I created this PR to softly unblock me from implementing #3274. This PR is not a hard blocker.
+1. I don't get why we should sort the output of a JSON. It goes against the format. If we could ignore that, we could use Moshi instead of Jackson and reduce the bundle size a lot.
Imagine big projects with a lot of issues -> large JSON files.
* Hook up SARIF output
* Keep SARIF disabled by default
Well, technically we don't need to bundle any JSON encoding libraries. I just realized that the SARIF reporter by Android Lint is handcrafted JSON: https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-master-dev:lint/cli/src/main/java/com/android/tools/lint/SarifReporter.kt
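To make the handcrafted-JSON idea from the comment above concrete, here is an added example that is neither detekt's reporter nor Android Lint's: a minimal SARIF 2.1.0 writer in Kotlin built from strings only, so no JSON library has to be bundled, together with the string escaping such a writer must perform. `Finding` and `Location` are hypothetical stand-ins for detekt's own types, and the tool version and sample findings are constructed for the example.

```kotlin
// Added example, not detekt's or Android Lint's reporter: a minimal SARIF 2.1.0
// writer built from strings only, so no JSON library needs to be bundled.
// Finding and Location are hypothetical stand-ins for detekt's own types.

data class Location(val path: String, val line: Int, val column: Int)
data class Finding(val ruleId: String, val message: String, val location: Location)

// Escape text for use inside a JSON string literal (RFC 8259, section 7).
// A hand-rolled writer that skips this step produces invalid SARIF as soon as a
// file name or rule message contains a quote, backslash or control character,
// and a message could otherwise inject extra JSON members into the result.
fun jsonEscape(s: String): String {
    val sb = StringBuilder(s.length + 8)
    for (c in s) {
        when (c) {
            '"' -> sb.append("\\\"")
            '\\' -> sb.append("\\\\")
            '\n' -> sb.append("\\n")
            '\r' -> sb.append("\\r")
            '\t' -> sb.append("\\t")
            '\b' -> sb.append("\\b")
            '\u000C' -> sb.append("\\f")
            else -> if (c < ' ') sb.append(String.format("\\u%04x", c.code)) else sb.append(c)
        }
    }
    return sb.toString()
}

// Emit the smallest SARIF log a code-scanning upload needs: one run, one tool
// driver, and one result per finding with a message and a physical location.
// Paths are written as relative URIs so the consumer can map them to the repo.
fun toSarif(toolName: String, toolVersion: String, findings: List<Finding>): String {
    val sb = StringBuilder()
    sb.append("{\n")
    sb.append("  \"\$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n")
    sb.append("  \"version\": \"2.1.0\",\n")
    sb.append("  \"runs\": [{\n")
    sb.append("    \"tool\": {\"driver\": {\"name\": \"${jsonEscape(toolName)}\", ")
    sb.append("\"version\": \"${jsonEscape(toolVersion)}\"}},\n")
    sb.append("    \"results\": [\n")
    findings.forEachIndexed { i, f ->
        sb.append("      {\"ruleId\": \"${jsonEscape(f.ruleId)}\", \"level\": \"warning\",\n")
        sb.append("       \"message\": {\"text\": \"${jsonEscape(f.message)}\"},\n")
        sb.append("       \"locations\": [{\"physicalLocation\": {\n")
        sb.append("         \"artifactLocation\": {\"uri\": \"${jsonEscape(f.location.path)}\"},\n")
        sb.append("         \"region\": {\"startLine\": ${f.location.line}, \"startColumn\": ${f.location.column}}}}]}")
        sb.append(if (i < findings.lastIndex) ",\n" else "\n")
    }
    sb.append("    ]\n")
    sb.append("  }]\n")
    sb.append("}\n")
    return sb.toString()
}

fun main() {
    // Constructed sample findings (not real detekt output). The second one carries
    // characters that break naive string concatenation.
    val findings = listOf(
        Finding("MagicNumber", "This expression contains a magic number.",
            Location("src/main/kotlin/App.kt", 12, 17)),
        Finding("MaxLineLength", "Line holds \"quoted\" text, a \\ backslash and\na line break",
            Location("src/main/kotlin/Odd \"Name\".kt", 3, 1))
    )
    print(toSarif("detekt", "0.0.0-example", findings))
}
```

The writer emits members in a fixed order of its own choosing, which is all a consumer may rely on: as the thread notes, JSON objects are unordered, so sorting keys buys nothing beyond stable diffs. The part that does matter for a library-free writer is `jsonEscape`; the second sample finding exists precisely to show that file names and messages taken from analyzed source can contain quotes, backslashes and newlines, and that the output still parses as valid SARIF.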
It is great to see that detekt is adding support for SARIF (#3045). As I was testing SARIF with GitHub code scanning, I found that there is a decent amount of working code, but we cannot generate SARIF output yet.
This PR should be the final step to fully integrate with SARIF. I tested locally in this repo and verified that the generated SARIF output passed validation.
I tried my best to update all places where report types appear, but I may still have missed a few.
This PR can also wait if we are planning to roll out SARIF in future versions of detekt.