Skip to content
Maven plugin that will find report files from static code analysis, present and optionally fail the build.
Java Shell
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
src
violations-maven-plugin-example [maven-release-plugin] prepare for next development iteration Sep 7, 2019
.gitignore
.travis.yml JDK11 Jun 12, 2019
CHANGELOG.md
LICENSE Initial Dec 24, 2017
README.md CodeClimate export Sep 7, 2019
_config.yml Initial Dec 24, 2017
build.sh
pom.xml
release.sh Automatically stepping dependencies Sep 23, 2018

README.md

Violations Maven Plugin

Build Status Maven Central Bintray

This is a Maven plugin for Violations Lib. There is also a Gradle plugin for this.

It can parse results from static code analysis and:

  • Report violations in the build log.
  • Optionally fail the build depending on violations found.

You can also do this with a command line tool.

A snippet of the output may look like this:

se/bjurr/violations/lib/example/OtherClass.java
╔══════════╤════════════╤══════════╤══════╤════════════════════════════════════════════════════╗
║ Reporter │ Rule       │ Severity │ Line │ Message                                            ║
╠══════════╪════════════╪══════════╪══════╪════════════════════════════════════════════════════╣
║ Findbugs │ MS_SHOULD_ │ INFO     │ 7    │ Field isn't final but should be                    ║
║          │ BE_FINAL   │          │      │                                                    ║
║          │            │          │      │                                                    ║
║          │            │          │      │    <p>                                             ║
║          │            │          │      │ This static field public but not final, and        ║
║          │            │          │      │ could be changed by malicious code or              ║
║          │            │          │      │         by accident from another package.          ║
║          │            │          │      │         The field could be made final to avoid     ║
║          │            │          │      │         this vulnerability.</p>                    ║
╟──────────┼────────────┼──────────┼──────┼────────────────────────────────────────────────────╢
║ Findbugs │ NM_FIELD_N │ INFO     │ 6    │ Field names should start with a lower case letter  ║
║          │ AMING_CONV │          │      │                                                    ║
║          │ ENTION     │          │      │                                                    ║
║          │            │          │      │   <p>                                              ║
║          │            │          │      │ Names of fields that are not final should be in mi ║
║          │            │          │      │ xed case with a lowercase first letter and the fir ║
║          │            │          │      │ st letters of subsequent words capitalized.        ║
║          │            │          │      │ </p>                                               ║
╚══════════╧════════════╧══════════╧══════╧════════════════════════════════════════════════════╝

Summary of se/bjurr/violations/lib/example/OtherClass.java
╔══════════╤══════╤══════╤═══════╤═══════╗
║ Reporter │ INFO │ WARN │ ERROR │ Total ║
╠══════════╪══════╪══════╪═══════╪═══════╣
║ Findbugs │ 2    │ 0    │ 0     │ 2     ║
╟──────────┼──────┼──────┼───────┼───────╢
║          │ 2    │ 0    │ 0     │ 2     ║
╚══════════╧══════╧══════╧═══════╧═══════╝


Summary
╔════════════╤══════╤══════╤═══════╤═══════╗
║ Reporter   │ INFO │ WARN │ ERROR │ Total ║
╠════════════╪══════╪══════╪═══════╪═══════╣
║ Checkstyle │ 4    │ 1    │ 1     │ 6     ║
╟────────────┼──────┼──────┼───────┼───────╢
║ Findbugs   │ 2    │ 2    │ 5     │ 9     ║
╟────────────┼──────┼──────┼───────┼───────╢
║            │ 6    │ 3    │ 6     │ 15    ║
╚════════════╧══════╧══════╧═══════╧═══════╝

Example of supported reports are available here.

A number of parsers have been implemented. Some parsers can parse output from several reporters.

Reporter Parser Notes
ARM-GCC CLANG
AndroidLint ANDROIDLINT
AnsibleLint FLAKE8 With -p
Bandit CLANG With bandit -r examples/ -f custom -o bandit.out --msg-template "{abspath}:{line}: {severity}: {test_id}: {msg}"
CLang CLANG
CPD CPD
CPPCheck CPPCHECK
CPPLint CPPLINT
CSSLint CSSLINT
Checkstyle CHECKSTYLE
CodeClimate CODECLIMATE
CodeNarc CODENARC
Detekt CHECKSTYLE With --output-format xml.
DocFX DOCFX
Doxygen CLANG
ERB CLANG With erb -P -x -T '-' "${it}" | ruby -c 2>&1 >/dev/null | grep '^-' | sed -E 's/^-([a-zA-Z0-9:]+)/${filename}\1 ERROR:/p' > erbfiles.out.
ESLint CHECKSTYLE With format: 'checkstyle'.
Findbugs FINDBUGS
Flake8 FLAKE8
FxCop FXCOP
GCC CLANG
Gendarme GENDARME
GoLint GOLINT
GoVet GOLINT Same format as GoLint.
GolangCI-Lint CHECKSTYLE With --out-format=checkstyle.
GoogleErrorProne GOOGLEERRORPRONE
IAR IAR With --no_wrap_diagnostics
Infer PMD Facebook Infer. With --pmd-xml.
JCReport JCREPORT
JSHint JSLINT With --reporter=jslint or the CHECKSTYLE parser with --reporter=checkstyle
JUnit JUNIT
KTLint CHECKSTYLE
Klocwork KLOCWORK
KotlinGradle KOTLINGRADLE Output from Kotlin Gradle Plugin.
KotlinMaven KOTLINMAVEN Output from Kotlin Maven Plugin.
Lint LINT A common XML format, used by different linters.
MSCpp MSCPP
Mccabe FLAKE8
MyPy MYPY
NullAway GOOGLEERRORPRONE Same format as Google Error Prone.
PCLint PCLINT PC-Lint using the same output format as the Jenkins warnings plugin, details here
PHPCS CHECKSTYLE With phpcs api.php --report=checkstyle.
PHPPMD PMD With phpmd api.php xml ruleset.xml.
PMD PMD
Pep8 FLAKE8
PerlCritic PERLCRITIC
PiTest PITEST
Puppet-Lint CLANG With -log-format %{fullpath}:%{line}:%{column}: %{kind}: %{message}
PyDocStyle PYDOCSTYLE
PyFlakes FLAKE8
PyLint PYLINT With pylint --output-format=parseable.
ReSharper RESHARPER
RubyCop CLANG With rubycop -f clang file.rb
SbtScalac SBTSCALAC
Scalastyle CHECKSTYLE
Simian SIMIAN
Sonar SONAR With mvn sonar:sonar -Dsonar.analysis.mode=preview -Dsonar.report.export.path=sonar-report.json. Removed in 7.7, see SONAR-11670 but can be retrieved with: curl --silent 'http://sonar-server/api/issues/search?componentKeys=unique-key&resolved=false' | jq -f sonar-report-builder.jq > sonar-report.json.
Spotbugs FINDBUGS
StyleCop STYLECOP
SwiftLint CHECKSTYLE With --reporter checkstyle.
TSLint CHECKSTYLE With -t checkstyle
XMLLint XMLLINT
YAMLLint YAMLLINT With -f parsable
ZPTLint ZPTLINT

Missing a format? Open an issue here!

Usage

There is a running example here.

The plugin needs to run after any static code analysis tools, so put it after them in the pom. Having the following in the pom will make the plugin run with mvn verify:

  <plugins>
   <plugin>
    <groupId>org.codehaus.mojo</groupId>
    <artifactId>findbugs-maven-plugin</artifactId>
    <version>3.0.5</version>
    <executions>
     <execution>
      <goals>
       <goal>check</goal>
      </goals>
     </execution>
    </executions>
   </plugin>
   <plugin>
    <groupId>se.bjurr.violations</groupId>
    <artifactId>violations-maven-plugin</artifactId>
    <version>X</version>
    <executions>
     <execution>
      <phase>verify</phase>
      <goals>
       <goal>violations</goal>
      </goals>
      <configuration>
       <!-- Optional config -->
       <!-- 0 is disabled -->
       <maxReporterColumnWidth>0</maxReporterColumnWidth>
       <maxRuleColumnWidth>10</maxRuleColumnWidth>
       <maxSeverityColumnWidth>0</maxSeverityColumnWidth>
       <maxLineColumnWidth>0</maxLineColumnWidth>
       <maxMessageColumnWidth>50</maxMessageColumnWidth>
     
       <!-- Global configuration, remove if you dont want to report violations 
            for the entire repo. -->
       <!-- INFO, WARN or ERROR -->
       <minSeverity>INFO</minSeverity>
       <!-- PER_FILE_COMPACT, COMPACT or VERBOSE -->
       <detailLevel>VERBOSE</detailLevel>
       <!-- Will fail the build if total number of found violations is higher -->
       <maxViolations>99999999</maxViolations>
       <!-- Will print violations found in diff -->
       <printViolations>true</printViolations>
       <!-- Will create a CodeClimate JSON report. -->
       <codeClimateFile>code-climate-file.json</codeClimateFile>
       <!-- Will create a normalized JSON report. -->
       <violationsFile>violations-file.json</violationsFile>
     
       <!-- Diff configuration, remove if you dont want to report violations 
            for files changed between specific revisions. -->
       <!-- Can be empty (ignored), Git-commit or any Git-reference -->
       <diffFrom></diffFrom>
       <!-- Same as above -->
       <diffTo></diffTo>
       <!-- INFO, WARN or ERROR -->
       <diffMinSeverity>INFO</diffMinSeverity>
       <!-- PER_FILE_COMPACT, COMPACT or VERBOSE -->
       <diffDetailLevel>VERBOSE</diffDetailLevel>
       <!-- Will fail the build if number of violations, in the diff within from/to, is higher -->
       <diffMaxViolations>99</diffMaxViolations>
       <!-- Will print violations found in diff -->
       <diffPrintViolations>true</diffPrintViolations>
       <!-- Where to look for Git -->
       <gitRepo>.</gitRepo>
     
     
       <!-- This is mandatory regardless of if you want to report violations 
            between revisions or the entire repo. -->
       <violations>
        <violation>
         <!-- Many more formats available, see:
              https://github.com/tomasbjerre/violations-lib
         -->
         <parser>FINDBUGS</parser>
         <reporter>Findbugs</reporter>
         <folder>.</folder>
         <pattern>.*/findbugsXml\.xml$</pattern>
        </violation>
       </violations>
      </configuration>
     </execution>
    </executions>
   </plugin>
  </plugins>
You can’t perform that action at this time.