ezienecker/static-code-review-plugin
A plugin which comments the found bugs (by static code analyzer) to your merge request
= Static Code Review Plugin
image::https://img.shields.io/github/license/ezienecker/static-code-review-plugin.svg[License]
image::https://travis-ci.com/ezienecker/static-code-review-plugin.svg?branch=develop["Build Status", link="https://travis-ci.com/ezienecker/static-code-review-plugin"]
image::https://img.shields.io/maven-central/v/de.manuzid/static-code-review-plugin.svg?label=Maven%20Central["Maven Central", link="https://search.maven.org/search?q=g:%22de.manuzid%22%20AND%20a:%22static-code-review-plugin%22"]
![https://img.shields.io/github/license/ezienecker/static-code-review-plugin.svg[License]](https://img.shields.io/github/license/ezienecker/static-code-review-plugin.svg%5BLicense%5D){kind=link}
This plugin asks within a merge request for the changed files and analyzes the code with the help of static code analyzer (currently https://spotbugs.github.io/[SpotBugs] and https://arturbosch.github.io/detekt/[Detekt] but more are planned). The found bugs are then commented to the corresponding code location.
== Usage
Add the following to your pom.xml
[source,xml]
....
de.manuzid
static-code-review-plugin
2.0.0
verify
report
....
Execute the following command to run the plugin
[source,bash]
....
mvn verify -DprojectId=$CI_PROJECT_ID
-DmergeRequestIid=$CI_MERGE_REQUEST_IID
-Dauth.token=$GITLAB_AUTH_TOKEN
....
To exclude analyzer use the exclusion tag
[source,xml]
....
de.manuzid
static-code-review-plugin
2.0.0
spotbugs
verify
report-detekt
....
=== Samples
- https://gitlab.com/manuzid/static-code-review-plugin-sample-java[Java Sample]
- https://gitlab.com/manuzid/static-code-review-plugin-sample-kotlin[Kotlin Sample]
== Configuration
=== Required
|===
|Property |Default |Description
|gitUrl |If GitHub is activated: https://api.github.com, otherwise https://gitlab.com/ |The URL of the GitLab server
3+|One of the two must be given, either the projectId or repository
This depends on whether GitLab or GitHub is selected as the Git server.
GitLab needs the projectId and GitHub the repository name.
|projectId |None |The project in the form of an Integer(ID) or String(path)
|repository |None |Is a combination of owner und repository.
Owner is the account owner of the repository. The name is not case-sensitive.
Repository is the name of the repository. The name is not case-sensitive.
|mergeRequestIid |None |The internal ID of the merge request
|static-code-review.skip |false |If true, execution will be skipped entirely.
|isGitHub |false |If false then GitLab is selected as the Git server, otherwise GitHub is the Git server.
3+|One of the two must be given, either the auth.token or the basic auth (auth.username & auth.password).
Note that none of them must be protected, otherwise they cannot be read by the plugin.
|auth.token |None |The private token to use for access to the GitLab API
|auth.username |None |The username for basic auth with the GitLab server.
|auth.password |None |The password for basic auth with the GitLab server.
|===
=== Optional
|===
|Property |Default |Description
|proxy.serverAddress |None |The URI of the proxy server.
|proxy.username |None |The username for basic auth with the proxy server.
|proxy.password |None |The password for basic auth with the proxy server.
|applicationSources |src/main/java |Application/Library sources.
|exclusions |empty list |A list of strings containing the analyzers to be excluded.
|exclusion |None |Analyzer that should be excluded. Valid values: spotbugs, detekt
3+|SpotBugs Settings
|compiledClasses |classes |Compiled Application/Library sources.
|priorityThresholdLevel |3 |It specifies the confidence/priority threshold for reporting issues. 1 = High, 2 = Normal, 3 = Low, 4 = Ignored, 5 = Experimental.
|===
== Goal
=== Report
Used to run static code review plugin
== Hints
- Configuration Output
To be able to check at runtime how the plugin is configured, you need to run the maven command with debug output (-X).
[source,bash]
....
mvn verify -X -DprojectId=$CI_PROJECT_ID
-DmergeRequestIid=$CI_MERGE_REQUEST_IID
-Dauth.token=$GITLAB_AUTH_TOKEN
....
Then look for the following line [DEBUG] Configuring mojo 'de.manuzid:static-code-review-plugin and
you should see the following output.
[source,bash]
....
[DEBUG] Configuring mojo 'de.manuzid:static-code-review-plugin:1.1.0:report-detekt' with basic configurator -->
[DEBUG] (f) applicationSourcePath = src/main/kotlin
[DEBUG] (f) authToken =
[DEBUG] (f) compiledClassPath = classes
[DEBUG] (f) exclusions = [detekt]
[DEBUG] (f) gitUrl = https://gitlab.com/
[DEBUG] (f) mergeRequestIid = 1
[DEBUG] (f) project = MavenProject: de.manuzid:static-code-review-plugin-sample-kotlin:1.0.0 @ /Users/manuzid/public-projects/static-code-review-plugin-sample/static-code-review-plugin-sample-kotlin/pom.xml
[DEBUG] (f) projectId = 17068115
[DEBUG] (f) skip = false
[DEBUG] -- end configuration --
....
- Detekt Configuration
In order to resolve the path to the file to be commented on correctly, it is mandatory that the applicationSources is
specified when analyzing Kotlin files.
== Releasing
Creating a new release involves the following steps:
. ./mvnw gitflow:release-start gitflow:release-finish
. git push origin master
. git push --tags
. git push origin develop