Merge pull request #348 from h3xstream/spotbugs

SARIF support for Github action : Add the option to transform relative path to complete path

Author: hazendaz

src/it/sarif-2/invoker.properties

@@ -0,0 +1,4 @@
+invoker.goals = clean compile compiler:testCompile site
+
+# The expected result of the build, possible values are "success" (default) and "failure"
+invoker.buildResult = success

src/it/sarif-2/pom.xml

@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Copyright (C) 2006-2020 the original author or authors.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        https://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>spotbugs-maven-plugin.it</groupId>
+    <artifactId>common</artifactId>
+    <version>testing</version>
+    <relativePath>../common.xml</relativePath>
+  </parent>
+  <artifactId>sarif-2</artifactId>
+  <name>sarif-2</name>
+  <packaging>jar</packaging>
+  <reporting>
+    <excludeDefaults>true</excludeDefaults>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-jxr-plugin</artifactId>
+        <version>@jxrPluginVersion@</version>
+      </plugin>
+      <plugin>
+        <groupId>com.github.spotbugs</groupId>
+        <artifactId>spotbugs-maven-plugin</artifactId>
+        <configuration>
+          <sarifOutput>true</sarifOutput> <!-- SARIF is enabled here -->
+          <sarifFullPath>true</sarifFullPath> <!-- Full path expansion enabled -->
+          <includeTests>true</includeTests>
+        </configuration>
+      </plugin>
+    </plugins>
+  </reporting>
+</project>

src/it/sarif-2/verify.groovy

@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2006-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import groovy.json.JsonSlurper
+
+def effortLevel = 'default'
+
+
+File spotbugSarifFile = new File(basedir, 'target/spotbugsSarif.json')
+assert spotbugSarifFile.exists()
+
+
+println '**********************************'
+println "Checking SARIF file"
+println '**********************************'
+
+
+def String normalizePath(String path) {
+	return path.replaceAll("\\\\","/");
+}
+
+def slurpedResult = new JsonSlurper().parse(spotbugSarifFile)
+
+def results = slurpedResult.runs.results[0]
+
+for (result in slurpedResult.runs.results[0]) {
+
+    for (loc in result.locations) {
+        String location = normalizePath(loc.physicalLocation.artifactLocation.uri)
+        //Making sure that the path was expanded
+        assert location.contains("src/it-src/test/java") || location.contains("src/java") : "$location does not contain 'src/it-src/test/java'"
+    }
+}
+
+
+println "BugInstance size is ${results.size()}"
+
+
+assert results.size() > 0

src/main/groovy/org/codehaus/mojo/spotbugs/SourceFileIndexer.groovy

@@ -0,0 +1,148 @@
+package org.codehaus.mojo.spotbugs
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import org.apache.maven.execution.MavenSession
+import org.apache.maven.model.Resource
+import org.apache.maven.project.MavenProject
+
+import java.nio.file.Paths
+
+/**
+ * Utility class used to transform path relative to the <b>source directory</b>
+ * to their path relative to the <b>root directory</b>.
+ */
+class SourceFileIndexer {
+
+    /**
+     * List of source files found in the current Maven project
+     */
+    private List<String> allSourceFiles;
+
+    /**
+     * Initialize the complete list of source files with their
+     *
+     * @param project Reference to the Maven project to get the list of source directories
+     * @param session Reference to the Maven session used to get the location of the root directory
+     */
+    protected void buildListSourceFiles(MavenProject project, MavenSession session) {
+
+        //String basePath = project.basedir.absolutePath
+        String basePath = normalizePath(session.getExecutionRootDirectory())
+
+        def allSourceFiles = new ArrayList<>()
+        //Resource
+        for(Resource r in project.getResources()) {
+            scanDirectory(new File(r.directory), allSourceFiles, basePath)
+        }
+        for(Resource r in project.getTestResources()) {
+            scanDirectory(new File(r.directory), allSourceFiles, basePath)
+        }
+        //Source files
+        for(String sourceRoot in project.getCompileSourceRoots()) {
+            scanDirectory(new File(sourceRoot), allSourceFiles, basePath)
+        }
+        for(String sourceRoot in project.getTestCompileSourceRoots()) {
+            scanDirectory(new File(sourceRoot), allSourceFiles, basePath)
+        }
+
+        for(String sourceRoot in project.getScriptSourceRoots()) {
+            scanDirectory(new File(sourceRoot), allSourceFiles, basePath)
+        }
+
+        //While not perfect, add the following paths will add basic support for Kotlin and Groovy
+        scanDirectory(new File(project.getBasedir(),"src/main/webapp"), allSourceFiles, basePath)
+        scanDirectory(new File(project.getBasedir(),"src/main/groovy"), allSourceFiles, basePath)
+        scanDirectory(new File(project.getBasedir(),"src/main/kotlin"), allSourceFiles, basePath)
+
+        this.allSourceFiles = allSourceFiles
+    }
+
+    /**
+     * Recursively scan the directory given and add all files found to the files array list.
+     * The base directory will be truncated from the path stored.
+     *
+     * @param directory Directory to scan
+     * @param files ArrayList where files found will be stored
+     * @param baseDirectory This part will be truncated from path stored
+     * @throws IOException
+     */
+    private void scanDirectory(File directory,List<String> files,String baseDirectory) throws IOException {
+
+        if(directory.exists()) {
+            for(File child : directory.listFiles()) {
+                if(child.isDirectory()) {
+                    scanDirectory(child,files,baseDirectory);
+                }
+                else {
+                    String newSourceFile = normalizePath(child.canonicalPath)
+                    if(newSourceFile.startsWith(baseDirectory)) {
+                        //The project will not be at the root of our file system.
+                        //It will most likely be stored in a work directory.
+                        // /work/project-code-to-scan/src/main/java/File.java => src/main/java/File.java
+                        // (Here baseDirectory is /work/project-code-to-scan/)
+                        String relativePath = Paths.get(baseDirectory).relativize(Paths.get(newSourceFile))
+                        files.add(normalizePath(relativePath))
+                    }
+                    else {
+                        //Use the full path instead:
+                        //This will occurs in many cases including when the pom.xml is
+                        // not in the same directory tree as the sources.
+                        files.add(newSourceFile)
+                    }
+                }
+            }
+        }
+    }
+
+    /**
+     * Normalize path to use forward slash.
+     * This will facilitate searches.
+     *
+     * @param path Path to clean up
+     * @return Path safe to use for comparison
+     */
+    private String normalizePath(String path) {
+        return path.replaceAll("\\\\","/");
+    }
+
+    /**
+     * Transform partial path to complete path
+     *
+     * @param filename Partial name to search
+     * @return Complete path found. Null is not found!
+     */
+    protected String searchActualFilesLocation(String filename) {
+
+        if(allSourceFiles == null) {
+            throw new RuntimeException("Source files cache must be built prior to searches.")
+        }
+
+        for(String fileFound in allSourceFiles) {
+
+            if(fileFound.endsWith(filename)) {
+                return fileFound
+            }
+
+        }
+
+        return null //Not found
+    }
+}

src/main/groovy/org/codehaus/mojo/spotbugs/SpotBugsMojo.groovy

@@ -19,6 +19,8 @@ package org.codehaus.mojo.spotbugs
  * under the License.
  */
 
+import groovy.json.JsonBuilder
+
 import groovy.json.JsonSlurper
 import groovy.xml.XmlSlurper
 import groovy.xml.StreamingMarkupBuilder
@@ -28,7 +30,6 @@ import org.apache.maven.doxia.siterenderer.Renderer
 import org.apache.maven.doxia.tools.SiteTool
 
 import org.apache.maven.execution.MavenSession
-
 import org.apache.maven.plugin.MojoExecutionException
 
 import org.apache.maven.plugins.annotations.Component
@@ -78,6 +79,9 @@ class SpotBugsMojo extends AbstractMavenReport implements SpotBugsPluginsTrait {
     @Parameter(defaultValue = "false", property = "spotbugs.sarifOutput", required = true)
     boolean sarifOutput
 
+    @Parameter(defaultValue = "false", property = "spotbugs.sarifFullPath", required = true)
+    boolean sarifFullPath
+
     /**
      * Specifies the directory where the xml output will be generated.
      *
@@ -1040,13 +1044,14 @@ class SpotBugsMojo extends AbstractMavenReport implements SpotBugsPluginsTrait {
         long startTime, duration
 
         File xmlTempFile = new File("${project.build.directory}/spotbugsTemp.xml")
-        File sarifFile = new File("${project.build.directory}/spotbugsSarif.json")
+        File sarifTempFile = new File("${project.build.directory}/spotbugsTempSarif.json")
+        File sarifFinalFile = new File("${project.build.directory}/spotbugsSarif.json")
 
         if (xmlOutput || !sarifOutput) {
             forceFileCreation(xmlTempFile)
         }
         else {
-            forceFileCreation(sarifFile)
+            forceFileCreation(sarifTempFile)
         }
 
 
@@ -1064,7 +1069,7 @@ class SpotBugsMojo extends AbstractMavenReport implements SpotBugsPluginsTrait {
             log.debug("Plugin Artifacts to be added -> ${pluginArtifacts.toString()}")
             log.debug("outputFile is ${outputFile.getCanonicalPath()}")
             log.debug("output Directory is ${spotbugsXmlOutputDirectory.getAbsolutePath()}")
-            log.debug("TempFile is ${(sarifOutput ? sarifFile : xmlTempFile).getCanonicalPath()}");
+            log.debug("TempFile is ${(sarifOutput ? sarifTempFile : xmlTempFile).getCanonicalPath()}");
         }
 
         def ant = new AntBuilder()
@@ -1075,7 +1080,7 @@ class SpotBugsMojo extends AbstractMavenReport implements SpotBugsPluginsTrait {
             startTime = System.nanoTime()
         }
 
-        def spotbugsArgs = !sarifOutput ? getSpotbugsArgs(xmlTempFile) : getSpotbugsArgs(sarifFile)
+        def spotbugsArgs = !sarifOutput ? getSpotbugsArgs(xmlTempFile) : getSpotbugsArgs(sarifTempFile)
 
         def effectiveEncoding = System.getProperty("file.encoding", "UTF-8")
 
@@ -1193,19 +1198,50 @@ class SpotBugsMojo extends AbstractMavenReport implements SpotBugsPluginsTrait {
 
         }
 
-        if(sarifFile && sarifOutput) {
-            if (sarifFile.size() > 0) {
-                def path = new JsonSlurper().parse(sarifFile)
+        if(sarifTempFile && sarifOutput && sarifTempFile.size() > 0) {
 
-                try {
+            def slurpedResult = new JsonSlurper().parse(sarifTempFile)
+            def builder = new JsonBuilder(slurpedResult)
+
+            // With -Dspotbugs.sarifFullPath=true
+            // The location uri will be replace by path relative to the root of project
+            // SomeFile.java => src/main/java/SomeFile.java
+            //This change is required for some tool including Github code scanning API
+            if (sarifFullPath) {
+
+                def indexer = new SourceFileIndexer()
+
+                indexer.buildListSourceFiles(getProject(),getSession())
+
+                for (result in slurpedResult.runs.results[0]) {
+
+                    for (loc in result.locations) {
+                        def originalFullPath = loc.physicalLocation.artifactLocation.uri
+
+                        //We replace relative path to the complete path
+                        String newFileName = indexer.searchActualFilesLocation(originalFullPath)
+
+                        if (newFileName != null) {
+                            if(getLog().isDebugEnabled()) {
+                                getLog().info("$originalFullPath modified to $newFileName")
+                            }
+                            loc.physicalLocation.artifactLocation.uri = newFileName
+                        } else {
+                            getLog().warn("No source file found for $originalFullPath. " +
+                                    "The path include in the SARIF report could be incomplete.")
+                        }
+                    }
 
-                    def results = path.runs.results[0]
-                    log.debug("BugInstance size is ${results.size()}")
-                }
-                catch (Exception e) {
-                    log.error("Unexpected format for the file $sarifFile",e)
                 }
             }
+
+            sarifFinalFile.withWriter {
+                builder.writeTo(it)
+            }
+
+            if (!log.isDebugEnabled()) {
+                sarifTempFile.delete()
+            }
         }
 
     }