code-scanning-rubocop 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 739a88bd1b19ec2ee128962c43c90c7c3680e2e04ad8cfb98feb9773aa7419d8
-  data.tar.gz: f7f7aaa9fc8607ffe535494dcbfcd9ea1ac17620bba8073a9a67859064c45e28
+  metadata.gz: f4e32fd700366fde1538d35a360bb632a31ad42a1199653c3f4ec2a00ae94ae6
+  data.tar.gz: 99f87d64f5287e712b0375f4e9d7fa840aeddf8fb619a0600f3aa1b5442f4d66
 SHA512:
-  metadata.gz: 8c48865aedc4968ed50c8d6dfb1ae3e42b8b44fde53a82219e0b47bafcc0b51b84cb29642d7e29db5759caec0345a953a7940928bc85396aacbee393deb35ffe
-  data.tar.gz: 33a344112b71cba3ab3a77411173cff7bc96a88fb4d2df3db9536edbb86aa6ececf57052950cf4098daf6df5e18bf15c41af1d4e8635102ec300948768f6003c
+  metadata.gz: ee4a2b0bdac90ecd2720874c9f5e55d2cef7763f3613a0ea4653f2533e7b065ea4763d0d6e347d602434ff377d7cbaa90ea9d429830ea0d964b5e23031fb9c59
+  data.tar.gz: e723dea9868724bd0bdcd50a05dce61fe1a9d6fcc9b7912618fd81b2aedf99045164dc25bc2f01b33f0630025ff3325b099cc9ba17ac19ea545bc6586084b3aa

data/.github/workflows/rubocop-analysis.yml

@@ -0,0 +1,34 @@
+name: "Rubocop"
+
+on: [push]
+
+jobs:
+  rubocop_job:
+    runs-on: ubuntu-latest
+    name: Code Scanning job run
+    strategy:
+      fail-fast: false
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
+
+    - name: Install dependencies
+      run: bundle install
+
+    - name: Rubocop run
+      run: |
+        bash -c "
+          bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
+          [[ $? -ne 2 ]]
+        "
+
+    - name: Upload Sarif output
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: rubocop.sarif

data/.github/workflows/ruby.yml

@@ -0,0 +1,23 @@
+name: Ruby
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
+    - name: Install dependencies
+      run: bundle install
+    - name: Run tests
+      run: bundle exec rake

data/.rubocop.yml

@@ -0,0 +1,46 @@
+inherit_from: .rubocop_todo.yml
+
+# The behavior of RuboCop can be controlled via the .rubocop.yml
+# configuration file. It makes it possible to enable/disable
+# certain cops (checks) and to alter their behavior if they accept
+# any parameters. The file can be placed either in your home
+# directory or in some project directory.
+#
+# RuboCop will start looking for the configuration file in the directory
+# where the inspected file is and continue its way up to the root directory.
+#
+# See https://github.com/rubocop-hq/rubocop/blob/master/manual/configuration.md
+
+Layout/LineLength:
+  Exclude:
+    - 'code-scanning-rubocop.gemspec'
+Layout/SpaceAroundMethodCallOperator:
+  Enabled: true
+
+Lint/RaiseException:
+  Enabled: true
+Lint/StructNewOverride:
+  Enabled: true
+
+Style/HashSyntax:
+  EnforcedStyle: ruby19
+Style/StringLiterals:
+  EnforcedStyle: double_quotes
+Style/ExponentialNotation:
+  Enabled: true
+Style/HashEachMethods:
+  Enabled: true
+Style/HashTransformKeys:
+  Enabled: true
+Style/HashTransformValues:
+  Enabled: true
+Style/ClassAndModuleChildren:
+  Exclude:
+    - 'test/**/*'
+
+Metrics/MethodLength:
+  Enabled: false
+Metrics/BlockLength:
+  Enabled: false
+Metrics/AbcSize:
+  Enabled: false

data/.rubocop_todo.yml

@@ -0,0 +1,14 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config`
+# on 2020-05-05 14:10:36 -0400 using RuboCop version 0.82.0.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+Style/Documentation:
+  Exclude:
+    - 'spec/**/*'
+    - 'test/**/*'
+    - 'lib/code_scanning.rb'
+    - 'lib/code_scanning/**/*'

data/Dockerfile

@@ -1,10 +1,5 @@
 FROM ruby:2.7.1
 
-# throw errors if Gemfile has been modified since Gemfile.lock
-RUN bundle config --global frozen 1
-
-RUN gem install code-scanning-rubocop -v0.2.0
-
 ARG GITHUB_WORKSPACE
 
 COPY entrypoint.sh /entrypoint.sh

data/Gemfile

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 source "https://rubygems.org"
 
 # Specify your gem's dependencies in code-scanning-rubocop.gemspec
 gemspec
 
-gem "rake", "~> 12.0"
 gem "minitest", "~> 5.0"
+gem "rake", "~> 12.0"

data/README.md

@@ -1,34 +1,82 @@
-# Code::Scanning::Rubocop
+# CodeScanning::Rubocop
 
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/code/scanning/rubocop`. To experiment with that code, run `bin/console` for an interactive prompt.
+'code-scanning-rubocop' is a gem to integrate Rubocop and the GitHub's code scanning feature.
+The repository is composed by two components. The gem which can be installed in any ruby application and a default GitHub action to ease the usage of it. 
 
-TODO: Delete this and the text above, and describe your gem
+The rubygem adds a SARIF exporter to the rubocop runner. GitHub's code scanning feature accepts a SARIF file with the 'results' (alerts) generated by the tool.
+The action, is what will run rubocop with the exporter. Note: you can only run the gem within your application, and have our own action that calls rubocop. See more in the Installation and Usage sections.
 
-## Installation
+This is how it would look in your Security tab:
+![preview](preview.png)
 
-Add this line to your application's Gemfile:
+## Action Installation 
 
-```ruby
-gem 'code-scanning-rubocop'
-```
+The easiest way to install the integration, is this action template bellow. It will install the gem in your app and run it for you within the GitHub's action enviroment. To install the action create a file `.github/workflows/rubocop-analysis.yml` like the following:
+
+```yaml
+# .github/workflows/rubocop-analysis.yml
+name: "Rubocop"
 
-And then execute:
+on: [push]
 
-    $ bundle install
+jobs:
+  rubocop:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
 
-Or install it yourself as:
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
 
-    $ gem install code-scanning-rubocop
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
 
-## Usage
+    # This step is not necessary if you add the gem to your Gemfile
+    - name: Install Code Scanning integration
+      run: bundle add code-scanning-rubocop --skip-install
+
+    - name: Install dependencies
+      run: bundle install
+
+    - name: Rubocop run
+      run: |
+        bash -c "
+          bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
+          [[ $? -ne 2 ]]
+        "
+
+    - name: Upload Sarif output
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: rubocop.sarif
+```
 
-TODO: Write usage instructions here
+## Gem installation & usage in a custom action
+Note: this is not necessary if you use the action above.
 
-## Development
+To install the gem add this line to your application's Gemfile:
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+```ruby
+gem 'code-scanning-rubocop'
+```
+
+Then, in your custom GitHub's action, you need to run rubocop and make sure you give it the SarifFormatter:
+```bash
+bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
+```
+
+As a last step, make sure you upload the `rubocop.sarif` file to the code-scan integration. That will create the Code Scanning alerts.
+Thus, add this step to your custom rubocop workflow:
+```yaml
+    - name: Upload Sarif output
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: rubocop.sarif
+```
 
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
 ## Contributing
 

data/Rakefile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "bundler/gem_tasks"
 require "rake/testtask"
 
@@ -7,4 +9,27 @@ Rake::TestTask.new(:test) do |t|
   t.test_files = FileList["test/**/*_test.rb"]
 end
 
-task :default => :test
+task :generate_rules do
+  require_relative "lib/code_scanning/rules_generator"
+
+  begin
+    output_file = "#{Time.now.strftime('%Y%m%d')}.sarif"
+    puts "Cloning rubocop repository to read manuals"
+    puts
+
+    sh "git clone git@github.com:rubocop-hq/rubocop.git _tmp"
+
+    gen = QHelpGenerator.new
+    Dir["_tmp/manual/cops_*.md"].each do |f|
+      gen.parse_file(f)
+    end
+    puts
+    puts "Writing rules help sarif to '#{output_file}' file"
+    puts
+    File.write(output_file, gen.sarif_json)
+  ensure
+    sh "rm -rf _tmp"
+  end
+end
+
+task default: :test

data/bin/console

@@ -1,7 +1,8 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 require "bundler/setup"
-require "code/scanning/rubocop"
+require "code_scanning"
 
 # You can add fixtures and/or initialization code here to make experimenting
 # with your gem easier. You can also use a different console, if you like.

data/code-scanning-rubocop.gemspec

@@ -1,7 +1,9 @@
-lib = File.expand_path("../lib", __FILE__)
+# frozen_string_literal: true
+
+lib = File.expand_path("lib", __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
-require_relative 'lib/code_scanning/rubocop/version'
+require_relative "lib/code_scanning/rubocop/version"
 
 Gem::Specification.new do |spec|
   spec.name          = "code-scanning-rubocop"
@@ -9,25 +11,24 @@ Gem::Specification.new do |spec|
   spec.authors       = ["Arthur Neves"]
   spec.email         = ["arthurnn@gmail.com"]
 
-  spec.summary       = %q{Extra formater to make rubocop compatible with GitHub's code-scanning feature.}
-  spec.description   = %q{This gem adds a SARIF formatter to rubocop, so we can export alerts to code-scanning inside GitHub.}
+  spec.summary       = "Extra formater to make rubocop compatible with GitHub's code-scanning feature."
+  spec.description   = "This gem adds a SARIF formatter to rubocop, so we can export alerts to code-scanning inside GitHub."
   spec.homepage      = "https://github.com/arthurnn/code-scanning-rubocop"
   spec.license       = "MIT"
   spec.required_ruby_version = Gem::Requirement.new(">= 2.3.0")
 
-
   spec.metadata["homepage_uri"] = spec.homepage
   spec.metadata["source_code_uri"] = "https://github.com/arthurnn/code-scanning-rubocop"
-  #spec.metadata["changelog_uri"] = "TODO: Put your gem's CHANGELOG.md URL here."
+  # spec.metadata["changelog_uri"] = "TODO: Put your gem's CHANGELOG.md URL here."
 
   # Specify which files should be added to the gem when it is released.
   # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
-  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
     `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   end
   spec.bindir        = "exe"
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.add_dependency 'rubocop', '~> 0.82.0'
+  spec.add_dependency "rubocop", "~> 0.82.0"
 end

data/entrypoint.sh

@@ -7,10 +7,9 @@ cd $GITHUB_WORKSPACE
 # Install correct bundler version
 gem install bundler -v "$(grep -A 1 "BUNDLED WITH" Gemfile.lock | tail -n 1)"
 
-bundle install
-
-bundle inject code-scanning-rubocop "$(gem list | grep code-scanning-rubocop | tr -cd '0-9.')"
+bundle add code-scanning-rubocop --version 0.2.0  --skip-install
 
+bundle install
 bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
 
 if [ ! -f rubocop.sarif ]; then

data/lib/code_scanning.rb

@@ -1,4 +1,8 @@
+# frozen_string_literal: true
+
+require "rubocop"
+
 module CodeScanning
 end
 
-require 'code_scanning/rubocop/sarif_formatter'
+require_relative "code_scanning/rubocop/sarif_formatter"

data/lib/code_scanning/rubocop/rule.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+require "pathname"
+
+module CodeScanning
+  class Rule
+    def initialize(cop_name, severity = nil)
+      @cop_name = cop_name
+      @severity = severity.to_s
+      @cop = RuboCop::Cop::Cop.registry.find_by_cop_name(cop_name)
+      @help = StringIO.new
+    end
+
+    def id
+      @cop_name
+    end
+
+    def append_help(line)
+      @help.print(line)
+    end
+
+    def help_empty?
+      @help.size.zero?
+    end
+
+    def ==(other)
+      badge.match?(other.badge)
+    end
+    alias eql? ==
+
+    def badge
+      @cop.badge
+    end
+
+    def sarif_severity
+      cop_severity = @cop.new.send(:find_severity, nil, @severity)
+      return cop_severity if %w[warning error].include?(cop_severity)
+      return "note" if %w[refactor convention].include?(cop_severity)
+      return "error" if cop_severity == "fatal"
+
+      "none"
+    end
+
+    # The URL for the docs are in this format:
+    # https://docs.rubocop.org/en/stable/cops_layout/#layoutblockendnewline
+    def query_uri
+      kind = badge.department.to_s.downcase
+      full_name = "#{kind}#{badge.cop_name.downcase}"
+      "https://docs.rubocop.org/en/stable/cops_#{kind}/##{full_name}"
+    end
+
+    def to_json(opts = {})
+      to_h.to_json(opts)
+    end
+
+    def cop_config
+      @config ||= RuboCop::ConfigStore.new.for(Pathname.new(Dir.pwd))
+      @cop_config ||= @config.for_cop(@cop.department.to_s)
+                             .merge(@config.for_cop(@cop))
+    end
+
+    def to_h
+      properties = {
+        "precision" => "very-high"
+      }
+
+      h = {
+        "id" => @cop_name,
+        "name" => @cop_name,
+        "defaultConfiguration" => {
+          "level" => sarif_severity
+        },
+        "properties" => properties
+      }
+
+      desc = cop_config["Description"]
+      unless desc.nil?
+        h["shortDescription"] = { "text" => desc }
+        h["fullDescription"] = { "text" => desc }
+        properties["description"] = desc
+      end
+
+      unless help_empty?
+        help = @help.string
+        h["help"] = {
+          "text" => help,
+          "markdown" => help
+        }
+        properties["queryURI"] = query_uri if badge.qualified?
+      end
+
+      if badge.qualified?
+        kind = badge.department.to_s
+        properties["tags"] = [kind.downcase]
+      end
+      h
+    end
+  end
+end

data/lib/code_scanning/rubocop/sarif_formatter.rb

@@ -1,91 +1,70 @@
 # frozen_string_literal: true
-require 'rubocop/formatter/base_formatter'
-require 'json'
-require 'pathname'
 
-module CodeScanning
+require "json"
+require_relative "rule"
 
+module CodeScanning
   class SarifFormatter < RuboCop::Formatter::BaseFormatter
     def initialize(output, options = {})
       super
-      @sarif = {}
-    end
-
-    def started(_target_files)
-      @sarif['$schema'] = 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json'
-      @sarif['version'] = '2.1.0'
+      # rubocop:disable Layout/LineLength
+      @sarif = {
+        "$schema" => "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+        "version" => "2.1.0"
+      }
+      # rubocop:enable Layout/LineLength
       @rules_map = {}
-      @results = []
       @rules = []
-      @sarif['runs'] = [
-        { 'tool' => {
-            'driver' => { 'name' => 'Rubocop', 'rules' => @rules }
+      @results = []
+      @sarif["runs"] = [
+        {
+          "tool" => {
+            "driver" => { "name" => "Rubocop", "rules" => @rules }
           },
-          'results' => @results }
+          "results" => @results
+        }
       ]
     end
 
-    Rule = Struct.new(:name, :index)
-
-    def set_rule(cop_name, severity)
-      if r = @rules_map[cop_name]
-        return r
+    def get_rule(cop_name, severity)
+      r = @rules_map[cop_name]
+      if r.nil?
+        rule = Rule.new(cop_name, severity&.name)
+        r = @rules_map[cop_name] = [rule, @rules.size]
+        @rules << rule
       end
 
-      desc = RuboCop::ConfigLoader.default_configuration[cop_name]['Description']
-      h = {
-        'id' => cop_name, 'name' => cop_name,
-        'shortDescription' => {
-          'text' => desc
-        },
-        'fullDescription' => {
-          'text' => desc
-        },
-        'defaultConfiguration' => {
-          'level' => sarif_severity(severity)
-        },
-        'properties' => {}
-      }
-      @rules << h
-      @rules_map[cop_name] = Rule.new(cop_name, @rules.size - 1)
-    end
-
-    def sarif_severity(cop_severity)
-      return cop_severity if %w[warning error].include?(cop_severity)
-      return 'note' if %w[refactor convention].include?(cop_severity)
-      return 'error' if cop_severity == 'fatal'
-      'none'
+      r
     end
 
     def file_finished(file, offenses)
       relative_path = RuboCop::PathUtil.relative_path(file)
 
       offenses.each do |o|
-        rule = set_rule(o.cop_name, o.severity.name.to_s)
-
+        rule, rule_index = get_rule(o.cop_name, o.severity)
         @results << {
-          "ruleId" => rule.name,
-          'ruleIndex' => rule.index,
-          'message' => {
-            'text' => o.message
+          "ruleId" => rule.id,
+          "ruleIndex" => rule_index,
+          "message" => {
+            "text" => o.message
           },
-          'locations' => [
+          "locations" => [
             {
-              'physicalLocation' => {
-                'artifactLocation' => {
-                  'uri' => relative_path,
-                  'uriBaseId' => '%SRCROOT%',
-                  'index' => 0
+              "physicalLocation" => {
+                "artifactLocation" => {
+                  "uri" => relative_path,
+                  "uriBaseId" => "%SRCROOT%",
+                  "index" => 0
                 },
-                'region' => {
-                  'startLine' => o.first_line,
-                  'startColumn' => o.column,
-                  'endColumn' => o.last_column
+                "region" => {
+                  "startLine" => o.line,
+                  "startColumn" => o.real_column,
+                  "endColumn" => o.last_column
                 }
               }
             }
           ],
-          'partialFingerprints' => {
+          "partialFingerprints" => {
             # This will be computed by the upload action for now
           }
         }
@@ -93,8 +72,11 @@ module CodeScanning
     end
 
     def finished(_inspected_files)
-      json = JSON.pretty_generate(@sarif)
-      output.print(json)
+      output.print(sarif_json)
+    end
+
+    def sarif_json
+      JSON.pretty_generate(@sarif)
     end
   end
 end

data/lib/code_scanning/rubocop/version.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
 module CodeScanning
   module Rubocop
-    VERSION = "0.2.0"
+    VERSION = "0.3.0"
   end
 end

data/lib/code_scanning/rules_generator.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require_relative "../code_scanning"
+
+class QHelpGenerator
+  def initialize
+    @formatter = CodeScanning::SarifFormatter.new(nil)
+  end
+
+  def parse_file(path_to_file)
+    file = File.open(path_to_file)
+    current_rule = nil
+    file.each_with_index do |line, index|
+      # title: skip
+      next if index.zero?
+
+      if line[0..2] == "## "
+        current_cop = line[3..-2]
+        current_rule, _index = @formatter.get_rule(current_cop, nil)
+        next
+      end
+
+      next if current_rule.nil?
+      if line == "\n" && current_rule.help_empty?
+        # Don't start the help text with new lines
+        next
+      end
+
+      current_rule.append_help(line)
+    end
+  end
+
+  def sarif_json
+    @formatter.sarif_json
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: code-scanning-rubocop
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Arthur Neves
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-05-05 00:00:00.000000000 Z
+date: 2020-05-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rubocop
@@ -32,7 +32,11 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/rubocop-analysis.yml"
+- ".github/workflows/ruby.yml"
 - ".gitignore"
+- ".rubocop.yml"
+- ".rubocop_todo.yml"
 - CODE_OF_CONDUCT.md
 - Dockerfile
 - Gemfile
@@ -45,8 +49,11 @@ files:
 - code-scanning-rubocop.gemspec
 - entrypoint.sh
 - lib/code_scanning.rb
+- lib/code_scanning/rubocop/rule.rb
 - lib/code_scanning/rubocop/sarif_formatter.rb
 - lib/code_scanning/rubocop/version.rb
+- lib/code_scanning/rules_generator.rb
+- preview.png
 - rubocop-action/action.yml
 homepage: https://github.com/arthurnn/code-scanning-rubocop
 licenses: