mitchspano/sfdx-scan-pull-request

PMD results not populating

raghu-madireddy opened this issue · 4 comments

For some reason I am not able to see PMD results, and the scan always comes back as success. I can see errors on my local.

    # Workflow step running the scanner action (indentation fixed so the YAML parses)
    - name: Run SF scanner
      id: sf_code_scanner
      uses: mitchspano/sfdx-scan-pull-request@v0.1.14
      with:
        pmdconfig: 'pmd/deployRules.xml'   # custom PMD ruleset in the repo
        target: 'packge/package.xml'
        severity-threshold: 1              # only severity 1 findings fail the job
        engine: 'pmd'

Beginning sfdx-scan-pull-request run...
Validating that this action was invoked from an acceptable context...
Getting difference within the pull request ... { baseRef: 'develop', headRef: 'feature/release-test' }
From https://github.com/raghu-madireddy/salesforce-metadata-test
 * [new branch]        develop              -> destination/develop
 * [new branch]        feature/release-test -> destination/feature/release-test
 * [new branch]        main                 -> destination/main
(node:2683) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
Performing static code analysis on all of the files in the difference...
npx sfdx scanner:run --engine pmd --pmdconfig pmd/deployRules.xml --target ".github/workflows/ci.yml,.github/workflows/initial-checks.yml,.github/workflows/validate-develop.yml,.gitignore,force-app/main/default/classes/TestingReleasePMDTest.cls" --json
Filtering the findings to just the lines which are part of the pull request...
Creating Check Runs using GitHub REST API...

There are a few issues here:

  1. The latest version of the action is 0.1.15 - please upgrade to that.
  2. The scan only produces a finding if the entire scope of the PMD finding is present in the git diff, so not all findings will be reported on.
  3. Your target is limited to packge/package.xml, so it should only scan that XML file unless run from a pull request - in which case it will scan the files in the PR.
  4. Your report mode is check runs instead of comments, so those might render in a different spot than you are looking - here is an example of how they are rendered.
  5. Your severity-threshold is set to 1, so all 2s, 3s, 4s, and 5s will be treated as warnings, not errors, and will not result in the job being halted.

Thanks @mitchspano! Appreciate the quick help! I tested with the latest version, varying severity and different targets, but #2 was the issue in my case. I managed to see the results with the new class in the PR. Can we scan the entire class in case of class modifications?

Unfortunately, the GitHub REST API prevents us from creating a comment on lines which are outside the scope of the git diff, hence the check for total inclusion.
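The "total inclusion" filter described in the reply above (and in point 2 earlier), as an added JavaScript example that is not the action's own code: it derives the changed new-side line numbers from a unified diff and keeps only findings whose whole begin-to-end line span lies inside them. The diff, file path and PMD rule names in the sample data are constructed for illustration.

```javascript
// Added example (not the action's own code): the "total inclusion" filter.
// A PMD finding is reportable only if every line from beginLine to endLine
// was added or changed on the PR side of the diff; the sample data is constructed.
// Map each file to the set of new-side line numbers that were added in the diff.
function changedLinesByFile(unifiedDiff) {
  const result = new Map();
  let file = null;
  let newLine = 0;
  for (const line of unifiedDiff.split("\n")) {
    if (line.startsWith("+++ ")) {
      file = line.slice(4).replace(/^b\//, "");
      result.set(file, new Set());
    } else if (line.startsWith("@@")) {
      newLine = Number(/\+(\d+)/.exec(line)[1]); // first new-side line of the hunk
    } else if (file && line.startsWith("+")) {
      result.get(file).add(newLine++); // added line: exists only in the PR
    } else if (file && !line.startsWith("-")) {
      newLine++; // context line: on both sides, so not part of the change
    }
  }
  return result;
}
// Split findings into those fully inside the diff (reportable) and the rest.
function filterFindings(findings, changed) {
  const reported = [], dropped = [];
  for (const f of findings) {
    const lines = changed.get(f.fileName) || new Set();
    let covered = true;
    for (let n = f.beginLine; n <= f.endLine; n++) if (!lines.has(n)) covered = false;
    (covered ? reported : dropped).push(f);
  }
  return { reported, dropped };
}
const FILE = "force-app/main/default/classes/Example.cls"; // constructed path
const SAMPLE_DIFF = [ // constructed diff: one new method added to an existing class
  `--- a/${FILE}`, `+++ b/${FILE}`, "@@ -1,4 +1,7 @@",
  " public class Example {", "+    public void newMethod() {",
  "+        System.debug('x');", "+    }",
  "     public void oldMethod() {", "     }", " }",
].join("\n");
const SAMPLE_FINDINGS = [ // constructed PMD-style findings with their line spans
  { fileName: FILE, ruleName: "DebugsShouldUseLoggingLevel", beginLine: 3, endLine: 3 },
  { fileName: FILE, ruleName: "ApexDoc", beginLine: 1, endLine: 7 }, // whole class
  { fileName: FILE, ruleName: "EmptyStatementBlock", beginLine: 5, endLine: 6 },
];
function runExample() {
  return filterFindings(SAMPLE_FINDINGS, changedLinesByFile(SAMPLE_DIFF));
}
```

Only the finding on the newly added line 3 is reported; the class-level finding spanning lines 1-7 and the one on untouched lines 5-6 are dropped, which is why a rule whose scope is the whole class disappears when only part of the class changes.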

OK, that makes sense. Thanks for building this.