This project is a fork of pylint-sonarjson, which is not maintained anymore.
With authorization of the original owners, we are now pushing updates on PyPI begining at pylint-sonarjson 2.0.0.
A PyLint plugin that can output to SonarQube-importable JSON with configurable issue severity, effort, and type.
This is useful because when importing PyLint's parsable output via SonarQube mechanism for third-party issues all the severities are set to MAJOR. With pylint-sonarjson-catlab you can configure the issue severity per PyLint message ID, and import that as generic JSON in SonarQube.
pylint \
--load-plugins=pylint_sonarjson \
--output-format=sonarjson \
--sonar-rules=<msg_id>:<severity>[:<effort>[:<type>]],... \
--sonar-default-severity=<severity> \
--sonar-default-effort=<effort> \
--sonar-default-type=<type> \
--only-enable-sonar-rules=<y or n> \
--halt-on-invalid-sonar-rules=<y or n> \
[...]
The plugin provides a new option sonar-rules that can configure the severity, effort, and type of the issue as it would appear in SonarQube. The option takes a comma-separated list whose items are of the form <msg_id>:<severity>:<effort>:<type>.
The effort and type are optional and may be omitted.
In addition, the default severity, effort, and type for messages that are not listed in sonar-rules can respectively be set with sonar-default-severity, sonar-default-effort, sonar-default-type. They default to MINOR, 5, and CODE_SMELL respectively.
Setting the option only-enable-sonar-rules to y disables all messages except for those specified in sonar-rules. It is equivalent to --disable=all --enable=<msg_id>,... where <msg_id>,... are the message IDs specified in sonar-rules. The default value of only-enable-sonar-rules is n.
Lastly, enabling the option halt-on-invalid-sonar-rules will cause the plugin to raise an exception when a rule given in sonar-rules does not exist in Pylint and halt. Disabling this option will instead only report the invalid rule on stderr but will otherwise ignore the invalid rule. The default value of halt-on-invalid-sonar-rules is y.`
For example:
pylint \
--load-plugins=pylint_sonarjson \
--output-format=sonarjson \
--sonar-rules=C0114:INFO:10,C0328:MINOR:1 \
my_file.py
Output:
{
"issues": [
{
"engineId": "PYLINT",
"ruleId": "C0114",
"type": "CODE_SMELL",
"primaryLocation": {
"message": "Missing module docstring",
"filePath": "my_file.py",
"textRange": {
"startLine": 1,
"startColumn": 0
}
},
"severity": "INFO",
"effortMinutes": 10
}
]
}
This output, when saved to a file, can be imported into SonarQube as follows:
sonar-scanner -Dsonar.externalIssuesReportPaths=<path_to_pylint_sonarjson_catlab_log>
pip install pylint-sonarjson-catlab
Instead of via the command line, the plugin can be configured via a pylintrc file or via pyproject.toml,
as described in the Pylint documentation.
Here is an exampe pylintrc file, generated with the --generate-rcfile command line option:
[MAIN]
load-plugins=pylint_sonarjson
[REPORTS]
output-format=sonarjson
[SONARQUBE JSON OUTPUT]
# If enabled, an exception will be raised if a non-existing rule is given in
# --sonar-rules and the plugin will halt. When disabled, non-existing rules
# will be reported on stderr but are otherwise ignored.
halt-on-invalid-sonar-rules=yes
# Only enable messages specified in --sonar-rules.
only-enable-sonar-rules=no
# Number of effort minutes for rules not specified in --sonar-rules.
sonar-default-effort=5
# Issue severity for rules not specified in --sonar-rules.
sonar-default-severity=MINOR
# Type of SonarQube issue for rules not specified in --sonar-rules.
sonar-default-type=CODE_SMELL
# Comma-separated list of rules, their severity, and the minutes of efforts to
# fix the issues. The syntax is <message id>:<severity>[:<effort
# minutes>[:<type>]].
sonar-rules=C0114:INFO:10,C0328:MINOR:1
Similar output for pyproject.toml can be generated with the --generate-toml-config command line option.
FAQs
A PyLint plugin that can output to SonarQube-importable JSON
We found that pylint-sonarjson demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.