[MCHECKSTYLE-449] Add support for SARIF output format

[exiahuang]

Following this checklist to help us incorporate your
contribution quickly and easily:

• Make sure there is a JIRA issue filed
  for the change (usually before you start working on it). Trivial changes like typos do not
  require a JIRA issue. Your pull request should address just this issue, without
  pulling in other changes.
• Each commit in the pull request should have a meaningful subject line and body.
• Format the pull request title like [MCHECKSTYLE-XXX] - Fixes bug in ApproximateQuantiles,
  where you replace MCHECKSTYLE-XXX with the appropriate JIRA issue. Best practice
  is to use the JIRA issue title in the pull request title and in the first line of the
  commit message.
• Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
• Run mvn clean verify to make sure basic checks pass. A more thorough check will
  be performed on your pull request automatically.
• You have run the integration tests successfully (mvn -Prun-its clean verify).

If your pull request is about ~20 lines of code you don't need to sign an
Individual Contributor License Agreement if you are unsure
please ask on the developers list.

To make clear that you license your contribution under
the Apache License Version 2.0, January 2004
you have to acknowledge this by using the following check-box.

• I hereby declare this contribution to be licenced under the Apache License Version 2.0, January 2004

• In any other case, please file an Apache Individual Contributor License Agreement.

[exiahuang]

Add outputFileFormat support sarif.

[motlin]

I'm trying to use this and running into:

Caused by: java.lang.NoSuchMethodError: 'void com.puppycrawl.tools.checkstyle.SarifLogger.<init>(java.io.OutputStream, com.puppycrawl.tools.checkstyle.api.AutomaticBean$OutputStreamOptions)'
    at org.apache.maven.plugins.checkstyle.CheckstyleViolationCheckMojo.getListener (CheckstyleViolationCheckMojo.java:816)
    at org.apache.maven.plugins.checkstyle.CheckstyleViolationCheckMojo.execute (CheckstyleViolationCheckMojo.java:539)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:126)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:328)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:316)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:212)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:174)
    at org.apache.maven.lifecycle.internal.MojoExecutor.access$000 (MojoExecutor.java:75)
    at org.apache.maven.lifecycle.internal.MojoExecutor$1.run (MojoExecutor.java:162)
    at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute (DefaultMojosExecutionStrategy.java:39)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:159)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:105)
    at org.apache.maven.lifecycle.internal.builder.multithreaded.MultiThreadedBuilder$1.call (MultiThreadedBuilder.java:193)
    at org.apache.maven.lifecycle.internal.builder.multithreaded.MultiThreadedBuilder$1.call (MultiThreadedBuilder.java:180)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.Executors$RunnableAdapter.call (Executors.java:539)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1136)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:635)
    at java.lang.Thread.run (Thread.java:842)

My command is:

mvn checkstyle:check --activate-profiles 'checkstyle-semantics' -Dcheckstyle.output.format=sarif

My versions are:

        <profile>
            <id>checkstyle-semantics</id>

            <build>
                <plugins>
                    <plugin>
                        <artifactId>maven-checkstyle-plugin</artifactId>
                        <version>3.4.0</version>
                        <dependencies>
                            <dependency>
                                <groupId>com.puppycrawl.tools</groupId>
                                <artifactId>checkstyle</artifactId>
                                <version>10.17.0</version>
                            </dependency>
                        </dependencies>
                        <configuration>
                            <configLocation>checkstyle-configuration-semantics.xml</configLocation>
                            <outputFileFormat>sarif</outputFileFormat>
                        </configuration>
                        <executions>
                            <execution>
                                <id>checkstyle:check semantics</id>
                                <goals>
                                    <goal>check</goal>
                                </goals>
                                <phase>prepare-package</phase>
                            </execution>
                        </executions>
                    </plugin>
                </plugins>
            </build>
        </profile>

[michael-o]

@motlin, can you provide mvn -X of the plugin execution. I'd like to see the dep tree. This output confuses me.

[michael-o]

Hold on, 10.17.0 is a major version. Signatures might have changed from 9. You should check that first. If it runs with the stock one, then the issue is clear.

[motlin]

Downgrading to Checkstyle 9.3 seemed to work. It's not ideal since I use some newer checks.

[michael-o]

Downgrading to Checkstyle 9.3 seemed to work. It's not ideal since I use some newer checks.

This is something we cannot fix because Checkstyle raised to Java 11 some time ago.

[motlin]

Would it make sense to release versions of maven-checkstyle-plugin that are separately compatible with 9.x and 10.x?

[michael-o]

Would it make sense to release versions of maven-checkstyle-plugin that are separately compatible with 9.x and 10.x?

Technically yes, but not before the Doxia 2.0.0 stack has been integrated. That would force me to maintain four versions which I am not going to do.

[motlin]

Does anyone have an example of SARIF support working, all the way to adding annotations on a PR, using maven-checkstyle-plugin?

I've spent a few hours on this and I have the SARIF report being created and uploaded to GitHub but cannot get annotations to appear. One potential problem is that artifactLocation is an absolute path like this:

                "artifactLocation": {
                  "uri": "/home/runner/work/myproject/src/main/java/mypackage/MyClass.java"
                },

It looks like the Ant task accepts a basedir to configure the common prefix to strip. I'm concerned that this might not be the only issue, because I can't find any examples in GitHub OSS projects of this feature working.

[jira-importer]

Resolve #360