upgrade code analyzer to v5 #6386
I think there's more to change. The tool is completely different, different name, etc. It doesn't seem published as There would be also maybe some keys to change, some links, docs, etc. @nvuillam I think you know more about salesforce than me. How are we supposed to install it if it is not on npm like the others? and the lwc workaround, how do we handle that?
@echoix yes, you're absolutely right! I know this is a big change, and I'd love to have @nvuillam guidance on making the required changes. also I tried changing the old reference and syntax of sfdx-scanner to code-analyzer. I'll try building docker image and testing it with the changes (I'm relatively new to this)
| - "scanner:run" | ||
| - "--engine" | ||
| - "eslint-lwc" | ||
| - "code-analyzer run" |
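Review bot: the added `"code-analyzer run"` is a single list element, so the descriptor will hand the tool one argv token containing a space rather than the two tokens `code-analyzer` and `run`; split it into two items. The removed `--engine` / `eslint-lwc` pair also gets no replacement in this hunk, so whatever scoped the v4 invocation to the LWC engine is gone; confirm the v5 command has an equivalent option, otherwise the lwc descriptor is no longer restricted to LWC rules.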
@abdeslamads it's one line by argument, so in that case you'll need
- code-analyzer
- run
thanks for the PR :) It seems you are going the right path :) Tip: you can locally run the test classes so it might help ^^ -> https://megalinter.io/latest/contributing/#41-visual-studio-code-dev-containers + Python VsCode extensions, I'll try to document exactly how ASAP!
| cli_lint_mode: project | ||
| cli_help_extra_args: | ||
| - "scanner:run" | ||
| - "code-analyzer run" |
Maybe (I'm not sure though) the two args can be together. It may depend on the platform, but the container only runs on Linux, so there is only one OS to make it work.
@abdeslamads the CI was broken, I just fixed it, let's see what the tests say :)
…nerability' into renovate/actions-checkout-6.x
…rce-code-analyzer-version
This PR is being reviewed by Cursor Bugbot
| # Linter install | ||
| # renovate: datasource=npm depName=@salesforce/sfdx-scanner | ||
| ARG SALESFORCE_SFDX_SCANNER_VERSION=4.12.0 | ||
| ARG SALESFORCE_SFDX_SCANNER_VERSION=5.5.0 |
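Review bot: the renovate annotation `# renovate: datasource=npm depName=@salesforce/sfdx-scanner` directly above this ARG is left untouched while the pinned version jumps from 4.12.0 to 5.5.0, and the PR description says sfdx-scanner is being deprecated in favour of Code Analyzer; make sure `depName` (and the ARG name `SALESFORCE_SFDX_SCANNER_VERSION`) point at the package that actually publishes the 5.x series, otherwise renovate will keep tracking the old package and the version comment will drift from what the image really installs.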
Bug: Version mismatch between Dockerfile and documentation
The documentation files show SALESFORCE_SFDX_SCANNER_VERSION=5.5.0 for the sfdx-scanner linters, but the actual Dockerfile at line 346 retains version 4.12.0. This creates an inconsistency where documentation claims version 5.5.0 is installed while the Docker build actually installs 4.12.0. Either the Dockerfile needs to be updated to version 5.5.0 or the documentation should reflect 4.12.0 to maintain consistency between code and docs.
| | SALESFORCE_CODE_ANALYZER_AURA_PRE_COMMANDS | List of bash commands to run before the linter | None | | ||
| | SALESFORCE_CODE_ANALYZER_AURA_POST_COMMANDS | List of bash commands to run after the linter | None | | ||
| | SALESFORCE_CODE_ANALYZER_AURA_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling SALESFORCE_CODE_ANALYZER_AURA and its pre/post commands | None | | ||
| | SALESFORCE_CODE_ANALYZER_AURA_CONFIG_FILE | code-analyzer-aura configuration file name</br>Use `LINTER_DEFAULT` to let the linter find it | `--eslintconfig` | |
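Review bot: `</br>` in the CONFIG_FILE description cell is a closing tag with no opening and is not valid HTML; use `<br>` or `<br/>`. In the same row the default `--eslintconfig` is a command-line flag, not a file name, so a user who leaves the variable unset gets a config "file" that can never exist; the default should be the file the v5 tool reads, matching the apex descriptor in this PR.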
Bug: Config file set to command flag
The default value for SALESFORCE_CODE_ANALYZER_AURA_CONFIG_FILE and SALESFORCE_CODE_ANALYZER_LWC_CONFIG_FILE is set to --eslintconfig, which appears to be a command-line flag rather than a configuration filename. This is inconsistent with the APEX linter which correctly uses apex.yml as its config file. Configuration file variables should contain filenames, not command-line flags. This will likely cause the linters to fail when attempting to locate the configuration file.
…e-code-analyzer-version
| cli_version_arg_name: "" | ||
| version_extract_regex: "(?<=code-analyzer )\\d+(\\.\\d+)+" | ||
| cli_lint_errors_count: regex_number | ||
| cli_lint_errors_regex: "Found ([1-9]+) violation\\(s\\)" |
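Review bot: `cli_lint_errors_regex: "Found ([1-9]+) violation\\(s\\)"` misses more than the zero case: the class `[1-9]+` also fails on any count that contains a 0 digit (10, 20, 105), so those runs yield no parsed count at all; use `\\d+` (or `[0-9]+`). Check as well that `cli_version_arg_name: ""` is intended, since with an empty version argument the version check depends entirely on `version_extract_regex` matching the output of whatever default command gets run.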
Bug: Regex won't match zero violations for code-analyzer
The regex pattern Found ([1-9]+) violation\(s\) uses [1-9]+ which excludes zero, preventing the linter from matching "Found 0 violation(s)" messages. This causes the error count logic to fail when no violations exist. The pattern needs [0-9]+ or \d+ to correctly handle all cases including successful runs with zero violations.
| | SALESFORCE_CODE_ANALYZER_AURA_PRE_COMMANDS | List of bash commands to run before the linter | None | | ||
| | SALESFORCE_CODE_ANALYZER_AURA_POST_COMMANDS | List of bash commands to run after the linter | None | | ||
| | SALESFORCE_CODE_ANALYZER_AURA_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling SALESFORCE_CODE_ANALYZER_AURA and its pre/post commands | None | | ||
| | SALESFORCE_CODE_ANALYZER_AURA_CONFIG_FILE | code-analyzer-aura configuration file name</br>Use `LINTER_DEFAULT` to let the linter find it | `--eslintconfig` | |
Bug: Incorrect config file names for code-analyzer linters
The new code-analyzer linters for Aura and LWC incorrectly use --eslintconfig as their config file name default value, copied from the deprecated sfdx-scanner linters. Based on the code-analyzer-apex configuration which correctly uses code-analyzer.yml, both AURA and LWC variants should also use code-analyzer.yml as their config file name since they all share the same code-analyzer tool. The value --eslintconfig appears to be a CLI argument name rather than an actual config file name.
| | SALESFORCE_CODE_ANALYZER_AURA_PRE_COMMANDS | List of bash commands to run before the linter | None | | ||
| | SALESFORCE_CODE_ANALYZER_AURA_POST_COMMANDS | List of bash commands to run after the linter | None | | ||
| | SALESFORCE_CODE_ANALYZER_AURA_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling SALESFORCE_CODE_ANALYZER_AURA and its pre/post commands | None | | ||
| | SALESFORCE_CODE_ANALYZER_AURA_CONFIG_FILE | code-analyzer-aura configuration file name</br>Use `LINTER_DEFAULT` to let the linter find it | `--eslintconfig` | |
Bug: Config file set to CLI flag instead of filename
The default value for SALESFORCE_CODE_ANALYZER_AURA_CONFIG_FILE and SALESFORCE_CODE_ANALYZER_LWC_CONFIG_FILE is incorrectly set to --eslintconfig, which is a command-line flag rather than an actual configuration filename. This will cause the linters to fail when attempting to locate the configuration file, as they'll be looking for a file literally named --eslintconfig instead of a valid config file like .eslintrc.json or similar.
Updates the Salesforce Code Analyzer to version 5.6.1 in all relevant files. This ensures that the latest rules and improvements are used during code analysis. It also updates the sfdx-hardis version.
Note
Integrates Salesforce Code Analyzer v5 for Apex, Aura, and LWC (with config, docs, tests, standalone images), deprecates SFDX Scanner, and updates Docker builds, schemas, site/docs, and security ignores.
- Add code-analyzer-apex, code-analyzer-aura, code-analyzer-lwc (v5.6.1) with descriptor configs, tests, licenses, docs, mkdocs nav, and standalone Dockerfiles.
- Mark sfdx-scanner-* linters as deprecated; refresh docs (some versions to 5.5.0) and examples.
- Add TEMPLATES/code-analyzer.yml.
- Add the code-analyzer plugin in main and Salesforce flavor Dockerfiles; include new linters in flavor.json and linters_matrix.json.
- Update linter-versions.json (e.g., add Code Analyzer entries, adjust git_diff).
- Update .trivyignore with new CVEs; add Salesforce test fixtures (Aura/LWC) illustrating rule hits.

Written by Cursor Bugbot for commit 1bfba77.