Repository files navigation

Scapegoat is a Scala static code analyzer, which is more colloquially known as a code lint tool or linter. Scapegoat works in a similar vein to Java'sFindBugs orcheckstyle, or Scala'sScalastyle.

A static code analyzer is a tool that flags suspicious language usage in code. This can include behavior likely to lead to bugs, non-idiomatic usage of a language, or just code that doesn't conform to specified style guidelines.

What's the difference between this project and Scalastyle (or others)?

Scalastyle is a similar linting tool which focuses mostly on enforcing style/code standards. There are no problems in running multiple analysis tools on the same codebase. In fact, it could be beneficial as the total set of possible warnings is the union of the inspections of all the enabled tools. The worst case is that the same warnings might get generated by multiple tools.

Scapegoat is developed as a scala compiler plugin, which can then be used inside your build tool.

See:sbt-scapegoat for SBT integration.

Firstly you need to add scapegoat plugin as a dependency:

<dependency>    <groupId>com.sksamuel.scapegoat</groupId>    <artifactId>scalac-scapegoat-plugin_${scala.version}</artifactId>    <version>1.3.12</version></dependency>

Then configurescala-maven-plugin by addingcompilerPlugin

<plugin>    <groupId>net.alchim31.maven</groupId>    <artifactId>scala-maven-plugin</artifactId>    <configuration>        <args>            <arg>-P:scapegoat:dataDir:./target/scapegoat</arg>        </args>        <compilerPlugins>            <compilerPlugin>                <groupId>com.sksamuel.scapegoat</groupId>                <artifactId>scalac-scapegoat-plugin_${scala.binary.version}</artifactId>                <version>1.4.6</version>            </compilerPlugin>        </compilerPlugins>    </configuration></plugin>

The only required parameter isdataDir (where report will be generated):

<arg>-P:scapegoat:dataDir:./target/scapegoat</arg>

You can pass other configuration flags same way, e.g.

<arg>-P:scapegoat:disabledInspections:FinalModifierOnCaseClass</arg>

Note: You may use a separate maven profile, so that the dependency doesn't go to you runtime classpath.

Usegradle-scapegoat-plugin by @eugene-sy

Firstly you need to add scapegoat plugin as a dependency:

dependencies {  compile'com.sksamuel.scapegoat:scalac-scapegoat-plugin_2.12.21:1.4.6'  scalaCompilerPlugin"com.sksamuel.scapegoat:scalac-scapegoat-plugin_2.12.21:1.4.6"}

Then configurescala-compiler-plugin

configurations {  scalaCompilerPlugin}tasks.withType(ScalaCompile) {  scalaCompileOptions.additionalParameters= ["-Xplugin:"+ configurations.scalaCompilerPlugin.asPath,"-P:scapegoat:dataDir:"+ buildDir+"/scapegoat"  ]}

The only required parameter isdataDir (where report will be generated):

"-P:scapegoat:dataDir:" + buildDir + "/scapegoat",

You can pass other configuration flags adding it to theadditionalParameters list, e.g.

"-P:scapegoat:disabledInspections:FinalModifierOnCaseClass"

Here is sample output from the console during the build for a project with warnings/errors:

[warning] [scapegoat] Unused method parameter - org.ensime.util.ClassIterator.scala:46[warning] [scapegoat] Unused method parameter - org.ensime.util.ClassIterator.scala:137[warning] [scapegoat] Use of var - org.ensime.util.ClassIterator.scala:22[warning] [scapegoat] Use of var - org.ensime.util.ClassIterator.scala:157[   info] [scapegoat]: Inspecting compilation unit [FileUtil.scala][warning] [scapegoat] Empty if statement - org.ensime.util.FileUtil.scala:157[warning] [scapegoat] Expression as statement - org.ensime.util.FileUtil.scala:180

And if you prefer a prettier report, here is a screen shot of the type of HTML report scapegoat generates:

For instructions on suppressing warnings by file, by inspection or by line seethe sbt-scapegoat README.

To suppress warnings globally for the project, usedisabledInspections oroverrideLevels flags:

-P:scapegoat:disabledInspections:FinalModifierOnCaseClass-P:scapegoat:overrideLevels:PreferSeqEmpty=ignore:AsInstanceOf=ignore

There are currently 123 inspections for Scala 2, and 5 for Scala 3.An overview list is given, followed by a more detailed description of each inspection after the list (todo: finish rest of detailed descriptions)

Checks for explicit toString calls on arrays. Since toString on an array does not perform a deep toString, like say scala's List, this is usually a mistake.

Checks for calls of.apply(idx) on aSeq where the index is not a literal and theSeq is not anIndexedSeq.

Rationale If code which expects O(1) positional access to a Seq is given a non-IndexedSeq (such as a List, where indexing is O(n)) then this may cause poor performance.

Checks for equality comparisons that cannot succeed because the types are unrelated. Eg"string" == BigDecimal(1.0). The scala compiler has a less strict version of this inspection.

Checks for if statements where the condition is always true or false. Not only checks for the boolean literals, but also any expression that the compiler is able to turn into a constant value. Eg,if (0 < 1) then else that

Checks for a format string that is not invalid, such as invalid conversions, invalid flags, etc. Eg,"% s","%qs",%.-4f"

Checks for an incorrect number of arguments to String.format. Eg,"%s %s %f".format("need", "three") flags an error because the format string specifies 3 parameters but the call only provides 2.

Checks for invalid regex literals that would fail at compile time. Either dangling metacharacters, or unclosed escape characters, etc that kind of thing.

Checks for .size on an instance of List. Eg,val a = List(1,2,3); a.size

Rationale: List.size is O(n) so for performance reasons if .size is needed on a list that could be large, consider using an alternative with O(1), eg Array, Vector or ListBuffer.

Checks for empty finalizers. This is redundant code and should be removed. Eg,override def finalize : Unit = { }

Indicates where code using Set() could be replaced with Set.empty. Set() instantiates a new instance each time it is invoked, whereas Set.empty returns a pre-instantiated instance.

Checks for use of return in a function or method. Since the final expression of a block is always the return value, using return is unnecessary. Eg,def foo = { println("hello"); return 12; }

Checks for catch clauses that cannot be reached. This means the exception is dead and if you want that exception to take precedence you should move up further up the case list.

Checks forList.contains(value) for invalid types. The method for contains accepts any types. This inspection finds situations when you have a list of type A and you are checking for contains on type B which cannot hold.

Checks for code that uses awhile(true) ordo { } while(true) block.

Rationale: This type of code is usually not meant for production as it will not return normally. If you need to loop until interrupted, then consider using a flag.

You can suppress a specific warning by method or by class using the java.lang.SuppressWarnings annotation.

Use the simple name of the inspection to be ignored as the argument, or use "all" to suppress all scapegoat warnings in the specified scope.

Some examples:

@SuppressWarnings(Array("all"))classTest {defhello:Unit= {vals:Any="sammy"    println(s.asInstanceOf[String])  }}classTest2 {@SuppressWarnings(Array("AsInstanceOf"))defhello:Unit= {vals:Any="sammy"    println(s.asInstanceOf[String])  }}

• ScalaStyle (Scala) -https://github.com/scalastyle/scalastyle/wiki
• Linter (Scala) -https://github.com/HairyFotr/linter
• WartRemover (Scala) -https://github.com/puffnfresh/wartremover
• Findbugs (JVM) -http://findbugs.sourceforge.net/bugDescriptions.html
• Fb-contrib (JVM) -http://fb-contrib.sourceforge.net/
• CheckStyle (Java) -http://checkstyle.sourceforge.net/availablechecks.html
• PMD (Java) -http://pmd.sourceforge.net/pmd-5.0.3/rules/index.html
• Error-prone (Java) -https://github.com/google/error-prone
• CodeNarc (Groovy) -http://codenarc.sourceforge.net/codenarc-rule-index.html
• PVS-Studio (C++) -http://www.viva64.com/en/d/
• Coverity (C++) -http://www.slideshare.net/Coverity/static-analysis-primer-22874326 (6,7)
• CppCheck (C++) -http://cppcheck.sourceforge.net/
• OCLint (C++/ObjC) -http://docs.oclint.org/en/dev/rules/index.html
• JSHint (Javascript) -http://jshint.com/
• JavascriptLint (Javascript) -http://www.javascriptlint.com/
• ClosureLinter (Javascript) -https://developers.google.com/closure/utilities/