[PLUTO-1412] test init

.github/workflows/it-test.yml

@@ -7,11 +7,32 @@ on:
   push:
 
 jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Needed for git history
+      - name: Set up Go
+        uses: actions/setup-go@v4
+      - name: Build CLI for all platforms
+        run: make build-all
+      - name: Upload CLI binaries
+        uses: actions/upload-artifact@v4
+        with:
+          name: cli-binaries
+          path: |
+            cli-v2-linux
+            cli-v2.exe
+            cli-v2-macos
+
   test:
+    needs: build
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [ubuntu-latest, macos-latest] # [windows-latest] removed for now
+        os: [ubuntu-latest, macos-latest, windows-latest]
       fail-fast: false  
     steps:
       - name: Checkout code
@@ -25,10 +46,9 @@ jobs:
           go-version: '1.21'
           cache: true
 
-      - name: Download CLI binaries from go workflow
-        uses: dawidd6/action-download-artifact@v2
+      - name: Download CLI binaries
+        uses: actions/download-artifact@v4
         with:
-          workflow: go.yml
           name: cli-binaries
           path: .
 
@@ -48,6 +68,38 @@ jobs:
         if: matrix.os != 'windows-latest'
         run: chmod +x cli-v2
 
+      - name: Install yq on Windows
+        if: matrix.os == 'windows-latest'
+        shell: pwsh
+        run: |
+          choco install yq -y
+          Import-Module $env:ChocolateyInstall\helpers\chocolateyProfile.psm1
+          refreshenv
+
+      - name: Run init tests on Windows
+        if: matrix.os == 'windows-latest'
+        shell: pwsh
+        run: |
+          $ErrorActionPreference = "Stop"
+          & ./integration-tests/run.ps1
+          if ($LASTEXITCODE -ne 0) {
+            Write-Error "Integration tests failed with exit code $LASTEXITCODE"
+            exit $LASTEXITCODE
+          }
+        env:
+          CODACY_API_TOKEN: ${{ secrets.CODACY_API_TOKEN }}
+
+      - name: Run init tests on Unix
+        if: matrix.os != 'windows-latest'
+        id: run_init_tests_unix
+        continue-on-error: true
+        shell: bash
+        env:
+          CODACY_API_TOKEN: ${{ secrets.CODACY_API_TOKEN }}
+        run: |
+          chmod +x integration-tests/run.sh
+          ./integration-tests/run.sh
+
       - name: Run tool tests
         if: matrix.os != 'windows-latest'
         id: run_tests
@@ -84,7 +136,7 @@ jobs:
           fi
 
       - name: Check test results
-        if: steps.run_tests.outcome == 'failure'
+        if: failure()
         run: |
-          echo "Job failed because some tool tests failed. Please check the logs above for details."
+          echo "Job failed because some tests failed. Please check the logs above for details."
           exit 1

cmd/init.go

@@ -75,8 +75,8 @@ var initCmd = &cobra.Command{
 			if err != nil {
 				log.Fatal(err)
 			}
-			createGitIgnoreFile()
 		}
+		createGitIgnoreFile()
 		fmt.Println()
 		fmt.Println("✅ Successfully initialized Codacy configuration!")
 		fmt.Println()
@@ -95,12 +95,7 @@ func createGitIgnoreFile() error {
 	}
 	defer gitIgnoreFile.Close()
 
-	content := `# Codacy CLI 
-tools-configs/
-.gitignore
-cli-config.yaml
-logs/
-`
+	content := "# Codacy CLI\ntools-configs/\n.gitignore\ncli-config.yaml\nlogs/\n"
 	if _, err := gitIgnoreFile.WriteString(content); err != nil {
 		return fmt.Errorf("failed to write to .gitignore file: %w", err)
 	}
@@ -275,6 +270,8 @@ func buildRepositoryConfigurationFiles(token string) error {
 		PyLint:       "pylint",
 		PMD:          "pmd",
 		DartAnalyzer: "dartanalyzer",
+		Lizard:       "lizard",
+		Semgrep:      "semgrep",
 	}
 
 	// Generate languages configuration based on API tools response
@@ -384,52 +381,56 @@ func createToolFileConfigurations(tool tools.Tool, patternConfiguration []domain
 			if err != nil {
 				return fmt.Errorf("failed to create Trivy config: %v", err)
 			}
+			fmt.Println("Trivy configuration created based on Codacy settings")
 		} else {
 			err := createDefaultTrivyConfigFile(toolsConfigDir)
 			if err != nil {
 				return fmt.Errorf("failed to create default Trivy config: %v", err)
 			}
 		}
-		fmt.Println("Trivy configuration created based on Codacy settings")
 	case PMD:
 		if len(patternConfiguration) > 0 {
 			err := createPMDConfigFile(patternConfiguration, toolsConfigDir)
 			if err != nil {
 				return fmt.Errorf("failed to create PMD config: %v", err)
 			}
+
+			fmt.Println("PMD configuration created based on Codacy settings")
 		} else {
 			err := createDefaultPMDConfigFile(toolsConfigDir)
 			if err != nil {
 				return fmt.Errorf("failed to create default PMD config: %v", err)
 			}
 		}
-		fmt.Println("PMD configuration created based on Codacy settings")
+
 	case PyLint:
 		if len(patternConfiguration) > 0 {
 			err := createPylintConfigFile(patternConfiguration, toolsConfigDir)
 			if err != nil {
 				return fmt.Errorf("failed to create Pylint config: %v", err)
 			}
+			fmt.Println("Pylint configuration created based on Codacy settings")
 		} else {
 			err := createDefaultPylintConfigFile(toolsConfigDir)
 			if err != nil {
 				return fmt.Errorf("failed to create default Pylint config: %v", err)
 			}
 		}
-		fmt.Println("Pylint configuration created based on Codacy settings")
 	case DartAnalyzer:
 		if len(patternConfiguration) > 0 {
 			err := createDartAnalyzerConfigFile(patternConfiguration, toolsConfigDir)
 			if err != nil {
 				return fmt.Errorf("failed to create Dart Analyzer config: %v", err)
 			}
+			fmt.Println("Dart configuration created based on Codacy settings")
 		}
 	case Semgrep:
 		if len(patternConfiguration) > 0 {
 			err := createSemgrepConfigFile(patternConfiguration, toolsConfigDir)
 			if err != nil {
 				return fmt.Errorf("failed to create Semgrep config: %v", err)
 			}
+			fmt.Println("Semgrep configuration created based on Codacy settings")
 		}
 	case Lizard:
 		createLizardConfigFile(toolsConfigDir, patternConfiguration)
@@ -541,7 +542,6 @@ func createLizardConfigFile(toolsConfigDir string, patternConfiguration []domain
 	var patterns []domain.PatternDefinition
 
 	if len(patternConfiguration) == 0 {
-		fmt.Println("Using default Lizard configuration")
 		var err error
 		patterns, err = tools.FetchDefaultEnabledPatterns(Lizard)
 		if err != nil {

integration-tests/init-with-token/expected/.codacy/codacy.yaml

@@ -0,0 +1,10 @@
+runtimes:
+    - node@22.2.0
+    - python@3.11.11
+tools:
+    - semgrep@1.78.0
+    - lizard@1.17.19
+    - eslint@8.57.0
+    - trivy@0.59.1
+    - pylint@3.3.6
+    - pmd@6.55.0

integration-tests/init-with-token/expected/.gitignore

@@ -0,0 +1,5 @@
+# Codacy CLI
+tools-configs/
+.gitignore
+cli-config.yaml
+logs/

integration-tests/init-with-token/expected/cli-config.yaml

@@ -0,0 +1 @@
+mode: remote

integration-tests/init-with-token/expected/codacy.yaml

@@ -0,0 +1,10 @@
+runtimes:
+    - node@22.2.0
+    - python@3.11.11
+tools:
+    - eslint@8.57.0
+    - trivy@0.59.1
+    - pylint@3.3.6
+    - pmd@6.55.0
+    - semgrep@1.78.0
+    - lizard@1.17.19

integration-tests/init-with-token/expected/tools-configs/eslint.config.mjs

@@ -0,0 +1,6 @@
+export default [
+    {
+        rules: {
+        }
+    }
+];

integration-tests/init-with-token/expected/tools-configs/languages-config.yaml

@@ -0,0 +1,19 @@
+tools:
+    - name: pylint
+      languages: [Python]
+      extensions: [.py]
+    - name: lizard
+      languages: [Java, JavaScript, Python]
+      extensions: [.java, .js, .jsm, .jsx, .mjs, .py, .vue]
+    - name: pmd
+      languages: [Java, JavaScript]
+      extensions: [.java, .js, .jsm, .jsx, .mjs, .vue]
+    - name: eslint
+      languages: [JavaScript]
+      extensions: [.js, .jsm, .jsx, .mjs, .vue]
+    - name: trivy
+      languages: [Multiple]
+      extensions: []
+    - name: semgrep
+      languages: [Java, JavaScript, JSON, Python]
+      extensions: [.java, .js, .jsm, .json, .jsx, .mjs, .py, .vue]

integration-tests/init-with-token/expected/tools-configs/lizard.yaml

@@ -0,0 +1,40 @@
+patterns:
+    Lizard_ccn-minor:
+        category: Complexity
+        description: Check the Cyclomatic Complexity value of a function or logic block. If the threshold is not met, raise a Minor issue. The default threshold is 5.
+        explanation: |-
+            # Minor Cyclomatic Complexity control
+
+            Check the Cyclomatic Complexity value of a function or logic block. If the threshold is not met, raise a Minor issue. The default threshold is 4.
+        id: Lizard_ccn-minor
+        level: Info
+        severityLevel: Info
+        threshold: 5
+        timeToFix: 5
+        title: Minor Cyclomatic Complexity control
+    Lizard_nloc-critical:
+        category: Complexity
+        description: Check the number of lines of code (without comments) in a function or logic block. If the threshold is not met, raise a Critical issue. The default threshold is 100.
+        explanation: |-
+            # Critical NLOC control - Number of Lines of Code (without comments)
+
+            Check the number of lines of code (without comments) in a function or logic block. If the threshold is not met, raise a Critical issue. The default threshold is 100.
+        id: Lizard_nloc-critical
+        level: Error
+        severityLevel: Error
+        threshold: 100
+        timeToFix: 5
+        title: Critical NLOC control - Number of Lines of Code (without comments)
+    Lizard_nloc-medium:
+        category: Complexity
+        description: Check the number of lines of code (without comments) in a function. If the threshold is not met, raise a Medium issue. The default threshold is 50.
+        explanation: |-
+            # Medium NLOC control - Number of Lines of Code (without comments)
+
+            Check the number of lines of code (without comments) in a function. If the threshold is not met, raise a Medium issue. The default threshold is 50.
+        id: Lizard_nloc-medium
+        level: Warning
+        severityLevel: Warning
+        threshold: 50
+        timeToFix: 5
+        title: Medium NLOC control - Number of Lines of Code (without comments)

integration-tests/init-with-token/expected/tools-configs/pylint.rc

@@ -0,0 +1,9 @@
+[MASTER]
+ignore=CVS
+persistent=yes
+load-plugins=
+
+[MESSAGES CONTROL]
+disable=all
+enable=E1124,E1130,E1133
+

integration-tests/init-with-token/expected/tools-configs/ruleset.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0"?>
+<ruleset name="Codacy PMD Ruleset"
+    xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">
+    <description>Codacy PMD Ruleset</description>
+
+    <rule ref="category/apex/design.xml/ExcessivePublicCount"/>
+    <rule ref="category/java/bestpractices.xml/JUnitTestsShouldIncludeAssert"/>
+    <rule ref="category/java/codestyle.xml/ShortMethodName"/>
+    <rule ref="category/java/errorprone.xml/AssignmentToNonFinalStatic"/>
+</ruleset>

integration-tests/init-with-token/expected/tools-configs/semgrep.yaml

@@ -0,0 +1,69 @@
+rules:
+    - id: apex.lang.security.ncino.endpoints.namedcredentialsconstantmatch.named-credentials-constant-match
+      languages:
+        - apex
+      message: Named Credentials (and callout endpoints) should be used instead of hard-coding credentials. 1. Hard-coded credentials are hard to maintain when mixed in with application code. 2. It is particularly hard to update hard-coded credentials when they are used amongst different classes. 3. Granting a developer access to the codebase means granting knowledge of credentials, and thus keeping a two-level access is not possible. 4. Using different credentials for different environments is troublesome and error-prone.
+      metadata:
+        category: security
+        confidence: HIGH
+        cwe:
+            - 'CWE-540: Inclusion of Sensitive Information in Source Code'
+        impact: HIGH
+        likelihood: LOW
+        references:
+            - https://cwe.mitre.org/data/definitions/540.html
+        subcategory:
+            - vuln
+        technology:
+            - salesforce
+      min-version: 1.44.0
+      mode: taint
+      pattern-sinks:
+        - patterns:
+            - pattern: req.setHeader($X, ...);
+            - focus-metavariable: $X
+      pattern-sources:
+        - pattern: '...String $X = ''Authorization'';'
+      severity: ERROR
+    - id: clojure.lang.security.use-of-md5.use-of-md5
+      languages:
+        - clojure
+      message: MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.
+      metadata:
+        author: Gabriel Marquet <gab.marquet@gmail.com>
+        category: security
+        confidence: HIGH
+        cwe:
+            - 'CWE-328: Use of Weak Hash'
+        impact: HIGH
+        likelihood: MEDIUM
+        owasp:
+            - A03:2017 - Sensitive Data Exposure
+            - A02:2021 - Cryptographic Failures
+        references:
+            - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+            - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
+        source-rule-url: https://github.com/clj-holmes/clj-holmes-rules/blob/main/security/weak-hash-function-md5.yml
+        subcategory:
+            - vuln
+        technology:
+            - clojure
+      pattern-either:
+        - pattern: (MessageDigest/getInstance "MD5")
+        - pattern: (MessageDigest/getInstance MessageDigestAlgorithms/MD5)
+        - pattern: (MessageDigest/getInstance org.apache.commons.codec.digest.MessageDigestAlgorithms/MD5)
+        - pattern: (java.security.MessageDigest/getInstance "MD5")
+        - pattern: (java.security.MessageDigest/getInstance MessageDigestAlgorithms/MD5)
+        - pattern: (java.security.MessageDigest/getInstance org.apache.commons.codec.digest.MessageDigestAlgorithms/MD5)
+      severity: WARNING
+    - id: codacy.generic.plsql.empty-strings
+      languages:
+        - generic
+      message: Empty strings can lead to unexpected behavior and should be handled carefully.
+      metadata:
+        category: security
+        confidence: MEDIUM
+        description: Detects empty strings in the code which might cause issues or bugs.
+        impact: MEDIUM
+      pattern: $VAR VARCHAR2($LENGTH) := '';
+      severity: WARNING