Code Analysis

Configuration - .deepsource.toml

This section covers configuration specific to the Kotlin analyzer. Please make sure to read the general configuration guide first.

name

  • Type: String
  • Presence: mandatory
  • Description: Shortcode of the analyzer.
  • Example:
name = "kotlin"

enabled

  • Type: Boolean
  • Presence: optional
  • Description: Toggle whether this analyzer should be run.
  • Example:
enabled = true

meta

  • Type: Table
  • Presence: optional
  • Description: Any supported metadata to pass to the analyzer.
  • Example:
[analyzers.meta]
  language_version = "1.9"
  runtime_version = "18"

language_version

  • Type: String
  • Presence: optional
  • Description: The version of Kotlin that is being used by your project. This information is used to fine-tune the analysis and report issues that are more relevant to the mentioned version of Kotlin.
  • Available Values: 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9
  • Default Value: “1.7”
  • Example:
[analyzers.meta]
  language_version = "1.2"

runtime_version

  • Type: String
  • Presence: optional
  • Description: The version of Java runtime to use. This information is used to fine-tune the analysis and report issues that are more relevant to the Java runtime being used.
  • Available Values: 1.8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19
  • Default Value: “1.8”
  • Example:
[analyzers.meta]
  runtime_version = "13"

cyclomatic_complexity_threshold

  • Type: String
  • Presence: optional
  • Description: Specify the acceptable risk category for your project as the threshold. All functions with complexity beyond this threshold will raise an issue. For example, setting the threshold to low will flag all functions that have a cyclomatic complexity of more than 5, while setting the threshold to critical will not flag any function.
  • Available Values: low, medium, high, very-high and critical
| Risk category | Cyclomatic complexity range | Recommended action |
|---------------|-----------------------------|--------------------|
| low           | 1-5                         | No action is needed. |
| medium        | 6-15                        | Review and monitor. |
| high          | 16-25                       | Review and refactor. Recommended to add detailed comments if the function absolutely needs to be kept as it is. |
| very-high     | 26-50                       | Refactor to reduce the complexity. |
| critical      | >50                         | Must refactor this. This can make the code untestable and very difficult to understand. |
  • Default Value: medium
  • Example:
[analyzers.meta]
cyclomatic_complexity_threshold = "high"

Sample config

version = 1

test_patterns = [
  "**/test/**"
]

exclude_patterns = [
  "build/**"
]

[[analyzers]]
name = "kotlin"
enabled = true

  [analyzers.meta]
  language_version = "1.9"
  runtime_version = "16"

Code Coverage

The test coverage analyzer supports test coverage metrics for Jacoco and Kover XML reports.

Jacoco

Setting up test coverage differs with each type of build system (Maven, Gradle, etc.). Here’s an example of the configuration needed to run Jacoco on a Maven repo:

<!-- Within pom.xml -->
...
    <plugin>
        <groupId>org.jacoco</groupId>
        <artifactId>jacoco-maven-plugin</artifactId>
        <version>0.8.2</version>
        <executions>
            <execution>
                <goals>
                    <goal>prepare-agent</goal>
                </goals>
            </execution>
            <!-- attached to Maven test phase -->
            <execution>
                <id>report</id>
                <phase>test</phase>
                <goals>
                    <goal>report</goal>
                </goals>
            </execution>
        </executions>
    </plugin>
...

Once you’ve added Jacoco to your project’s pom.xml file, you should be able to run tests and generate the coverage report. The default location of the coverage report is target/site/jacoco/jacoco.xml.

mvn test

After you have the XML test report, you can upload it to DeepSource using the CLI:

# Install deepsource CLI
curl https://deepsource.io/cli | sh

# Set the DEEPSOURCE_DSN env variable from the reporting tab of
# your repository's DeepSource settings page.
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io

# From the project's root directory, run the report coverage command
./bin/deepsource report --analyzer test-coverage --key kotlin --value-file target/site/jacoco/jacoco.xml

In case your project has multiple modules, you will need to use the jacoco:report-aggregate goal to merge all reports together.
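A minimal reporting module for the multi-module case described above, as an added example that is not part of the original documentation. The `com.example` group and the module names `parent`, `core`, `api` and `coverage-report` are hypothetical; the plugin coordinates and version are the ones used earlier on this page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- coverage-report/pom.xml: added example, all module names are hypothetical -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>com.example</groupId>
    <artifactId>parent</artifactId>
    <version>1.0.0</version>
  </parent>
  <artifactId>coverage-report</artifactId>
  <packaging>pom</packaging>

  <!-- report-aggregate merges coverage for the modules listed as dependencies -->
  <dependencies>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>core</artifactId>
      <version>${project.version}</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>api</artifactId>
      <version>${project.version}</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.jacoco</groupId>
        <artifactId>jacoco-maven-plugin</artifactId>
        <version>0.8.2</version>
        <executions>
          <!-- runs after every module's tests have produced execution data -->
          <execution>
            <id>report-aggregate</id>
            <phase>verify</phase>
            <goals>
              <goal>report-aggregate</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Each listed module still needs the prepare-agent execution shown earlier. After `mvn verify`, the merged report is written to the goal's default location, coverage-report/target/site/jacoco-aggregate/jacoco.xml, which is the path to pass to --value-file.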

Kover

If you have a Gradle project, you can set up Kover for report generation as well.

Add the following in your top-level build file:

plugins {
     id("org.jetbrains.kotlinx.kover") version "0.7.2"
}

Once you’ve applied the Kover Gradle plugin, Kover tasks for report generation and verification will be created. To generate XML reports, you can use the following command:

./gradlew koverXmlReport

koverXmlReport will build, execute tests and then write out an XML report in the specified report location. The default location for Kover reports is: build/reports/kover/xml/report.xml.

Note that Kover will automatically run your full test suite by default. If you instead want to execute tests separately, make sure to include -x test in Gradle’s arguments.

You can then use the DeepSource CLI to upload this report:

# Install deepsource CLI
curl https://deepsource.io/cli | sh

# Set the DEEPSOURCE_DSN env variable from the reporting tab of
# your repository's DeepSource settings page.
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io

# From the project's root directory, run the report coverage command
./bin/deepsource report --analyzer test-coverage --key kotlin --value-file build/reports/kover/xml/report.xml

Code Formatter (Transformer)

Ktlint

Transform all incoming Kotlin code with Ktlint. Documentation for Ktlint’s .editorconfig configuration can be found here.

This section covers .deepsource.toml configuration specific to the ktlint transformer. Please make sure to read the general configuration guide first.

name

  • Type: String
  • Presence: mandatory
  • Description: Shortcode of this transformer.
  • Example:
name = "ktlint"

enabled

  • Type: Boolean
  • Presence: optional
  • Description: Toggle whether this transformer should be run.
  • Example:
enabled = true

Vulnerability Scanning

Supported target files:

  • pom.xml