feat(pipeline): implement SAST and linting executors with configuration handling

Signed-off-by: 孙振宇 <>
2025-02-05 16:29:52 +08:00 · 2025-02-05 16:29:52 +08:00 · 69eaed1c6a
commit 69eaed1c6a
parent 425b7014fa
13 changed files with 1078 additions and 11 deletions
--- a/first-class-pipeline/resources/com/freeleaps/devops/builtins/lint/eslint/eslintrc.js
+++ b/first-class-pipeline/resources/com/freeleaps/devops/builtins/lint/eslint/eslintrc.js
@ -0,0 +1,69 @@
 // @ts-check
 const { defineConfig } = require("eslint-define-config");
 module.exports = defineConfig({
  root: true,
  env: {
    browser: true,
    node: true,
    es6: true,
  },
  parser: "vue-eslint-parser",
  parserOptions: {
    parser: "@typescript-eslint/parser",
    ecmaVersion: 2020,
    sourceType: "module",
    jsxPragma: "React",
    ecmaFeatures: {
      jsx: true,
    },
  },
  extends: [
    "plugin:vue/vue3-recommended",
    "plugin:@typescript-eslint/recommended",
    "prettier",
    "plugin:prettier/recommended",
    "./.eslintrc-auto-import.json",
  ],
  rules: {
    "vue/script-setup-uses-vars": "error",
    "vue/no-reserved-component-names": "off",
    "@typescript-eslint/ban-ts-ignore": "off",
    "@typescript-eslint/explicit-function-return-type": "off",
    "@typescript-eslint/no-explicit-any": "off",
    "@typescript-eslint/no-var-requires": "off",
    "@typescript-eslint/no-empty-function": "off",
    "vue/custom-event-name-casing": "off",
    "no-use-before-define": "off",
    "@typescript-eslint/no-use-before-define": "off",
    "@typescript-eslint/ban-ts-comment": "off",
    "@typescript-eslint/ban-types": "off",
    "@typescript-eslint/no-non-null-assertion": "off",
    "@typescript-eslint/explicit-module-boundary-types": "off",
    "@typescript-eslint/no-unused-vars": "error",
    "no-unused-vars": "error",
    "space-before-function-paren": "off",
    "vue/attributes-order": "off",
    "vue/one-component-per-file": "off",
    "vue/html-closing-bracket-newline": "off",
    "vue/max-attributes-per-line": "off",
    "vue/multiline-html-element-content-newline": "off",
    "vue/singleline-html-element-content-newline": "off",
    "vue/attribute-hyphenation": "off",
    "vue/require-default-prop": "off",
    "vue/require-explicit-emits": "off",
    "vue/html-self-closing": [
      "error",
      {
        html: {
          void: "always",
          normal: "never",
          component: "always",
        },
        svg: "always",
        math: "always",
      },
    ],
    "vue/multi-word-component-names": "off",
  },
 });
--- a/first-class-pipeline/resources/com/freeleaps/devops/builtins/lint/pylint/pylintrc
+++ b/first-class-pipeline/resources/com/freeleaps/devops/builtins/lint/pylint/pylintrc
@ -0,0 +1,647 @@
 [MAIN]
 # Analyse import fallback blocks. This can be used to support both Python 2 and
 # 3 compatible code, which means that the block might have code that exists
 # only in one or another interpreter, leading to false positives when analysed.
 analyse-fallback-blocks=no
 # Clear in-memory caches upon conclusion of linting. Useful if running pylint
 # in a server-like mode.
 clear-cache-post-run=no
 # Load and enable all available extensions. Use --list-extensions to see a list
 # all available extensions.
 #enable-all-extensions=
 # In error mode, messages with a category besides ERROR or FATAL are
 # suppressed, and no reports are done by default. Error mode is compatible with
 # disabling specific errors.
 #errors-only=
 # Always return a 0 (non-error) status code, even if lint errors are found.
 # This is primarily useful in continuous integration scripts.
 #exit-zero=
 # A comma-separated list of package or module names from where C extensions may
 # be loaded. Extensions are loading into the active Python interpreter and may
 # run arbitrary code.
 extension-pkg-allow-list=
 # A comma-separated list of package or module names from where C extensions may
 # be loaded. Extensions are loading into the active Python interpreter and may
 # run arbitrary code. (This is an alternative name to extension-pkg-allow-list
 # for backward compatibility.)
 extension-pkg-whitelist=
 # Return non-zero exit code if any of these messages/categories are detected,
 # even if score is above --fail-under value. Syntax same as enable. Messages
 # specified are enabled, while categories only check already-enabled messages.
 fail-on=
 # Specify a score threshold under which the program will exit with error.
 fail-under=10
 # Interpret the stdin as a python script, whose filename needs to be passed as
 # the module_or_package argument.
 #from-stdin=
 # Files or directories to be skipped. They should be base names, not paths.
 ignore=CVS
 # Add files or directories matching the regular expressions patterns to the
 # ignore-list. The regex matches against paths and can be in Posix or Windows
 # format. Because '\\' represents the directory delimiter on Windows systems,
 # it can't be used as an escape character.
 ignore-paths=
 # Files or directories matching the regular expression patterns are skipped.
 # The regex matches against base names, not paths. The default value ignores
 # Emacs file locks
 ignore-patterns=^\.#
 # List of module names for which member attributes should not be checked and
 # will not be imported (useful for modules/projects where namespaces are
 # manipulated during runtime and thus existing member attributes cannot be
 # deduced by static analysis). It supports qualified module names, as well as
 # Unix pattern matching.
 ignored-modules=
 # Python code to execute, usually for sys.path manipulation such as
 # pygtk.require().
 #init-hook=
 # Use multiple processes to speed up Pylint. Specifying 0 will auto-detect the
 # number of processors available to use, and will cap the count on Windows to
 # avoid hangs.
 jobs=1
 # Control the amount of potential inferred values when inferring a single
 # object. This can help the performance when dealing with large functions or
 # complex, nested conditions.
 limit-inference-results=100
 # List of plugins (as comma separated values of python module names) to load,
 # usually to register additional checkers.
 load-plugins=
 # Pickle collected data for later comparisons.
 persistent=yes
 # Resolve imports to .pyi stubs if available. May reduce no-member messages and
 # increase not-an-iterable messages.
 prefer-stubs=no
 # Minimum Python version to use for version dependent checks. Will default to
 # the version used to run pylint.
 py-version=3.13
 # Discover python modules and packages in the file system subtree.
 recursive=no
 # Add paths to the list of the source roots. Supports globbing patterns. The
 # source root is an absolute path or a path relative to the current working
 # directory used to determine a package namespace for modules located under the
 # source root.
 source-roots=
 # When enabled, pylint would attempt to guess common misconfiguration and emit
 # user-friendly hints instead of false-positive error messages.
 suggestion-mode=yes
 # Allow loading of arbitrary C extensions. Extensions are imported into the
 # active Python interpreter and may run arbitrary code.
 unsafe-load-any-extension=no
 # In verbose mode, extra non-checker-related info will be displayed.
 #verbose=
 [BASIC]
 # Naming style matching correct argument names.
 argument-naming-style=snake_case
 # Regular expression matching correct argument names. Overrides argument-
 # naming-style. If left empty, argument names will be checked with the set
 # naming style.
 #argument-rgx=
 # Naming style matching correct attribute names.
 attr-naming-style=snake_case
 # Regular expression matching correct attribute names. Overrides attr-naming-
 # style. If left empty, attribute names will be checked with the set naming
 # style.
 #attr-rgx=
 # Bad variable names which should always be refused, separated by a comma.
 bad-names=foo,
          bar,
          baz,
          toto,
          tutu,
          tata
 # Bad variable names regexes, separated by a comma. If names match any regex,
 # they will always be refused
 bad-names-rgxs=
 # Naming style matching correct class attribute names.
 class-attribute-naming-style=any
 # Regular expression matching correct class attribute names. Overrides class-
 # attribute-naming-style. If left empty, class attribute names will be checked
 # with the set naming style.
 #class-attribute-rgx=
 # Naming style matching correct class constant names.
 class-const-naming-style=UPPER_CASE
 # Regular expression matching correct class constant names. Overrides class-
 # const-naming-style. If left empty, class constant names will be checked with
 # the set naming style.
 #class-const-rgx=
 # Naming style matching correct class names.
 class-naming-style=PascalCase
 # Regular expression matching correct class names. Overrides class-naming-
 # style. If left empty, class names will be checked with the set naming style.
 #class-rgx=
 # Naming style matching correct constant names.
 const-naming-style=UPPER_CASE
 # Regular expression matching correct constant names. Overrides const-naming-
 # style. If left empty, constant names will be checked with the set naming
 # style.
 #const-rgx=
 # Minimum line length for functions/classes that require docstrings, shorter
 # ones are exempt.
 docstring-min-length=-1
 # Naming style matching correct function names.
 function-naming-style=snake_case
 # Regular expression matching correct function names. Overrides function-
 # naming-style. If left empty, function names will be checked with the set
 # naming style.
 #function-rgx=
 # Good variable names which should always be accepted, separated by a comma.
 good-names=i,
           j,
           k,
           ex,
           Run,
           _
 # Good variable names regexes, separated by a comma. If names match any regex,
 # they will always be accepted
 good-names-rgxs=
 # Include a hint for the correct naming format with invalid-name.
 include-naming-hint=no
 # Naming style matching correct inline iteration names.
 inlinevar-naming-style=any
 # Regular expression matching correct inline iteration names. Overrides
 # inlinevar-naming-style. If left empty, inline iteration names will be checked
 # with the set naming style.
 #inlinevar-rgx=
 # Naming style matching correct method names.
 method-naming-style=snake_case
 # Regular expression matching correct method names. Overrides method-naming-
 # style. If left empty, method names will be checked with the set naming style.
 #method-rgx=
 # Naming style matching correct module names.
 module-naming-style=snake_case
 # Regular expression matching correct module names. Overrides module-naming-
 # style. If left empty, module names will be checked with the set naming style.
 #module-rgx=
 # Colon-delimited sets of names that determine each other's naming style when
 # the name regexes allow several styles.
 name-group=
 # Regular expression which should only match function or class names that do
 # not require a docstring.
 no-docstring-rgx=^_
 # List of decorators that produce properties, such as abc.abstractproperty. Add
 # to this list to register other decorators that produce valid properties.
 # These decorators are taken in consideration only for invalid-name.
 property-classes=abc.abstractproperty
 # Regular expression matching correct type alias names. If left empty, type
 # alias names will be checked with the set naming style.
 #typealias-rgx=
 # Regular expression matching correct type variable names. If left empty, type
 # variable names will be checked with the set naming style.
 #typevar-rgx=
 # Naming style matching correct variable names.
 variable-naming-style=snake_case
 # Regular expression matching correct variable names. Overrides variable-
 # naming-style. If left empty, variable names will be checked with the set
 # naming style.
 #variable-rgx=
 [CLASSES]
 # Warn about protected attribute access inside special methods
 check-protected-access-in-special-methods=no
 # List of method names used to declare (i.e. assign) instance attributes.
 defining-attr-methods=__init__,
                      __new__,
                      setUp,
                      asyncSetUp,
                      __post_init__
 # List of member names, which should be excluded from the protected access
 # warning.
 exclude-protected=_asdict,_fields,_replace,_source,_make,os._exit
 # List of valid names for the first argument in a class method.
 valid-classmethod-first-arg=cls
 # List of valid names for the first argument in a metaclass class method.
 valid-metaclass-classmethod-first-arg=mcs
 [DESIGN]
 # List of regular expressions of class ancestor names to ignore when counting
 # public methods (see R0903)
 exclude-too-few-public-methods=
 # List of qualified class names to ignore when counting class parents (see
 # R0901)
 ignored-parents=
 # Maximum number of arguments for function / method.
 max-args=5
 # Maximum number of attributes for a class (see R0902).
 max-attributes=7
 # Maximum number of boolean expressions in an if statement (see R0916).
 max-bool-expr=5
 # Maximum number of branch for function / method body.
 max-branches=12
 # Maximum number of locals for function / method body.
 max-locals=15
 # Maximum number of parents for a class (see R0901).
 max-parents=7
 # Maximum number of positional arguments for function / method.
 max-positional-arguments=5
 # Maximum number of public methods for a class (see R0904).
 max-public-methods=20
 # Maximum number of return / yield for function / method body.
 max-returns=6
 # Maximum number of statements in function / method body.
 max-statements=50
 # Minimum number of public methods for a class (see R0903).
 min-public-methods=2
 [EXCEPTIONS]
 # Exceptions that will emit a warning when caught.
 overgeneral-exceptions=builtins.BaseException,builtins.Exception
 [FORMAT]
 # Expected format of line ending, e.g. empty (any line ending), LF or CRLF.
 expected-line-ending-format=
 # Regexp for a line that is allowed to be longer than the limit.
 ignore-long-lines=^\s*(# )?<?https?://\S+>?$
 # Number of spaces of indent required inside a hanging or continued line.
 indent-after-paren=4
 # String used as indentation unit. This is usually "    " (4 spaces) or "\t" (1
 # tab).
 indent-string='    '
 # Maximum number of characters on a single line.
 max-line-length=100
 # Maximum number of lines in a module.
 max-module-lines=1000
 # Allow the body of a class to be on the same line as the declaration if body
 # contains single statement.
 single-line-class-stmt=no
 # Allow the body of an if to be on the same line as the test if there is no
 # else.
 single-line-if-stmt=no
 [IMPORTS]
 # List of modules that can be imported at any level, not just the top level
 # one.
 allow-any-import-level=
 # Allow explicit reexports by alias from a package __init__.
 allow-reexport-from-package=no
 # Allow wildcard imports from modules that define __all__.
 allow-wildcard-with-all=no
 # Deprecated modules which should not be used, separated by a comma.
 deprecated-modules=
 # Output a graph (.gv or any supported image format) of external dependencies
 # to the given file (report RP0402 must not be disabled).
 ext-import-graph=
 # Output a graph (.gv or any supported image format) of all (i.e. internal and
 # external) dependencies to the given file (report RP0402 must not be
 # disabled).
 import-graph=
 # Output a graph (.gv or any supported image format) of internal dependencies
 # to the given file (report RP0402 must not be disabled).
 int-import-graph=
 # Force import order to recognize a module as part of the standard
 # compatibility libraries.
 known-standard-library=
 # Force import order to recognize a module as part of a third party library.
 known-third-party=enchant
 # Couples of modules and preferred modules, separated by a comma.
 preferred-modules=
 [LOGGING]
 # The type of string formatting that logging methods do. `old` means using %
 # formatting, `new` is for `{}` formatting.
 logging-format-style=old
 # Logging modules to check that the string format arguments are in logging
 # function parameter format.
 logging-modules=logging
 [MESSAGES CONTROL]
 # Only show warnings with the listed confidence levels. Leave empty to show
 # all. Valid levels: HIGH, CONTROL_FLOW, INFERENCE, INFERENCE_FAILURE,
 # UNDEFINED.
 confidence=HIGH,
           CONTROL_FLOW,
           INFERENCE,
           INFERENCE_FAILURE,
           UNDEFINED
 # Disable the message, report, category or checker with the given id(s). You
 # can either give multiple identifiers separated by comma (,) or put this
 # option multiple times (only on the command line, not in the configuration
 # file where it should appear only once). You can also use "--disable=all" to
 # disable everything first and then re-enable specific checks. For example, if
 # you want to run only the similarities checker, you can use "--disable=all
 # --enable=similarities". If you want to run only the classes checker, but have
 # no Warning level messages displayed, use "--disable=all --enable=classes
 # --disable=W".
 disable=raw-checker-failed,
        bad-inline-option,
        locally-disabled,
        file-ignored,
        suppressed-message,
        useless-suppression,
        deprecated-pragma,
        use-implicit-booleaness-not-comparison-to-string,
        use-implicit-booleaness-not-comparison-to-zero,
        use-symbolic-message-instead
 # Enable the message, report, category or checker with the given id(s). You can
 # either give multiple identifier separated by comma (,) or put this option
 # multiple time (only on the command line, not in the configuration file where
 # it should appear only once). See also the "--disable" option for examples.
 enable=
 [METHOD_ARGS]
 # List of qualified names (i.e., library.method) which require a timeout
 # parameter e.g. 'requests.api.get,requests.api.post'
 timeout-methods=requests.api.delete,requests.api.get,requests.api.head,requests.api.options,requests.api.patch,requests.api.post,requests.api.put,requests.api.request
 [MISCELLANEOUS]
 # List of note tags to take in consideration, separated by a comma.
 notes=FIXME,
      XXX,
      TODO
 # Regular expression of note tags to take in consideration.
 notes-rgx=
 [REFACTORING]
 # Maximum number of nested blocks for function / method body
 max-nested-blocks=5
 # Complete name of functions that never returns. When checking for
 # inconsistent-return-statements if a never returning function is called then
 # it will be considered as an explicit return statement and no message will be
 # printed.
 never-returning-functions=sys.exit,argparse.parse_error
 # Let 'consider-using-join' be raised when the separator to join on would be
 # non-empty (resulting in expected fixes of the type: ``"- " + " -
 # ".join(items)``)
 suggest-join-with-non-empty-separator=yes
 [REPORTS]
 # Python expression which should return a score less than or equal to 10. You
 # have access to the variables 'fatal', 'error', 'warning', 'refactor',
 # 'convention', and 'info' which contain the number of messages in each
 # category, as well as 'statement' which is the total number of statements
 # analyzed. This score is used by the global evaluation report (RP0004).
 evaluation=max(0, 0 if fatal else 10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10))
 # Template used to display messages. This is a python new-style format string
 # used to format the message information. See doc for all details.
 msg-template=
 # Set the output format. Available formats are: text, parseable, colorized,
 # json2 (improved json format), json (old json format) and msvs (visual
 # studio). You can also give a reporter class, e.g.
 # mypackage.mymodule.MyReporterClass.
 #output-format=
 # Tells whether to display a full report or only the messages.
 reports=no
 # Activate the evaluation score.
 score=yes
 [SIMILARITIES]
 # Comments are removed from the similarity computation
 ignore-comments=yes
 # Docstrings are removed from the similarity computation
 ignore-docstrings=yes
 # Imports are removed from the similarity computation
 ignore-imports=yes
 # Signatures are removed from the similarity computation
 ignore-signatures=yes
 # Minimum lines number of a similarity.
 min-similarity-lines=4
 [SPELLING]
 # Limits count of emitted suggestions for spelling mistakes.
 max-spelling-suggestions=4
 # Spelling dictionary name. Available dictionaries: en (aspell), en_AU
 # (aspell), en_CA (aspell), en_GB (aspell), en_US (aspell).
 spelling-dict=
 # List of comma separated words that should be considered directives if they
 # appear at the beginning of a comment and should not be checked.
 spelling-ignore-comment-directives=fmt: on,fmt: off,noqa:,noqa,nosec,isort:skip,mypy:
 # List of comma separated words that should not be checked.
 spelling-ignore-words=
 # A path to a file that contains the private dictionary; one word per line.
 spelling-private-dict-file=
 # Tells whether to store unknown words to the private dictionary (see the
 # --spelling-private-dict-file option) instead of raising a message.
 spelling-store-unknown-words=no
 [STRING]
 # This flag controls whether inconsistent-quotes generates a warning when the
 # character used as a quote delimiter is used inconsistently within a module.
 check-quote-consistency=no
 # This flag controls whether the implicit-str-concat should generate a warning
 # on implicit string concatenation in sequences defined over several lines.
 check-str-concat-over-line-jumps=no
 [TYPECHECK]
 # List of decorators that produce context managers, such as
 # contextlib.contextmanager. Add to this list to register other decorators that
 # produce valid context managers.
 contextmanager-decorators=contextlib.contextmanager
 # List of members which are set dynamically and missed by pylint inference
 # system, and so shouldn't trigger E1101 when accessed. Python regular
 # expressions are accepted.
 generated-members=
 # Tells whether to warn about missing members when the owner of the attribute
 # is inferred to be None.
 ignore-none=yes
 # This flag controls whether pylint should warn about no-member and similar
 # checks whenever an opaque object is returned when inferring. The inference
 # can return multiple potential results while evaluating a Python object, but
 # some branches might not be evaluated, which results in partial inference. In
 # that case, it might be useful to still emit no-member and other checks for
 # the rest of the inferred objects.
 ignore-on-opaque-inference=yes
 # List of symbolic message names to ignore for Mixin members.
 ignored-checks-for-mixins=no-member,
                          not-async-context-manager,
                          not-context-manager,
                          attribute-defined-outside-init
 # List of class names for which member attributes should not be checked (useful
 # for classes with dynamically set attributes). This supports the use of
 # qualified names.
 ignored-classes=optparse.Values,thread._local,_thread._local,argparse.Namespace
 # Show a hint with possible names when a member name was not found. The aspect
 # of finding the hint is based on edit distance.
 missing-member-hint=yes
 # The minimum edit distance a name should have in order to be considered a
 # similar match for a missing member name.
 missing-member-hint-distance=1
 # The total number of similar names that should be taken in consideration when
 # showing a hint for a missing member.
 missing-member-max-choices=1
 # Regex pattern to define which classes are considered mixins.
 mixin-class-rgx=.*[Mm]ixin
 # List of decorators that change the signature of a decorated function.
 signature-mutators=
 [VARIABLES]
 # List of additional names supposed to be defined in builtins. Remember that
 # you should avoid defining new builtins when possible.
 additional-builtins=
 # Tells whether unused global variables should be treated as a violation.
 allow-global-unused-variables=yes
 # List of names allowed to shadow builtins
 allowed-redefined-builtins=
 # List of strings which can identify a callback function by name. A callback
 # name must start or end with one of those strings.
 callbacks=cb_,
          _cb
 # A regular expression matching the name of dummy variables (i.e. expected to
 # not be used).
 dummy-variables-rgx=_+$|(_[a-zA-Z0-9_]*[a-zA-Z0-9]+?$)|dummy|^ignored_|^unused_
 # Argument names that match this expression will be ignored.
 ignored-argument-names=_.*|^ignored_|^unused_
 # Tells whether we should check for unused import in __init__ files.
 init-import=no
 # List of qualified module names which can have objects that can redefine
 # builtins.
 redefining-builtins-modules=six.moves,past.builtins,future.builtins,builtins,io
--- a/first-class-pipeline/src/com/freeleaps/devops/CodeLintExecutor.groovy
+++ b/first-class-pipeline/src/com/freeleaps/devops/CodeLintExecutor.groovy
@ -0,0 +1,54 @@
 package com.freeleaps.devops
 import com.freeleaps.devops.enums.CodeLinterTypes
 import com.freeleaps.devops.lint.Linter
 import com.freeleaps.devops.lint.PyLint
 import com.freeleaps.devops.lint.ESLint
 class CodeLintExecutor {
  def steps
  def workspace
  def configs
  def linterType
  CodeLintExecutor(steps, workspace, configs, linterType) {
    this.steps = steps
    this.workspace = workspace
    this.configs = configs
    this.linterType = linterType
  }
  def execute() {
    if (configs == null || configs.isEmpty()) {
      steps.log.warn("CodeLintExecutor", "Not set configurations file, using default configurations as fallback")
      def configFilePath
      switch (linterType) {
        case CodeLinterTypes.PYLINT:
          configFilePath = "com/freeleaps/devops/builtins/lint/pylint/pylintrc"
          break
        case CodeLinterTypes.ESLINT:
          configFilePath = "com/freeleaps/devops/builtins/lint/eslint/eslintrc.js"
          break
        default:
          steps.log.error("CodeLintExecutor", "Unknown linter type")
          return
      }
      steps.writeFile file: "${workspace}/.lintconfig", text: steps.libraryResource(configFilePath)
      configs = "${workspace}/.lintconfig"
    }
    Linter linter
    switch (linterType) {
      case CodeLinterTypes.PYLINT:
        linter = new PyLint(steps, workspace, configs)
        break
      case CodeLinterTypes.ESLINT:
        linter = new ESLint(steps, workspace, configs)
        break
      default:
        steps.log.error("CodeLintExecutor", "Unknown linter type")
        return
    }
    linter.lint()
  }
 }
--- a/first-class-pipeline/src/com/freeleaps/devops/DependenciesResolver.groovy
+++ b/first-class-pipeline/src/com/freeleaps/devops/DependenciesResolver.groovy
@ -39,7 +39,6 @@ class DependenciesResolver {
    if (mgr == null) {
      steps.error("Dependencies manager is not set")
    }
    steps.sh "env"
    steps.log.info("Dependencies Resolver","Ready to resolve dependencies for ${language}...")
--- a/first-class-pipeline/src/com/freeleaps/devops/SASTExecutor.groovy
+++ b/first-class-pipeline/src/com/freeleaps/devops/SASTExecutor.groovy
@ -0,0 +1,10 @@
 package com.freeleaps.devops
 import com.freeleaps.devops.enums.SASTScannerTypes
 class SASTExecutor {
  def steps
  def workspace
  def configs
  def scannerType
 }
--- a/first-class-pipeline/src/com/freeleaps/devops/enums/CodeLinterTypes.groovy
+++ b/first-class-pipeline/src/com/freeleaps/devops/enums/CodeLinterTypes.groovy
@ -0,0 +1,29 @@
 package com.freeleaps.devops.enums
 import com.freeleaps.devops.enums.ServiceLanguage
 enum CodeLinterTypes {
  PYLINT(ServiceLanguage.PYTHON, "pylint", "docker.io/pipelinecomponents/pylint:latest"),
  ESLINT(ServiceLanguage.JS, "eslint", "docker.io/pipelinecomponents/eslint:latest")
  final ServiceLanguage language
  final String linter
  final String containerImage
  CodeLinterTypes(ServiceLanguage language, String linter, String containerImage) {
    this.language = language
    this.linter = linter
    this.containerImage = containerImage
  }
  static CodeLinterTypes parse(String linter) {
    switch (linter) {
      case 'pylint':
        return CodeLinterTypes.PYLINT
      case 'eslint':
        return CodeLinterTypes.ESLINT
      default:
        return null
    }
  }
 }
--- a/first-class-pipeline/src/com/freeleaps/devops/enums/SASTScannerTypes.groovy
+++ b/first-class-pipeline/src/com/freeleaps/devops/enums/SASTScannerTypes.groovy
@ -0,0 +1,26 @@
 package com.freeleaps.devops.enums
 import com.freeleaps.devops.enums.ServiceLanguage
 enum SASTScannerTypes {
  BANDIT(ServiceLanguage.PYTHON, "bandit", "ghcr.io/pycqa/bandit/bandit:latest"),
  final ServiceLanguage language
  final String scanner
  final String containerImage
  SASTScannerTypes(ServiceLanguage language, String scanner, String containerImage) {
    this.language = language
    this.scanner = scanner
    this.containerImage = containerImage
  }
  static SASTScannerTypes parse(String scanner) {
    switch (scanner) {
      case 'bandit':
        return SASTScannerTypes.BANDIT
      default:
        return null
    }
  }
 }
--- a/first-class-pipeline/src/com/freeleaps/devops/lint/ESLint.groovy
+++ b/first-class-pipeline/src/com/freeleaps/devops/lint/ESLint.groovy
@ -0,0 +1,14 @@
 package com.freeleaps.devops.lint
 import com.freeleaps.devops.enums.CodeLinterTypes
 import com.freeleaps.devops.lint.LinterBase
 class ESLint extends LinterBase {
  ESLint(steps, workspace, configs) {
    super(steps, workspace, configs, CodeLinterTypes.ESLINT)
  }
  def doLint() {
    steps.sh("eslint --config ${configs} ${workspace}")
  }
 }
--- a/first-class-pipeline/src/com/freeleaps/devops/lint/Linter.groovy
+++ b/first-class-pipeline/src/com/freeleaps/devops/lint/Linter.groovy
@ -0,0 +1,34 @@
 package com.freeleaps.devops.lint
 interface Linter {
  def lint()
 }
 abstract class LinterBase implements Linter {
  def steps
  def workspace
  def configs
  def linterType
  LinterBase(steps, workspace, configs, linterType) {
    this.steps = steps
    this.workspace = workspace
    this.configs = configs
    this.linterType = linterType
  }
  def lint() {
    steps.log.info("${linterType.linter}", "Linting ${linterType.language.language} code")
    steps.log.info("${linterType.linter}", "Workspace sets to: ${workspace}")
    if (configs == null || configs.isEmpty()) {
      steps.log.error("${linterType.linter}", "Not set configurations file, linter configuration file is required")
    }
    steps.log.info("${linterType.linter}", "Using ${configs} as configurations file")
    doLint()
    steps.log.info("${linterType.linter}", "Code linting has been completed")
  }
  abstract def doLint()
 }
--- a/first-class-pipeline/src/com/freeleaps/devops/lint/PyLint.groovy
+++ b/first-class-pipeline/src/com/freeleaps/devops/lint/PyLint.groovy
@ -0,0 +1,14 @@
 package com.freeleaps.devops.lint
 import com.freeleaps.devops.enums.CodeLinterTypes
 import com.freeleaps.devops.lint.LinterBase
 class PyLint extends LinterBase {
  PyLint(steps, workspace, configs) {
    super(steps, workspace, configs, CodeLinterTypes.PYLINT)
  }
  def doLint() {
    steps.sh("pylint --rcfile=${configs} ${workspace}")
  }
 }
--- a/first-class-pipeline/tests/Jenkinsfile
+++ b/first-class-pipeline/tests/Jenkinsfile
@ -1,56 +1,118 @@
 library 'first-class-pipeline'
 executeFreeleapsPipeline {
  // serviceName is the name of the service, which is used to identify the service
  serviceName = 'magicleaps'
  // serviceSlug used to identify the service environment
  environmentSlug = 'alpha'
  // serviceGitBranch used to specify the git repo branch of the service codes
  serviceGitBranch = 'master'
  // serviceGitRepo used to specify the git repo of the service codes
  serviceGitRepo = "https://freeleaps@dev.azure.com/freeleaps/magicleaps/_git/magicleaps"
  // serviceGitRepoType used to specify the git repo type of the service codes
  // monorepo: all services codes are in the same repo and using sub-folders to separate them
  // separated: each service has its own repo
  serviceGitRepoType = 'monorepo' // monorepo, separated
  // executeMode used to specify the pipeline execution mode
  // on-demand: the pipeline will be triggered with code changes, only changed components will be executed
  // fully: the pipeline will be triggered without code changes, all components will be executed
  executeMode = 'fully' // on-demand, fully
  // commitMessageLintEnabled used to specify whether to enable commit message lint
  commitMessageLintEnabled = false
  // components used to specify the service components
  components = [
    [
      // name is the name of the component, which is used to identify the component
      name: 'frontend',
      // root is the root folder of the component codes
      root: 'frontend',
      // language is the programming language of the component codes
      language: 'javascript',
      // dependenciesManager used to specify which dependencies manager to use
      dependenciesManager: 'npm',
      // npmPackageJsonFile used to specify the npm package.json file path when dependenciesManager set to npm
      npmPackageJsonFile: 'package.json',
      // buildCacheEnabled used to specify whether to enable build dependencies cache
      buildCacheEnabled: true,
      // buildCommand used to specify the build command of the component
      buildCommand: 'npm run build',
      // lintEnabled used to specify whether to enable code lint
      lintEnabled: true,
      // linter used to specify the code linter
      linter: 'eslint',
-      sastEnabled: true,
+      // linterConfig used to specify the code linter configuration file path, if not set, will use the default configuration
-      sastProvider: 'NodeJsScan',
+      // linterConfig: '.eslintrc.js',
      // sastEnabled used to specify whether to enable SAST scan
      sastEnabled: false,
      // sastScanner used to specify the SAST scanner
      // FIXME: JS has no production-ready SAST scanner yet
      // sastScanner: '',
      // imageRegistry used to specify the which registry to push the image
      imageRegistry: 'docker.io',
      // imageRepository used to specify the image repository
      imageRepository: 'sunzhenyucn',
      // imageName used to specify the image name
      imageName: 'magicleaps-frontend',
      // imageBuilder used to specify the image builder
      // dind: using docker-in-docker to build the image
      // kaniko: using Kaniko to build the image
      imageBuilder: 'dind',
      // dockerfilePath used to specify the Dockerfile path
      dockerfilePath: 'Dockerfile',
      // imageBuildRoot used to specify the image build context root
      imageBuildRoot: '.',
      // imageReleaseArchitectures used to specify the released image architectures
      imageReleaseArchitectures: ['amd64', 'arm64'],
      // registryCredentialName used to specify the registry credential that stored in Freeleaps Kubernetes Cluster
      registryCredentialName: 'first-class-pipeline-dev-secret',
      // semanticReleaseEnabled used to specify whether to enable semantic release
      semanticReleaseEnabled: true,
      // semanticReleaseBranch used to specify the which branch to publish release notes
      semanticReleaseBranch: 'master'
    ],
    [
      // name is the name of the component, which is used to identify the component
      name: 'backend',
      // root is the root folder of the component codes
      root: 'backend',
      // language is the programming language of the component codes
      language: 'python',
      // dependenciesManager used to specify which dependencies manager to use
      dependenciesManager: 'pip',
      // buildCacheEnabled used to specify whether to enable build dependencies cache
      buildCacheEnabled: true,
      // buildCommand used to specify the build command of the component
      lintEnabled: true,
-      linter: 'PyLint',
+      // linter used to specify the code linter
      linter: 'pylint',
      // linterConfig used to specify the code linter configuration file path, if not set, will use the default configuration
      // linterConfig: '.pylintrc',
      // sastEnabled used to specify whether to enable SAST scan
      sastEnabled: true,
-      sastProvider: 'Bandit',
+      // sastScanner used to specify the SAST scanner
      // FIXME: Python has no production-ready SAST scanner yet
      sastScanner: 'bandit',
      // imageRegistry used to specify the which registry to push the image
      imageRegistry: 'docker.io',
      // imageRepository used to specify the image repository
      imageRepository: 'sunzhenyucn',
      // imageName used to specify the image name
      imageName: 'magicleaps-backend',
      // imageBuilder used to specify the image builder
      // dind: using docker-in-docker to build the image
      // kaniko: using Kaniko to build the image
      imageBuilder: 'dind',
      // dockerfilePath used to specify the Dockerfile path
      dockerfilePath: 'Dockerfile',
      // imageBuildRoot used to specify the image build context root
      imageBuildRoot: '.',
      // imageReleaseArchitectures used to specify the released image architectures
      imageReleaseArchitectures: ['amd64', 'arm64'],
      // registryCredentialName used to specify the registry credential that stored in Freeleaps Kubernetes Cluster
      registryCredentialName: 'first-class-pipeline-dev-secret',
      // semanticReleaseEnabled used to specify whether to enable semantic release
      semanticReleaseEnabled: true,
      // semanticReleaseBranch used to specify the which branch to publish release notes
      semanticReleaseBranch: 'master'
    ]
  ]
--- a/first-class-pipeline/vars/executeFreeleapsPipeline.groovy
+++ b/first-class-pipeline/vars/executeFreeleapsPipeline.groovy
@ -2,10 +2,13 @@
 import com.freeleaps.devops.SourceFetcher
 import com.freeleaps.devops.DependenciesResolver
 import com.freeleaps.devops.enums.DependenciesManager
 import com.freeleaps.devops.enums.ServiceLanguage
 import com.freeleaps.devops.CommitMessageLinter
 import com.freeleaps.devops.ChangedComponentsDetector
 import com.freeleaps.devops.CodeLintExecutor
 import com.freeleaps.devops.enums.DependenciesManager
 import com.freeleaps.devops.enums.ServiceLanguage
 import com.freeleaps.devops.enums.CodeLinterTypes
 def generateComponentStages(component, configurations) {
    return [
@ -73,6 +76,114 @@ def generateComponentStages(component, configurations) {
          }
        }
      }
    },
    stage("${component.name} :: Code Linter Preparation") {
      script {
        if (env.executeMode == "fully" || env.changedComponents.contains(component.name)) {
          if (component.lintEnabled != null && component.lintEnabled) {
            log.info("Pipeline", "Code linting has enabled, preparing linter...")
            if (linter == null || linter.isEmpty()) {
              log.error("Pipeline", "Not set linter for ${component.name}, using default linter settings as fallback")
            }
            def linter = CodeLinterTypes.parse(component.linter)
            if (linter == null) {
              log.error("Pipeline", "Unknown linter for ${component.name}, skipping code linting")
            }
            if (linter.language != ServiceLanguage.parse(component.language)) {
              log.error("Pipeline", "Linter ${linter.linter} is not supported for ${component.language}, skipping code linting")
            }
            log.info("Pipeline", "Using ${linter.linter} with image ${linter.containerImage} as linter for ${component.name}")
            env.linterContainerImage = linter.containerImage
          }
          log.info("Pipeline", "Code linting is not enabled for ${component.name}, skipping...")
        }
      }
    },
    stage("${component.name} :: Code Linting If Enabled") {
      podTemplate(
        label: "code-linter-${component.name}",
        containers: [
          containerTemplate(
            name: 'code-linter',
            image: env.linterContainerImage,
            ttyEnabled: true,
            command: 'sleep',
            args: 'infinity'
          )
        ]
      ) {
        node("code-linter-${component.name}") {
          container('code-linter') {
            script {
              if (env.executeMode == "fully" || env.changedComponents.contains(component.name)) {
                if (component.lintEnabled != null && component.lintEnabled) {
                  log.info("Pipeline", "Code linting has enabled, linting code...")
                  def sourceFetcher = new SourceFetcher(this)
                  sourceFetcher.fetch(configurations)
                  def linterType = CodeLinterTypes.parse(component.linter)
                  def codeLintExecutor = new CodeLintExecutor(this, env.workspace + "/" + component.root + "/", component.linterConfig, linterType)
                  codeLintExecutor.execute()
                }
              }
            }
          }
        }
      }
    },
    stage("${component.name} :: SAST Scanner Preparation") {
      script {
        if (env.executeMode == "fully" || env.changedComponents.contains(component.name)) {
          if (component.sastEnabled != null && component.sastEnabled) {
            log.info("Pipeline", "SAST scanning has enabled, preparing scanner...")
            if (sastScanner == null || sastScanner.isEmpty()) {
              log.error("Pipeline", "Not set sastScanner for ${component.name}")
            }
            log.info("Pipeline", "Using ${sastScanner} as SAST scanner for ${component.name}")
            env.sastScanner = sastScanner
          }
        }
      }
    },
    stage("${component.name} :: SAST Scanning If Enabled") {
    },
    stage("${component.name} :: Semantic Release Preparation") {
    },
    stage("${component.name} :: Semantic Releasing If Enabled") {
    },
    stage("${component.name} :: Compilation & Packaging") {
    },
    stage("${component.name} :: Image Builder Setup") {
    },
    stage("${component.name} :: Image Building & Publishing") {
    },
    stage("${component.name} :: Argo Application Version Updating (Deploying)") {
    }
  ]
 }
@ -182,10 +293,7 @@ spec:
        steps {
          script {
            configurations.components.each { component ->
-              def generatedStages = generateComponentStages(component, configurations)
+              generateComponentStages(component, configurations)
              generatedStages.each { stage ->
                stage(stage)
              }
            }
          }
        }
--- a/first-class-pipeline/vars/log.groovy
+++ b/first-class-pipeline/vars/log.groovy
@ -18,4 +18,5 @@ def warn(plugin, message) {
 def error(plugin, message) {
  echo "[${getTimestamp()}] [ERROR] ${plugin} - ${message}"
  error(message)
 }