reviewdog: add fickling support

brave · Nov 9, 2024 · ea3bf74 · ea3bf74
1 parent 9a88980
commit ea3bf74
Show file tree

Hide file tree

Showing 7 changed files with 61 additions and 6 deletions.
diff --git a/actions/main/action.cjs b/actions/main/action.cjs
@@ -91,7 +91,7 @@ module.exports = async ({ github, context, inputs, actionPath, core, debug = fal
 
   // Install semgrep & pip-audit
   await runCommand(`pip install --disable-pip-version-check -r ${actionPath}/requirements.txt`, { shell: true })
-  debugLog('Installed semgrep & pip-audit')
+  debugLog('Installed semgrep & pip-audit & fickling')
   // Install xmllint for safesvg
   await runCommand('sudo apt-get install -y libxml2-utils', { shell: true })
   debugLog('Installed xmllint')

diff --git a/assets/fickling-audit.py b/assets/fickling-audit.py
@@ -0,0 +1,26 @@
+import fickling
+from fickling.fickle import PickleDecodeError, EmptyPickleError
+
+from os import environ, path
+import sys
+
+def is_pickle_unsafe(file_path):
+    try:
+        return not fickling.is_likely_safe(file_path)
+    except (NotImplementedError, PickleDecodeError, EmptyPickleError):
+        return False
+    except Exception as e:
+        # print exception on stderr
+        print("%s: (%s) %s" % (e.__class__.__qualname__, file_path, e), file=sys.stderr)
+        return False
+
+def main():
+    with open(path.join(environ["SCRIPTPATH"], "all_changed_files.txt")) as all_changed_files:
+        all_changed_files = [f for f in all_changed_files.read().split("\x00")]
+
+        for f in all_changed_files:
+            if is_pickle_unsafe(f):
+                print("""M:%s:0 This pickle might contain unsafe contructs\n""" % (f))
+
+if __name__ == "__main__":
+    main()
diff --git a/assets/reviewdog.sh b/assets/reviewdog.sh
@@ -7,19 +7,37 @@ export GOPATH=$HOME/go
 export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
 export SEC_ACTION_DEBUG=$SEC_ACTION_DEBUG
 export ASSIGNEES=$(echo "$ASSIGNEES" | sed 's|\([^ ]\)|@\1|' | tr -s '\n' ' ')
+export GITHUB_REPORTER=github-pr-review
+
+RUNNERS="safesvg tfsec semgrep sveltegrep npm-audit pip-audit fickling" # disabled: brakeman
+# redefine RUNNERS with $1 if it is set
+if [ -n "$1" ]; then
+    RUNNERS=$1
+fi
+# if GITHUB_OUTPUT is not set, set it to /dev/stdout
+if [ -z "$GITHUB_OUTPUT" ]; then
+    GITHUB_OUTPUT=/dev/stdout
+    GITHUB_REPORTER=local
+fi
 
-RUNNERS="safesvg tfsec semgrep sveltegrep npm-audit pip-audit" # disabled: brakeman
 
 if [ -n "${GITHUB_BASE_REF+set}" ]; then
     for runner in $RUNNERS; do
-        reviewdog -reporter=local -runners=$runner -conf="$SCRIPTPATH/reviewdog/reviewdog.yml" -diff="git diff origin/$GITHUB_BASE_REF" > $runner.log 2>> reviewdog.log || true
+        SCRIPTPATH=$SCRIPTPATH reviewdog -reporter=local -runners=$runner -conf="$SCRIPTPATH/reviewdog/reviewdog.yml" -filter-mode=nofilter > $runner.log 2>> reviewdog.log || true
         grep -H "" reviewdog.$runner.stderr.log >> reviewdog.fail.log || true
         [[ ${SEC_ACTION_DEBUG:-false} == 'true' ]] && grep -H "" reviewdog.$runner.stderr.log || true
     done
 
     for runner in $RUNNERS; do
-        cat $runner.log | reviewdog -reporter=github-pr-review -efm='%f:%l: %m' \
-          || cat $runner.log >> reviewdog.fail.log
+        # replace anything that has not the number in the beginning of the line with zero
+        cat $runner.log | grep -E '[^:]+: ' > $runner.log.noline || true
+        cat $runner.log | grep -v -E '[^:]+: ' > $runner.log.line || true
+
+        cat $runner.log.line | reviewdog -reporter=$GITHUB_REPORTER -efm='%f:%l: %m' \
+          || cat $runner.log.line >> reviewdog.fail.log
+        cat $runner.log.noline | reviewdog -reporter=$GITHUB_REPORTER -efm='%f: %m' -filter-mode=nofilter \
+          || cat $runner.log.noline >> reviewdog.fail.log
+
         grep -H "" $runner.log >> reviewdog.log || true
         echo -n "$runner: "
         echo "${runner//-/_}_count=$(grep -c "^" $runner.log)" >> $GITHUB_OUTPUT || true

diff --git a/assets/reviewdog/reviewdog.yml b/assets/reviewdog/reviewdog.yml
@@ -85,3 +85,8 @@ runner:
     cmd: "set -e\n(python3 $SCRIPTPATH/pip-audit.py \\\n| $SCRIPTPATH/cleaner.rb) 2> /dev/null # reviewdog.pip-audit.stderr.log \n"
     errorformat:
       - "%t:%f:%l %m"
+  fickling:
+    name: fickling
+    cmd: "set -e\npython $SCRIPTPATH/fickling-audit.py | $SCRIPTPATH/cleaner.rb 2> reviewdog.fickling.stderr.log"
+    errorformat:
+      - "%t:%f:%l %m"
diff --git a/requirements.txt b/requirements.txt
@@ -1,3 +1,4 @@
 # Also alter semgrep self test yml
 semgrep~=1.95.0
-pip-audit~=2.7.0
+pip-audit~=2.7.0
+fickling~=0.1.3
diff --git a/scripttagextractor.pkl b/scripttagextractor.pkl
diff --git a/src/pullRequestChangedFiles.js b/src/pullRequestChangedFiles.js
@@ -23,6 +23,7 @@ export default async function pullRequestChangedFIles ({ github, githubToken, ow
             path
             additions
             deletions
+            changeType
           }
         }
       }
@@ -49,6 +50,10 @@ export default async function pullRequestChangedFIles ({ github, githubToken, ow
     // check for additions only, deletions are not relevant, in this case
     paths = paths.concat(
       files.nodes.filter(file => file.additions /* + file.deletions */ > 0).map(file => file.path))
+
+    // add binary files too
+    paths = paths.concat(
+      files.nodes.filter(file => file.additions === 0 && file.deletions === 0 && file.changeType === 'ADDED').map(file => file.path))
   }
 
   return paths