Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support ShellCheck SARIF rule metadata #68

Merged
merged 1 commit into from
Feb 9, 2023
Merged

Support ShellCheck SARIF rule metadata #68

merged 1 commit into from
Feb 9, 2023

Conversation

lzaoral
Copy link
Member

@lzaoral lzaoral commented Aug 1, 2022

This is a proof-of-concept at the moment.

Fixes #54.

@lzaoral lzaoral self-assigned this Aug 1, 2022
@lzaoral
Copy link
Member Author

lzaoral commented Aug 1, 2022

@jamacku, Can you please check that the version of csgrep from this branch creates correct help links for ShellCheck reports on GitHub? You can get the RPM from Packit. Thank you!

@jamacku
Copy link
Member

jamacku commented Aug 1, 2022

@lzaoral sure, I'll have a look. Thanks

@jamacku jamacku mentioned this pull request Aug 15, 2022
Closed
jamacku
jamacku reviewed Aug 15, 2022
View reviewed changes
Copy link
Member

@jamacku jamacku left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, from what I saw help paragraphs are still missing. I'm not sure where could be a problem.

image

@lzaoral
Copy link
Member Author

lzaoral commented Aug 16, 2022

@jamacku, Could please try it again with the latest changes? Note that this PR is just a proof-of-concept. I'm not really happy with the current implementation.

@jamacku
Copy link
Member

jamacku commented Aug 16, 2022

@lzaoral It's unfortunate, but it still doesn't show a hint message in GitHub UI.

Screenshot from 2022-08-16 14-41-42

@jamacku jamacku mentioned this pull request Aug 17, 2022
Open
@jamacku
Copy link
Member

jamacku commented Aug 17, 2022

@lzaoral I came across this repo with SARIF examples: https://github.com/microsoft/sarif-tutorials

It seems like a good source of information if it's not outdated.

https://github.com/microsoft/sarif-tutorials/blob/main/docs/2-Basics.md#rule-metadata

@lzaoral
Copy link
Member Author

lzaoral commented Aug 18, 2022
edited
Loading

@jamacku, could you try it once again, please?

I've added the fullDescription key to the rule objects. This key is mandatory accroding to the SARIF 2.1 standard. [1] Note, that I've just copied an event message to this key for testing purposes, it will contain description that's not really general, e.g. "COMMIT_TO_IM appears unused. Verify it or export it.".

[1] https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html#_Toc34317838

@jamacku
Copy link
Member

jamacku commented Aug 22, 2022

@lzaoral It WORKS 🥳
Screenshot from 2022-08-22 16-29-50

But I'm not sure if it displays a correct message.

@lzaoral lzaoral force-pushed the sarif-rule-metadata branch 2 times, most recently from ae7a6ac to a59cc00 Compare August 23, 2022 08:06
@lzaoral
Copy link
Member Author

lzaoral commented Aug 23, 2022

@jamacku, Could you try it once more, please? This time with much cleaner and simpler code. Thanks in advance!

@jamacku
Copy link
Member

jamacku commented Aug 24, 2022

@lzaoral Please see:

Screenshot from 2022-08-24 09-05-55

It works great! 🥳 I'm thinking if it would make sense to say something like:

Defect reference: https://github.com/koalaman/shellcheck/wiki/SC2086

Or maybe even try to take advantage of supported markdown templating and generate something like:

Defect reference: [SC2086](https://github.com/koalaman/shellcheck/wiki/SC2086)

@lzaoral lzaoral force-pushed the sarif-rule-metadata branch from a59cc00 to 6a160d8 Compare August 24, 2022 08:02
@jamacku
Copy link
Member

jamacku commented Aug 26, 2022

@lzaoral Works great 💯

Markdown templating:

Screenshot from 2022-08-26 14-45-58

Defect searching by rule:

Screenshot from 2022-08-26 14-46-50

@lzaoral lzaoral changed the title WIP: Support SARIF rule metadata Support ShellCheck SARIF rule metadata Sep 14, 2022
@lzaoral lzaoral force-pushed the sarif-rule-metadata branch from 0d4dcdc to b432be6 Compare September 14, 2022 14:31
@lzaoral lzaoral marked this pull request as ready for review September 14, 2022 14:31
@lzaoral
Copy link
Member Author

lzaoral commented Sep 14, 2022

This PR should be finally ready for a proper review. 🥳

@lzaoral lzaoral requested review from jamacku and kdudka September 14, 2022 14:32
@lzaoral lzaoral mentioned this pull request Sep 14, 2022
Closed
jamacku
jamacku approved these changes Sep 16, 2022
View reviewed changes
Copy link
Member

@jamacku jamacku left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It works like a charm! LGTM 👍

kdudka
kdudka requested changes Sep 16, 2022
View reviewed changes
Copy link
Member

@kdudka kdudka left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for moving it forward! Could we please extend the SARIF writer such that CWE IDs are preserved when available even for ShellCheck? We have our own mapping of SCNNNN to CWE-NNN in csmock: https://github.com/csutils/csmock/blob/0d96eeabbc064f828c35fbea95ebd3616295b8b7/cwe-map.csv#L425 I would like to avoid losing this data when we convert csmock's output to SARIF.

@lzaoral
Copy link
Member Author

lzaoral commented Sep 19, 2022

Unfortunately, SARIF allows at most one rule per defect. Will be something like this enough?

"properties": {
    "cwe": [
        "CWE-248"
    ]
    "tags": [
        "ShellCheck"
    ]
}

@kdudka
Copy link
Member

kdudka commented Sep 19, 2022

SARIF's rule is def.checker + ": " + keyEvt.event in the current output of csgrep --mode=sarif. So assigning at most one rule to each defect is fine and we do not need to change it. On the other hand, we can assign many properties to each rule. I am not sure about the help text. If there is just one help text field for each rule, we can probably concatenate the text and provide both the links?

@lzaoral
Copy link
Member Author

lzaoral commented Sep 19, 2022

Yes, concatenating the help texts is possible.

@jamacku jamacku mentioned this pull request Jan 31, 2023
Open
@lzaoral lzaoral force-pushed the sarif-rule-metadata branch 3 times, most recently from 9b7a74d to 6e21e20 Compare February 7, 2023 12:55
@lzaoral
Copy link
Member Author

lzaoral commented Feb 7, 2023

I've updated the PR with changes addressing concerns raised in #68 (review).

@lzaoral lzaoral requested a review from kdudka February 7, 2023 12:57
@lzaoral lzaoral force-pushed the sarif-rule-metadata branch from 6e21e20 to 410a3d1 Compare February 7, 2023 14:08
kdudka
kdudka approved these changes Feb 9, 2023
View reviewed changes
Copy link
Member

@kdudka kdudka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the update! I think it works as expected now.

The implementation could be optimized for future extensions. I would create a structure RuleProps and a single map from ruleId to RuleProps, in order to make adding new properties in the future more straightforward. But this can be refactored later on when we actually need it.

jamacku added a commit to jamacku/differential-shellcheck that referenced this pull request Feb 9, 2023
@jamacku
test: csdiff PR redhat-plumbers-in-action#68
1231c1a 
csutils/csdiff#68
@jamacku jamacku mentioned this pull request Feb 9, 2023
Closed
jamacku
jamacku requested changes Feb 9, 2023
View reviewed changes
Copy link
Member

@jamacku jamacku left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, it doesn't seem to work 😿

Tested in:

Reported defect is missing metadata:

Screenshot from 2023-02-09 13-04-07

jamacku
jamacku approved these changes Feb 9, 2023
View reviewed changes
Copy link
Member

@jamacku jamacku left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When the defect was already detected before it won't have new metadata assigned to it, but when it is a fresh defect, it works as expected. It seems like a bug or implementation detail on the GitHub side.

Screenshot from 2023-02-09 13-14-07

LGTM 💪

@lzaoral lzaoral force-pushed the sarif-rule-metadata branch from 410a3d1 to 2ea18ad Compare February 9, 2023 13:00
@lzaoral
Copy link
Member Author

lzaoral commented Feb 9, 2023

Thanks for the reviews!

@lzaoral lzaoral closed this in 2ea18ad Feb 9, 2023
@lzaoral lzaoral merged commit 2ea18ad into csutils:main Feb 9, 2023
@lzaoral lzaoral deleted the sarif-rule-metadata branch February 9, 2023 13:01
@jamacku jamacku mentioned this pull request Mar 3, 2023
Merged
@jamacku jamacku mentioned this pull request Apr 3, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kdudka kdudka kdudka approved these changes

@jamacku jamacku jamacku approved these changes

Assignees

@lzaoral lzaoral

Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support advanced ShellCheck rule descriptions for the SARIF format
3 participants
@lzaoral @jamacku @kdudka