Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add SARIF support #40

Merged
merged 31 commits into from
Jun 14, 2022
Merged

Add SARIF support #40

merged 31 commits into from
Jun 14, 2022

Conversation

shaopeng-gh
Copy link

@shaopeng-gh shaopeng-gh commented Mar 23, 2022

Add support for output in SARIF format.

Hello! We are interested in adding support for output in the open-standard SARIF format to puppet-lint. SARIF support is required to integrate it in GitHub code scanning. Doing so would make it available to every repo in GitHub and could result in increase in user base.

More about SARIF here:
What is SARIF?
Why SARIF?

After the support for SARIF output is added to the tool and published a new version, we will work on creating a starter workflow to make it available as a GitHub code scanner.

@shaopeng-gh shaopeng-gh requested a review from a team as a code owner March 23, 2022 04:21
@CLAassistant
Copy link

CLAassistant commented Mar 23, 2022

CLA assistant check
All committers have signed the CLA.

@shaopeng-gh
Copy link
Author

@yongyan-gh
@eddynaka

Copy link

@ekohl ekohl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've been wondering if puppet-lint shouldn't properly implement a --format option. In #34 I already added a start with this.

lib/puppet-lint/bin.rb Outdated Show resolved Hide resolved
lib/puppet-lint/bin.rb Outdated Show resolved Hide resolved
lib/puppet-lint/bin.rb Outdated Show resolved Hide resolved
lib/puppet-lint/bin.rb Outdated Show resolved Hide resolved
@shaopeng-gh
Copy link
Author

shaopeng-gh commented Mar 24, 2022

@ekohl

SARIF format need to have a description of the rule (beside the message that is very specific the the error found which we already have now),
and a help uri if it is available.

I can see in each rule it do have this info but in the comments.
I will go ahead and modify each rule and also expose them in the object properties so I can get in the code,

let me know if that sounds good?

image

the above example is not a good example, the message do not have any extra data so it looks like it can be directly used as description as well, but we have rules like this:
:message => "indentation of => is not properly aligned (expected in column #{arrow_column[level_idx]}, but found it in column #{arrow_tok.column})",

the rule description we are looking for, is static for a rule.


In reply to: 1078242810

@shaopeng-gh
Copy link
Author

shaopeng-gh commented Mar 30, 2022

@ekohl

SARIF format need to have a description of the rule (beside the message that is very specific the the error found which we already have now), and a help uri if it is available.

I can see in each rule it do have this info but in the comments. I will go ahead and modify each rule and also expose them in the object properties so I can get in the code,

let me know if that sounds good?

image

the above example is not a good example, the message do not have any extra data so it looks like it can be directly used as description as well, but we have rules like this: :message => "indentation of => is not properly aligned (expected in column #{arrow_column[level_idx]}, but found it in column #{arrow_tok.column})",

the rule description we are looking for, is static for a rule.

I have done making this change and updated the PR.

fyi the new data will be visible in SARIF viewer UI like below:
image


In reply to: 1082556441

Copy link

@ekohl ekohl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about plugins which haven't added a description yet? Will that work well? Should it also document something for plugin writers?

@@ -180,9 +180,8 @@ def report(problems)
print_github_annotation(message) if configuration.github_actions
end
end
puts JSON.pretty_generate(json) if configuration.json
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This could affect usage via Rake. I don't know if people do this, but there are effectively 2 entry points: the bin file which you already found and Rake:
https://github.com/puppetlabs/puppet-lint/blob/020143b705b023946739eb44e7c7d99fcd087527/lib/puppet-lint/tasks/puppet-lint.rb#L88-L107=

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for all the inputs! I will set the PR as draft for now and look into them.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have followed this instruction:
https://github.com/puppetlabs/puppet-lint/blob/master/README.md#testing-with-puppet-lint-as-a-rake-task

then running rake lint seems not having issue and output result normally.
I think running in rake currently only have normal
output does not support json option in the configuration, so the line highlighted will not be run in rake lint command, so should be good.

Comment on lines 96 to 98
report_sarif(all_problems, full_base_path, full_base_path_uri) if PuppetLint.configuration.sarif

if PuppetLint.configuration.json
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should these 2 be mutually exclusive? Either JSON or sarif?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

they should be mutually exclusive, added the if else.

Comment on lines 100 to 102
problems.each do |problem|
[:description, :help_uri].each { |key| problem.delete(key) }
end
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's also delete_if which is probably cleaner. Or you could be explicit and use Hash.slice and select the entries that are relevant.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, changed to use delete_if

@shaopeng-gh shaopeng-gh marked this pull request as draft April 4, 2022 23:51
@shaopeng-gh
Copy link
Author

  1. I have verified running with plugins don't have those 2 new properties, will not throw any error and will just have those 2 sarif properties not populated.
  2. I found this file lib/puppet-lint/checkplugin.rb has some description, I added the 2 new properties.

In reply to: 930112225

@shaopeng-gh shaopeng-gh marked this pull request as ready for review April 12, 2022 23:40
Copy link

@ekohl ekohl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think my concerns have been addressed. However, I'm not a maintainer on this repository.

@binford2k you may want to give some visibility on this. It could be interesting for developers.


security:

strategy:
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It feels odd to have a matrix here if there's just a single entry. Is that really needed?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Matrix is not needed, I have removed it.

@@ -0,0 +1,39 @@
name: puppet-lint scan
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is an interesting thing. Do you have an example of where this ran so I can see the resulting report?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is just a sample (or sometimes called a starter workflow) that the user of the puppet-lint can add to their own repo, after we got all things done. User can use it to scan their repo and get code scanning alerts of the .pp files in their repo.
GitHub support this and the format used is SARIF format.

this is a run in my fork as example: (it is not intended to run against the puppet-lint repo itself, but the user's repo)
https://github.com/shaopeng-gh/puppet-lint/security/code-scanning

for people don't have permission:
image

elsif PuppetLint.configuration.json
all_problems.each do |problems|
problems.each do |problem|
problem.delete_if { |key, _| [:description, :help_uri].include?(key) }
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure the description must be excluded. The help URI also doesn't hurt IMHO. Perhaps a maintainer can weigh in on that.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps a maintainer can weigh in on that. ---- yes the only reason for this code block is I am trying to maintain the same JSON output as before, maintainer can advise if also want these 2 new properties in JSON and let me know to change accordingly.

@shaopeng-gh shaopeng-gh mentioned this pull request Apr 20, 2022
@ekohl
Copy link

ekohl commented May 21, 2022

At this point I think this looks good, but someone who actually has access on this module needs to step in and do a review. I can't even approve CI to run.

@alexjfisher
Copy link

@binford2k Can I nominate @ekohl for trusted contributor access to this repo? :)

@chelnak
Copy link

chelnak commented May 21, 2022

I've kicked off the CI run 👍

@shaopeng-gh
Copy link
Author

Thanks for looking and triggering the CI! let me know.

(The plan is after the support for SARIF output is added to the tool, I will work on creating a starter workflow in the GitHub code scanner starter workflow repo to make it available as a GitHub code scanner. I have added more information in the description of this PR at the top. )

@chelnak
Copy link

chelnak commented May 31, 2022

@shaopeng-gh This looks fine and it looks like you have addressed all of the comments from @ekohl.

My only question is do we need the scan.yml in this repo? If it is an example, would it be better to include in in the README?

Thanks!

@shaopeng-gh
Copy link
Author

@chelnak your are correct, I have removed this file form the pr. It is just an example I will be submitting it to GitHub code scanner starter workflow repo, and user will be able to use it.
After that is done we can add a few lines in the readme mentioning there is a GitHub starter workflows available.

@shaopeng-gh
Copy link
Author

Thanks, let me know if can be merged.

@shaopeng-gh
Copy link
Author

A gentle ping, after this is merged and a new version created I will work on the GitHub code scanner starter workflow. Thanks!

Copy link
Member

@david22swan david22swan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM
Just need's a squash merge

@david22swan david22swan merged commit 97bd8da into puppetlabs:master Jun 14, 2022
@david22swan
Copy link
Member

@shaopeng-gh Thanks for putting in the work :)

@chelnak
Copy link

chelnak commented Jun 14, 2022

@shaopeng-gh I'm really looking forward to seeing what happens with this.

Thank you 🙏

@shaopeng-gh
Copy link
Author

@chelnak
thanks, not familiar with how Ruby Gems are updated, can a new version to be published so that in the workflow I can use below command to install and have the --sarif support:
gem install puppet-lint
https://rubygems.org/gems/puppet-lint/versions I see last version is 2.5.2 - September 14, 2021

@chelnak chelnak added the enhancement New feature or request label Oct 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants