Linter refactor #78
Linter refactor #78
Conversation
cache.js
Outdated
| } else if (fileType === 'python') { | ||
| writeFileCreateDirs(path.join('cache', repoID.toString(), prID.toString(), branchTag, filePath), data) | ||
| } | ||
| const appTag = (fileType === 'go') ? 'gosec' : 'bandit' |
There was a problem hiding this comment.
Should probably start using a const for 'gosec' and 'bandit'. I've seen the strings more than once. Probably from bandit.js and gosec.js would be appropriate.
There was a problem hiding this comment.
I agree but I'd rather tackle that as a follow up.
Opening #103
runner.js
Outdated
| * @param {string} prID | ||
| */ | ||
| async function runLinters (files, repoID, prID) { | ||
| // TODO: Sync with file download location resolution |
There was a problem hiding this comment.
Also in the future, it would be nicer if the linters were pluggable and not hardcoded here. I imagine a linter registration model, that the runner would iterate through the loaded linters.
There was a problem hiding this comment.
I thought the same yes. That would be really cool.
There was a problem hiding this comment.
Yes, this is a rough first draft but it would be nice to have an array of objects and just iterate through it. I'll see what I can do.
There was a problem hiding this comment.
linters/index.js now exports a list of code linters, we might add a utility function to register linters dynamically later
There was a problem hiding this comment.
Note that this requires the report generation rewrite, coming in a followup PR
| * @param {any} results Linter results | ||
| * @returns GitHub checks report | ||
| */ | ||
| generateReport (results) { |
There was a problem hiding this comment.
Looks like both bandit.js and gosec.js have this method which just calls another. Do we anticipate future linters doing other work here?
There was a problem hiding this comment.
For now the report generation logic lives in a separate file for bandit and gosec but it may not be necessary as most of it is similar and could be factored away.
This PR is already large enough so right now I'm taking the simplest approach.
There was a problem hiding this comment.
Also bringing everything in the same file might make it more difficult to test correctly, though I am open to suggestions.
Of course we can export every helper function but then there is not much point in getting rid of the helper files.
There was a problem hiding this comment.
I don't see where do you use bandit/bandit.js and gosec/gosec.js files.
Also there is something important if you ask me in gosec/gosec.js file which is missing when you spawn Gosec:
The reason this is important is that when Gosec fails it throws an exception and the exception usually comes from the fact that the report file doesn't exists and fs.readFileSync throws that exception.
But if you have the logs how Gosec had started it's much more easier for debug as I explain here:
#61
|
@MVrachev Yes I didn't put the logging code back in yet because I wanted to try to use Bunyan (the probot logger) instead of |
The baseline feature is now irrelevant since we rely on GitHub to correctly filter the annotations and only display relevant ones. This is split off from #78 to help trim it down.
|
Ready for review. |
linters/gosec.js
Outdated
| * relative to the working directory | ||
| */ | ||
| get reportPath () { | ||
| return '../gosec.json' |
There was a problem hiding this comment.
Same here as I mentioned before in the linters/bandit.js file
There was a problem hiding this comment.
Again I expected change here.
If you have different opinion I will be glad to hear it.
linters/gosec.js
Outdated
| * relative to the working directory | ||
| */ | ||
| get reportPath () { | ||
| return '../gosec.json' |
There was a problem hiding this comment.
Again I expected change here.
If you have different opinion I will be glad to hear it.
Signed-off-by: Antoine Salon <[email protected]>
Signed-off-by: Antoine Salon <[email protected]>
Signed-off-by: Antoine Salon <[email protected]>
Signed-off-by: Antoine Salon <[email protected]>
Signed-off-by: Antoine Salon <[email protected]>
Signed-off-by: Antoine Salon <[email protected]>
Signed-off-by: Antoine Salon <[email protected]>
Signed-off-by: Antoine Salon <[email protected]>
Signed-off-by: Antoine Salon <[email protected]>
Use 'safe' and 'vulnerable' to describe all instances of test files
Signed-off-by: Antoine Salon <[email protected]>
Signed-off-by: Antoine Salon <[email protected]>
Currently the code that deals with running linters and collecting the results of analysis is scattered around the code base which makes it difficult to change and understand. Additionally, intricacies such as the way gosec interacts with the folder structure have to be accounted in various places which also increases the mental overhead when dealing with simple tasks.
This PR attempts to hide all linter-specific behavior under a common interface
Runnerthat executes the common scanning and reporting logic. Thelintersfolder contains the specifics of each linter runner instance (command line arguments, report parsing logic, ...). I'm not entirely satisfied with the current design (havingnew Bandit()in javascript is quite ugly IMO), i'm open to suggestions to change it.Some other notable changes:
TODO:
Merge report generation code with new linter file?-> Coming in follow up PR