Pester PR Build Pipeline should check for PsScriptAnalyzer errors #1635
Comments
|
Yeah will do, once I get the most pressing issues out of the way, as always :) |
|
Want to assign some of this to me? I have submitted draft PR which can be reviewed for TODO, FIXME. As part of the scans, can probably suppress certain warnings such as Write-Host and changes required to support PesterPreference Global variables. Invoke-ScriptAnalyzer . -Recurse -ExcludeRule PSAvoidUsingWriteHost,PSAvoidGlobalVars,PSUseDeclaredVarsMoreThanAssignmentsThere are probably some scoping bugs in both the Pester code and the PSScriptAnalyzer scans. I purposely avoided the /src folder for now. |
|
Comments to questions made in #1700 .
Output.ps1 contains internal functions, not public. Help not mandatory, at least not a detailed one.
Deprecating |
|
Small first step done in #1745. Not part of CI yet as "style guide" needs to be defined to know which rules to exclude globally vs suppress per function. Would also need to decide search-path to test against. Src is published code and most important. |
fflaten
changed the title
|
Had some fun with this today to see how it could integrate in current azure pipeline since that was preferred. @nohwnd: Any issue with installing https://marketplace.visualstudio.com/items?itemName=sariftools.scans in devops org? If not, then we can run the PSSA-result through ConvertToSARIF + a few modifications and get this report with links directly to source (links only say filename though): Not as fancy (and currently noisy) as github code analysis (below): |
|
I don't see any problem installing it. I also don't see any problem having Github action that would build just to get the analyzer warnings into the output. Might be even easier to remove it later / disable it if it is too overwhelming. AzDo is used here primarily because I can deploy hosted agents that run older versions of powershell. But this task we probably want to run just against ps7, because otherwise we get multiple copies of every warning. |
|
I got both working and don't really have a preference tbh. AzDo integration is more silent/hidden and only there if you want to look at it. The github action workflow would be more in your face. Both in PRs (that's probably a good thing), but also by showing the new 174 security alerts in the repo 😄 If the security alerts didn't scare you, I can submit a PR for github first and should it be a problem then we can move it later. |
|
How many of those alerts are about a variable being unused because it is in defined in BeforeAll, and used in It? :) Or in other words, how much unnecessary pollution we will have to add to the code to drive the alerts to 0, vs how many actual issues it found? (Rough counts of course, is it 50:50, or better?). |
|
No unused variables, but 26 unused parameters. Only scanning src so no noise from tests (unlike vscode). There are "77 *-Objects cmdlets used" (custom rule due to being slow) and 30 plural nouns in function names. Could easily disable some rules if we don't care. |
|
Current state: |
|
These look like good violations to fix, please go ahead and PR the github pipeline 👍 |
Did it two days ago 😁 |
|
You are too fast 😁 |
1. General summary of the issue
Running PSScriptAnalyzer against the repo throws the following warnings.
2. Describe Your Environment
3. Expected Behavior
4.Current Behavior
5. Possible Solution
PSScriptAnalyzer and other tools can be added to the project and builds to improve code quality and protect main branch.
Warnings can be shown yet continue to allow build by using limited exclusions, until they are resolved and can then be used as build breakers.
https://github.com/PowerShell/PSScriptAnalyzer
6. Context
The text was updated successfully, but these errors were encountered: