Add SARIF support #40
Conversation
|
|
|
SARIF format need to have a description of the rule (beside the message that is very specific the the error found which we already have now), I can see in each rule it do have this info but in the comments. let me know if that sounds good?
the above example is not a good example, the message do not have any extra data so it looks like it can be directly used as description as well, but we have rules like this: the rule description we are looking for, is static for a rule. In reply to: 1078242810 |
I have done making this change and updated the PR. fyi the new data will be visible in SARIF viewer UI like below: In reply to: 1082556441 |
| @@ -180,9 +180,8 @@ def report(problems) | |||
| print_github_annotation(message) if configuration.github_actions | |||
| end | |||
| end | |||
| puts JSON.pretty_generate(json) if configuration.json | |||
There was a problem hiding this comment.
This could affect usage via Rake. I don't know if people do this, but there are effectively 2 entry points: the bin file which you already found and Rake:
https://github.com/puppetlabs/puppet-lint/blob/020143b705b023946739eb44e7c7d99fcd087527/lib/puppet-lint/tasks/puppet-lint.rb#L88-L107=
There was a problem hiding this comment.
thanks for all the inputs! I will set the PR as draft for now and look into them.
There was a problem hiding this comment.
I have followed this instruction:
https://github.com/puppetlabs/puppet-lint/blob/master/README.md#testing-with-puppet-lint-as-a-rake-task
then running rake lint seems not having issue and output result normally.
I think running in rake currently only have normal
output does not support json option in the configuration, so the line highlighted will not be run in rake lint command, so should be good.
lib/puppet-lint/bin.rb
Outdated
| report_sarif(all_problems, full_base_path, full_base_path_uri) if PuppetLint.configuration.sarif | ||
|
|
||
| if PuppetLint.configuration.json |
There was a problem hiding this comment.
Should these 2 be mutually exclusive? Either JSON or sarif?
There was a problem hiding this comment.
they should be mutually exclusive, added the if else.
lib/puppet-lint/bin.rb
Outdated
| problems.each do |problem| | ||
| [:description, :help_uri].each { |key| problem.delete(key) } | ||
| end |
There was a problem hiding this comment.
There's also delete_if which is probably cleaner. Or you could be explicit and use Hash.slice and select the entries that are relevant.
There was a problem hiding this comment.
yes, changed to use delete_if
This reverts commit 427333f.
In reply to: 930112225 |
There was a problem hiding this comment.
I think my concerns have been addressed. However, I'm not a maintainer on this repository.
@binford2k you may want to give some visibility on this. It could be interesting for developers.
.github/workflows/scan.yml
Outdated
|
|
||
| security: | ||
|
|
||
| strategy: |
There was a problem hiding this comment.
It feels odd to have a matrix here if there's just a single entry. Is that really needed?
There was a problem hiding this comment.
Matrix is not needed, I have removed it.
.github/workflows/scan.yml
Outdated
| @@ -0,0 +1,39 @@ | |||
| name: puppet-lint scan | |||
There was a problem hiding this comment.
This is an interesting thing. Do you have an example of where this ran so I can see the resulting report?
There was a problem hiding this comment.
This is just a sample (or sometimes called a starter workflow) that the user of the puppet-lint can add to their own repo, after we got all things done. User can use it to scan their repo and get code scanning alerts of the .pp files in their repo.
GitHub support this and the format used is SARIF format.
this is a run in my fork as example: (it is not intended to run against the puppet-lint repo itself, but the user's repo)
https://github.com/shaopeng-gh/puppet-lint/security/code-scanning
for people don't have permission:
| elsif PuppetLint.configuration.json | ||
| all_problems.each do |problems| | ||
| problems.each do |problem| | ||
| problem.delete_if { |key, _| [:description, :help_uri].include?(key) } |
There was a problem hiding this comment.
I'm not sure the description must be excluded. The help URI also doesn't hurt IMHO. Perhaps a maintainer can weigh in on that.
There was a problem hiding this comment.
Perhaps a maintainer can weigh in on that. ---- yes the only reason for this code block is I am trying to maintain the same JSON output as before, maintainer can advise if also want these 2 new properties in JSON and let me know to change accordingly.
|
At this point I think this looks good, but someone who actually has access on this module needs to step in and do a review. I can't even approve CI to run. |
|
@binford2k Can I nominate @ekohl for trusted contributor access to this repo? :) |
|
I've kicked off the CI run 👍 |
|
Thanks for looking and triggering the CI! let me know. (The plan is after the support for SARIF output is added to the tool, I will work on creating a starter workflow in the GitHub code scanner starter workflow repo to make it available as a GitHub code scanner. I have added more information in the description of this PR at the top. ) |
|
@shaopeng-gh This looks fine and it looks like you have addressed all of the comments from @ekohl. My only question is do we need the scan.yml in this repo? If it is an example, would it be better to include in in the README? Thanks! |
|
@chelnak your are correct, I have removed this file form the pr. It is just an example I will be submitting it to GitHub code scanner starter workflow repo, and user will be able to use it. |
|
Thanks, let me know if can be merged. |
|
A gentle ping, after this is merged and a new version created I will work on the GitHub code scanner starter workflow. Thanks! |
|
@shaopeng-gh Thanks for putting in the work :) |
|
@shaopeng-gh I'm really looking forward to seeing what happens with this. Thank you 🙏 |
|
@chelnak |
Add support for output in SARIF format.
Hello! We are interested in adding support for output in the open-standard SARIF format to puppet-lint. SARIF support is required to integrate it in GitHub code scanning. Doing so would make it available to every repo in GitHub and could result in increase in user base.
More about SARIF here:
What is SARIF?
Why SARIF?
After the support for SARIF output is added to the tool and published a new version, we will work on creating a starter workflow to make it available as a GitHub code scanner.