literal-compare: false positive inside strings - conflict with bash code

[ssbarnea]

Simple example that replicates the bug

    - shell:
        cmd: |
              if [ $FOO != false ]; then

It seems that the linter is looking for this piece of code without even knowing if that is a string or a value evaluated by ansible.

This bug makes the entire E601 rule something to add to the skip_list.

[awcrosby]

Since the rule description specifically calls out the use of True/False in when, it might be best to limit this rule 601 (and 602) to check only the when clause instead of all lines as it currently does.

[ssbarnea]

The issue seems to become even worse, another false positive found at https://github.com/kubernetes-sigs/kubespray/blob/a5edd0d709f28507635771cefae43790f4265f20/roles/kubernetes-apps/network_plugin/kube-router/tasks/main.yml#L15 and for this one I have no idea about how to avoid it.

[direvus]

Agreed @awcrosby, the rule should only be evaluated against Jinja2 expressions. I just got hit by this bug on the following task:

- name: "PRELIM | Gather accounts with empty password fields"
  shell: |
    set -o pipefail
    cat /etc/shadow | awk -F: '($2 == "") {j++;print $1;} END {exit j}'
  args:
    executable: bash
  register: empty_password_accounts
  changed_when: false
  check_mode: false

ansible-lint, suddenly developing strong opinions about AWK programs, had this to say:

[602] Don't compare to empty string
roles/RHEL7-CIS/tasks/prelim.yml:13
    cat /etc/shadow | awk -F: '($2 == "") {j++;print $1;} END {exit j}'

Go home, ansible-lint, you're drunk.

There's no way rules 601 or 602 should be inspecting the interior of shell or command free-form argument, unless they are able to correctly distinguish Jinja2 expressions from shell code. I can appreciate there is probably a lot of overhead in parsing out the Jinja2 to check this, so I would be supportive of limiting these rules to examine the when clause only.

@ssbarnea are you able to add E602 to the issue title?

[isuftin]

Seeing similar:

- name: Find empty password fields in /etc/shadow
  shell: 'awk -F: ''($2 == "" ) { print $1 }'' /etc/shadow'
  register: empty_password_fields
  changed_when: empty_password_fields.stdout_lines | length > 0