-
Notifications
You must be signed in to change notification settings - Fork 578
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add opaque rule id for Sarif log #1434
base: master
Are you sure you want to change the base?
Add opaque rule id for Sarif log #1434
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I understand the motivation to set ruleId
explicitly in the XML, however, we need to consider how to support plugins.
Do we need to enforce them to add ruleId
attribute? If so, we need to ask each plugin owner to update.
for reference: SpotBugs has a plugin mechanism, and we have several famous plugins like find-sec-bugs and fb-contrib. Ideally it's better to keep API backward compatible.
String longDescription, String detailText, String bugsUrl, int cweid) { | ||
|
||
this.ruleId = ruleId; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we ask plugins to provide ruleId
attribute certainly, it's better to check null-ness of given value and throw a NullPointerException
with a user-friendly message. Also it's better to annotate the parameter with @NonNull
(even though other existing parameters aren't annotated so :<).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@KengoTODA thank you for pointing out the plugin mechanism, you are right we should keep it backward compatible.
in case plugin doesn't pass rule id we can use the BugPattern type as rule id, which is currently used as rule id. and provide new API interface so plugin owners can add the opaque rule id in future.
@michaelcfanning @eddynaka what do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks.
If we need to follow the definition of 'stable value' and cannot make this attribute optional, it is also possible to release a major version to break compatibility. Of course we need to help plugin authors to migrate, though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ideally, we would break plug-in authors on update so that the opportunity to provide a valid opaque id is very obvious, but also provide a very easy way to fall back to the legacy rule id if they can't stop to make a fix. @yongyan-gh, please go read the SARIF spec on the deprecatedIds
property for SARIF reportingDescriptor
objects. If we are emitting the rules
table to Spotbugs SARIF, this data can be populated. If we do not emit this data, obviously, we can't persist the deprecated ids. Doing this is not a high priority, as I doubt there are SARIF readers out there who consume this information, though. :) People worried about compatibility will just consult the readable name, which maps to the old rule id value.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@KengoTODA in latest change we added an overload constructor to wrap the new constructor and marked with deprecated annotation.
In this way it wont break existing plugins. Plugins call deprecated constructor will get a warning to use new constructor and provide opaque rule id.
Please let me know what do you think?
The broken build has been fixed in the |
@@ -36,6 +37,8 @@ | |||
* @see BugInstance | |||
*/ | |||
public class BugPattern implements Comparable<BugPattern> { | |||
final private String ruleId; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider to add a documentation comment, especially a @see
tag with an anchor tag to http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html#def_rule_id
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added.
@@ -928,6 +928,7 @@ private void loadPluginComponents() | |||
// Create BugPatterns | |||
List<Node> bugPatternNodeList = XMLUtil.selectNodes(pluginDescriptor, "/FindbugsPlugin/BugPattern"); | |||
for (Node bugPatternNode : bugPatternNodeList) { | |||
String ruleId = bugPatternNode.valueOf("@ruleId"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This ruleId
can be an empty string, right? Then I think here we need a consideration for (old) plugins.
Consider to test your implementation with a plugin. You can create distributed files by ./gradlew assemble
. Unpack the generated .tar or .zip and run it in your local.
I suggest you to use find-sec-bugs to run with, but if you need a small project for faster build, you may try findbugs-slf4j instead. It's also possible to create a plugin project by your own.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see the plugins don't init BugPattern class by themselves. Is there anyway to not break current plugins but can remind them to use opaque rule id?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am able to compile and run SpotBugs to anaylze .jar file. But I am not sure how to include other plugins into SpotBugs binaries.
With latest change if ruleId is not provided it will use type as rule id to avoid break plugins.
I tested it locally by removing ruleId of some BugPatterns in FindBugs.xml. In the output Sarif log rule id is set to type as expected.
Fix format violation.
@yongyan-gh sorry but please resolve conflicts later. |
@KengoTODA no problem, merged changes from remote and resolved the conflicts. |
Sorry but again we have a conflict, please merge the latest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry but again we have a conflict, please merge the latest
origin/master
to your topic branch and resolve it.
You also need to updateCHANGELOG.md
to move your changes under## Unreleased
. 🙇
Resolved & merged, updated the change log.
1 thing we can also improve for the opaque rule id: we may divide the ids into couple segments based on bug pattern/rule category etc. so that each segment has spare ids can be assigned to new bug patterns/rules in the future, and don't need to change existing id.
<BugPattern abbrev="TLW" type="TLW_TWO_LOCK_WAIT" category="MT_CORRECTNESS"/> | ||
<BugPattern abbrev="TLW" type="TLW_TWO_LOCK_NOTIFY" category="MT_CORRECTNESS" | ||
deprecated="true" experimental="true"/> | ||
<BugPattern ruleId="SPOT1001" abbrev="JUA" type="JUA_DONT_ASSERT_INSTANCEOF_IN_TESTS" category="BAD_PRACTICE" experimental="true" /> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@KengoTODA can you pls advise a proper opaque rule id here since you are one of tool owner?
We have seen the some rule id naming conversions that starts with language name plus numbers:
e.g. C6001, VB7001, CS8001 etc.
or tool name abbv plus numbers:
e.g. FF1001 (Flawfinder)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@KengoTODA any thought about the rule id format?
@@ -928,6 +928,7 @@ private void loadPluginComponents() | |||
// Create BugPatterns | |||
List<Node> bugPatternNodeList = XMLUtil.selectNodes(pluginDescriptor, "/FindbugsPlugin/BugPattern"); | |||
for (Node bugPatternNode : bugPatternNodeList) { | |||
String ruleId = bugPatternNode.valueOf("@ruleId"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see the plugins don't init BugPattern class by themselves. Is there anyway to not break current plugins but can remind them to use opaque rule id?
@@ -36,6 +37,8 @@ | |||
* @see BugInstance | |||
*/ | |||
public class BugPattern implements Comparable<BugPattern> { | |||
final private String ruleId; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added.
@@ -928,6 +928,7 @@ private void loadPluginComponents() | |||
// Create BugPatterns | |||
List<Node> bugPatternNodeList = XMLUtil.selectNodes(pluginDescriptor, "/FindbugsPlugin/BugPattern"); | |||
for (Node bugPatternNode : bugPatternNodeList) { | |||
String ruleId = bugPatternNode.valueOf("@ruleId"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am able to compile and run SpotBugs to anaylze .jar file. But I am not sure how to include other plugins into SpotBugs binaries.
With latest change if ruleId is not provided it will use type as rule id to avoid break plugins.
I tested it locally by removing ruleId of some BugPatterns in FindBugs.xml. In the output Sarif log rule id is set to type as expected.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @yongyan-gh sorry I did not notice that this PR got updated.
I've checked DIFF and changes are LGTM. However, it surely brings a new requirement to plugin, then we need to be accountable and provide enough guides for users. For example, I will list what I can imagine to provide:
- Explain why
type
is not enough stable (so we need a new attribute,ruleId
) - Guide how to design
ruleId
to make it stable and avoid conflict with anotherruleId
associated by other analysis tools - System to confirm that a specific ruleId is not conflict with others
2 and 3 aren't limited to SpotBugs, so it's OK to have document in SARIF web site or other places.
And one more request, add a unit test which verifies that we have no conflict (duplicated value) ruleId
in findbugs.xml
. It will help our project maintenance in future.
To be honest, I'm not so positive for this change. Generally format is not the concern of the rules. When the context of format is visible for rules, it's usually a sign of bad architecture, I believe.
Related to issue #1427
Attached Sarif log generated before/after this change. Please review.
newSarifLog.zip