Add opaque rule id for Sarif log #1434
Conversation
There was a problem hiding this comment.
I understand the motivation to set ruleId explicitly in the XML, however, we need to consider how to support plugins.
Do we need to enforce them to add ruleId attribute? If so, we need to ask each plugin owner to update.
for reference: SpotBugs has a plugin mechanism, and we have several famous plugins like find-sec-bugs and fb-contrib. Ideally it's better to keep API backward compatible.
| String longDescription, String detailText, String bugsUrl, int cweid) { | ||
|
|
||
| this.ruleId = ruleId; |
There was a problem hiding this comment.
If we ask plugins to provide ruleId attribute certainly, it's better to check null-ness of given value and throw a NullPointerException with a user-friendly message. Also it's better to annotate the parameter with @NonNull (even though other existing parameters aren't annotated so :<).
There was a problem hiding this comment.
@KengoTODA thank you for pointing out the plugin mechanism, you are right we should keep it backward compatible.
in case plugin doesn't pass rule id we can use the BugPattern type as rule id, which is currently used as rule id. and provide new API interface so plugin owners can add the opaque rule id in future.
@michaelcfanning @eddynaka what do you think?
There was a problem hiding this comment.
Thanks.
If we need to follow the definition of 'stable value' and cannot make this attribute optional, it is also possible to release a major version to break compatibility. Of course we need to help plugin authors to migrate, though.
There was a problem hiding this comment.
Ideally, we would break plug-in authors on update so that the opportunity to provide a valid opaque id is very obvious, but also provide a very easy way to fall back to the legacy rule id if they can't stop to make a fix. @yongyan-gh, please go read the SARIF spec on the deprecatedIds property for SARIF reportingDescriptor objects. If we are emitting the rules table to Spotbugs SARIF, this data can be populated. If we do not emit this data, obviously, we can't persist the deprecated ids. Doing this is not a high priority, as I doubt there are SARIF readers out there who consume this information, though. :) People worried about compatibility will just consult the readable name, which maps to the old rule id value.
There was a problem hiding this comment.
@KengoTODA in latest change we added an overload constructor to wrap the new constructor and marked with deprecated annotation.
In this way it wont break existing plugins. Plugins call deprecated constructor will get a warning to use new constructor and provide opaque rule id.
Please let me know what do you think?
|
The broken build has been fixed in the |
| @@ -36,6 +37,8 @@ | |||
| * @see BugInstance | |||
| */ | |||
| public class BugPattern implements Comparable<BugPattern> { | |||
| final private String ruleId; | |||
There was a problem hiding this comment.
Consider to add a documentation comment, especially a @see tag with an anchor tag to http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html#def_rule_id
| @@ -928,6 +928,7 @@ private void loadPluginComponents() | |||
| // Create BugPatterns | |||
| List<Node> bugPatternNodeList = XMLUtil.selectNodes(pluginDescriptor, "/FindbugsPlugin/BugPattern"); | |||
| for (Node bugPatternNode : bugPatternNodeList) { | |||
| String ruleId = bugPatternNode.valueOf("@ruleId"); | |||
There was a problem hiding this comment.
This ruleId can be an empty string, right? Then I think here we need a consideration for (old) plugins.
Consider to test your implementation with a plugin. You can create distributed files by ./gradlew assemble. Unpack the generated .tar or .zip and run it in your local.
I suggest you to use find-sec-bugs to run with, but if you need a small project for faster build, you may try findbugs-slf4j instead. It's also possible to create a plugin project by your own.
There was a problem hiding this comment.
I see the plugins don't init BugPattern class by themselves. Is there anyway to not break current plugins but can remind them to use opaque rule id?
There was a problem hiding this comment.
I am able to compile and run SpotBugs to anaylze .jar file. But I am not sure how to include other plugins into SpotBugs binaries.
With latest change if ruleId is not provided it will use type as rule id to avoid break plugins.
I tested it locally by removing ruleId of some BugPatterns in FindBugs.xml. In the output Sarif log rule id is set to type as expected.
Fix format violation.
|
@yongyan-gh sorry but please resolve conflicts later. |
|
@KengoTODA no problem, merged changes from remote and resolved the conflicts. |
|
Sorry but again we have a conflict, please merge the latest |
There was a problem hiding this comment.
Sorry but again we have a conflict, please merge the latest
origin/masterto your topic branch and resolve it.
You also need to updateCHANGELOG.mdto move your changes under## Unreleased. 🙇
Resolved & merged, updated the change log.
1 thing we can also improve for the opaque rule id: we may divide the ids into couple segments based on bug pattern/rule category etc. so that each segment has spare ids can be assigned to new bug patterns/rules in the future, and don't need to change existing id.
| <BugPattern abbrev="TLW" type="TLW_TWO_LOCK_WAIT" category="MT_CORRECTNESS"/> | ||
| <BugPattern abbrev="TLW" type="TLW_TWO_LOCK_NOTIFY" category="MT_CORRECTNESS" | ||
| deprecated="true" experimental="true"/> | ||
| <BugPattern ruleId="SPOT1001" abbrev="JUA" type="JUA_DONT_ASSERT_INSTANCEOF_IN_TESTS" category="BAD_PRACTICE" experimental="true" /> |
There was a problem hiding this comment.
@KengoTODA can you pls advise a proper opaque rule id here since you are one of tool owner?
We have seen the some rule id naming conversions that starts with language name plus numbers:
e.g. C6001, VB7001, CS8001 etc.
or tool name abbv plus numbers:
e.g. FF1001 (Flawfinder)
There was a problem hiding this comment.
@KengoTODA any thought about the rule id format?
| @@ -928,6 +928,7 @@ private void loadPluginComponents() | |||
| // Create BugPatterns | |||
| List<Node> bugPatternNodeList = XMLUtil.selectNodes(pluginDescriptor, "/FindbugsPlugin/BugPattern"); | |||
| for (Node bugPatternNode : bugPatternNodeList) { | |||
| String ruleId = bugPatternNode.valueOf("@ruleId"); | |||
There was a problem hiding this comment.
I see the plugins don't init BugPattern class by themselves. Is there anyway to not break current plugins but can remind them to use opaque rule id?
| @@ -36,6 +37,8 @@ | |||
| * @see BugInstance | |||
| */ | |||
| public class BugPattern implements Comparable<BugPattern> { | |||
| final private String ruleId; | |||
| @@ -928,6 +928,7 @@ private void loadPluginComponents() | |||
| // Create BugPatterns | |||
| List<Node> bugPatternNodeList = XMLUtil.selectNodes(pluginDescriptor, "/FindbugsPlugin/BugPattern"); | |||
| for (Node bugPatternNode : bugPatternNodeList) { | |||
| String ruleId = bugPatternNode.valueOf("@ruleId"); | |||
There was a problem hiding this comment.
I am able to compile and run SpotBugs to anaylze .jar file. But I am not sure how to include other plugins into SpotBugs binaries.
With latest change if ruleId is not provided it will use type as rule id to avoid break plugins.
I tested it locally by removing ruleId of some BugPatterns in FindBugs.xml. In the output Sarif log rule id is set to type as expected.
There was a problem hiding this comment.
Hi @yongyan-gh sorry I did not notice that this PR got updated.
I've checked DIFF and changes are LGTM. However, it surely brings a new requirement to plugin, then we need to be accountable and provide enough guides for users. For example, I will list what I can imagine to provide:
- Explain why
typeis not enough stable (so we need a new attribute,ruleId) - Guide how to design
ruleIdto make it stable and avoid conflict with anotherruleIdassociated by other analysis tools - System to confirm that a specific ruleId is not conflict with others
2 and 3 aren't limited to SpotBugs, so it's OK to have document in SARIF web site or other places.
And one more request, add a unit test which verifies that we have no conflict (duplicated value) ruleId in findbugs.xml. It will help our project maintenance in future.
To be honest, I'm not so positive for this change. Generally format is not the concern of the rules. When the context of format is visible for rules, it's usually a sign of bad architecture, I believe.
Related to issue #1427
Attached Sarif log generated before/after this change. Please review.
newSarifLog.zip