Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

first semgrep sarif codemod for jinja autoescape #687

Merged
merged 5 commits into from
Jul 4, 2024
Merged

first semgrep sarif codemod for jinja autoescape #687

merged 5 commits into from
Jul 4, 2024

Conversation

clavedeluna
Copy link
Contributor

Overview

Add support for OSS semgrep codemod for jinja2 autoescape, along with the necessary code to support semgrep codemods in general

Closes #677

@clavedeluna clavedeluna marked this pull request as ready for review July 1, 2024 20:53
drdavella
drdavella requested changes Jul 2, 2024
View reviewed changes
Copy link
Member

@drdavella drdavella left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, only substantive comment is about the codemod ID.

src/codemodder/codemods/semgrep.py Outdated Show resolved Hide resolved
src/core_codemods/semgrep/semgrep_enable_jinja2_autoescape.py
from core_codemods.semgrep.api import SemgrepCodemod

SemgrepEnableJinja2Autoescape = SemgrepCodemod.from_core_codemod(
name="enable-jinja2-autoescape-semgrep",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we need semgrep in the codemod name since its encoded by the origin.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you're right! Since now only core codemods can be requested by name. The Sonar ones have the id in the name which hinted at that when I wrote this.

drdavella
drdavella reviewed Jul 2, 2024
View reviewed changes
Copy link
Member

@drdavella drdavella left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@clavedeluna I think the new test failure is real since it's asserting on the previous name 😅

@clavedeluna
Copy link
Contributor Author

clavedeluna commented Jul 2, 2024
edited
Loading

@drdavella latest failure actually reminds us that unique codemod names are at least important in docs generation...so need to see how to update that given two same keys

nvm fixed

@clavedeluna
Copy link
Contributor Author

clavedeluna commented Jul 3, 2024
edited
Loading

@drdavella sorry for the churn here, this is the first time we have a codemod with the same name as another so it's causing more test failure and questions than I expected. The latest failure suggests something new, which is that we can't register a codemod with the same name as another here. It just gets skipped. We have two options here

  1. self._codemods_by_name should only ever be used for pixee codemods.
  2. fully deprecate self._codemods_by_name and only use self._codemods_by_id everywhere

Both are easy enough changes I can do it here. LMK what you think works best in terms of customer usability / backward compat. I personally would just go for #2 and nuke the idea of codemod name if we can, to avoid future confusion.

edit: I guess another option just to get this PR thru is to just add -semgrep again to the name and then ticket this for later.

@drdavella
Copy link
Member

@clavedeluna I like solution #1 for the short term if it gets us over the hump for this PR. I think we were implicitly doing that anyway (or at least that was my personal assumption). #2 might not be a bad idea to ticket for the longer term.

@clavedeluna
Copy link
Contributor Author

offline we've agreed to just add -semgrep to the name and work on the options mentioned above in a separate ticket

@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Jul 3, 2024

Quality Gate Passed Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@clavedeluna
Copy link
Contributor Author

See #697

@clavedeluna clavedeluna added this pull request to the merge queue Jul 4, 2024
Merged via the queue into main with commit 592cb9c Jul 4, 2024
13 checks passed
@clavedeluna clavedeluna deleted the semgrep-jinja branch July 4, 2024 11:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@drdavella drdavella drdavella approved these changes

@andrecsilva andrecsilva