Skip to content

Commit

Permalink
reviewdog: upgrade from grep based to fnmatch based, add per-repo set…
Browse files Browse the repository at this point in the history
…ting

Signed-off-by: Andrea Brancaleoni <abc@pompel.me>
  • Loading branch information
thypon committed Mar 19, 2024
1 parent 27836d2 commit 03f6424
Show file tree
Hide file tree
Showing 3 changed files with 47 additions and 8 deletions.
1 change: 1 addition & 0 deletions Gemfile.lock
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ GEM

PLATFORMS
arm64-darwin-22
arm64-darwin-23
x86_64-linux

DEPENDENCIES
Expand Down
49 changes: 45 additions & 4 deletions assets/cleaner.rb
Original file line number Diff line number Diff line change
@@ -1,20 +1,61 @@
#!/usr/bin/env ruby
require 'optparse'

options = {}
DEFAULT_MATCHER_FILENAME = ".github/security-action-blocklist.txt"

class Matcher
def initialize(*blocklist_files)
@blocklist = []
blocklist_files.each do |blf|
next unless File.exist?(blf)

blocklist = File.read(blf).split("\n")
# remove empty lines and comments
blocklist.reject! { |r| r.empty? || r.start_with?('#') }

# remove all matching lines and report
blocklist.reject! do |r|
ret = r =~ /^[*@]+$/
STDERR.puts "Warning: #{blf} contains a line with only asterisks/at, which will match everything" if ret
ret
end

@blocklist += blocklist
end
@blocklist = File.read(options[:blocklist_file]).split("\n")
end

def match?(line)
@blocklist.each do |r|
return true if File.fnmatch?("*#{r}*", line)
end
false
end
end

options = {
matcher: Matcher.new(DEFAULT_MATCHER_FILENAME)
}
OptionParser.new do |opts|
opts.banner = "Usage: reviewdog-adapter.rb [options]"

opts.on("--svgo", "Add SVGO String") do |v|
options[:svgo] = true
options[:matcher] = Matcher.new(DEFAULT_MATCHER_FILENAME, "#{ENV["SCRIPTPATH"]}/dtd/blocklist.txt")
end

opts.on("--assignees", "Add SVGO String") do |v|
opts.on("--assignees", "Add Assignees String") do |v|
options[:assignees] = true
end

opts.on("--sveltegrep", "Remove Extracted Script Extension") do |v|
opts.on("--sveltegrep", "Remove Extracted Script Extension, and use semgrep blocklist") do |v|
options[:sveltegrep] = true
options[:matcher] = Matcher.new(DEFAULT_MATCHER_FILENAME, "#{ENV["SCRIPTPATH"]}/semgrep_rules/blocklist.txt")
end

opts.on("--semgrep", "Use semgrep blocklist") do |v|
options[:semgrep] = true
options[:matcher] = Matcher.new(DEFAULT_MATCHER_FILENAME, "#{ENV["SCRIPTPATH"]}/semgrep_rules/blocklist.txt")
end
end.parse!

Expand All @@ -39,5 +80,5 @@
l.gsub!(/$/, "<br>Cc #{ENV['ASSIGNEES']}")
end

puts l
puts l unless options[:matcher].match?(l)
end
5 changes: 1 addition & 4 deletions assets/reviewdog/reviewdog.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,8 +14,7 @@ runner:
$([ -n "${GITHUB_BASE_REF+set}" ] && echo "--baseline-commit origin/${GITHUB_BASE_REF:-main}") \
--json \
| jq -r '.results[] | "\(.extra.severity[0:1]):\(.path):\(.end.line) \(.extra.message | sub("\n";"<br/>";"g"))<br><br>Source: \(.extra.metadata.source)<br><br>,\(if .extra.metadata.assignees then .extra.metadata.assignees else "null" end | sub("\n";" ";"g"))"' \
| grep -f $SCRIPTPATH/semgrep_rules/blocklist.txt -v \
| $SCRIPTPATH/cleaner.rb --assignees) 2> reviewdog.semgrep.stderr.log
| $SCRIPTPATH/cleaner.rb --semgrep --assignees) 2> reviewdog.semgrep.stderr.log
errorformat:
- "%t:%f:%l %m"
sveltegrep:
Expand Down Expand Up @@ -46,7 +45,6 @@ runner:
'--include=*.extractedscript.html' \
./ \
| jq -r '.results[] | "\(.extra.severity[0:1]):\(.path):\(.end.line) \(.extra.message | sub("\n";"<br/>";"g"))<br><br>Source: \(.extra.metadata.source)<br><br>,\(if .extra.metadata.assignees then .extra.metadata.assignees else "null" end | sub("\n";" ";"g"))"' \
| grep -f $SCRIPTPATH/semgrep_rules/blocklist.txt -v \
| $SCRIPTPATH/cleaner.rb --assignees --sveltegrep && \
find . -type f -name '*.extractedscript.*' -delete) 2> reviewdog.sveltegrep.stderr.log
errorformat:
Expand All @@ -56,7 +54,6 @@ runner:
cmd: |
set -e
(xargs -0 -n1 -a $SCRIPTPATH/all_changed_files.txt $SCRIPTPATH/xmllint.sh \
| egrep -f $SCRIPTPATH/dtd/blocklist.txt -v \
| $SCRIPTPATH/cleaner.rb --svgo) 2> reviewdog.safesvg.stderr.log
errorformat:
- "%f:%l: %m"
Expand Down

0 comments on commit 03f6424

Please sign in to comment.