Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow nominator for CI checks on banned calls #143

Merged
merged 2 commits into from
Nov 18, 2020
Merged

Allow nominator for CI checks on banned calls #143

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
5491ad7
Allow nominator for CI checks on banned calls
Nov 17, 2020
765d90b
Update tests/nopanic.ci
lukehinds Nov 18, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 12 additions & 10 deletions tests/nopanic.ci
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
#!/usr/bin/env python3

'''
To prevent CI failing for approved instance of banned words, add a comment: #[allow_ci]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, the more I think about it, it may be more readable to call this something like #[allow_panic].

'''

import os

banned = ["unwrap(", "panic!("]
Expand All @@ -9,14 +13,12 @@ print("Files to check: %s" % srcs)

failed = False
for f in srcs:
print("Checking file %s" % f)
contents = open("src/%s" % f, "r").read().split("#[cfg(test)]")[0]
for b in banned:
if b not in contents:
continue

failed = True
print("File %s calls banned function: %s)" % (f, b))
pass

with open("src/" + f) as src_file:
for line_no, line in enumerate(src_file):
for b in banned:
if b not in line or "#[allow_ci]" in line:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this would need to check for #[allow_ci] in the previous line, unless I am misreading this.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, this seems to work well:

https://github.com/keylime/rust-keylime/runs/1413393155?check_suite_focus=true

The previous line is just to go over the banned dict , I think this could likely be optimized a bit better using regexp, but we don't need to worry about performance too much

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it looks like it was not even working before (it was allowing a load of unwraps).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, yeah, that's a lot of unwraps - it's good to have this as an improvement.

I am seeing the line numbers reported as one off from where the unwrap() is called, though, ex. File crypto.rs on line number 200 calls banned function: unwrap() while I see the unwrap() on 201: https://github.com/keylime/rust-keylime/blob/master/src/crypto.rs#L201. Not a big deal but easy to change.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My concern is more about the #[allow_ci] being placed on the previous line from panic! or unwrap() - would that be caught here?

Copy link
Member Author

@lukehinds lukehinds Nov 18, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see now, so I planned to have it on the same line as the instance of panic! / unwrap. This is how we do it on the bandit project

https://github.com/PyCQA/bandit/blob/9b4cf91e51b2cea6754bbb80f85bf968c92d4201/doc/source/config.rst#suppressing-individual-lines

key.unwrap() #[allow_ci]

Here is an example of it working:

image

(Note, this is before you're change to increment the line by +1 so it records the correct line number).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, this makes much more sense now. Thanks for the clarification!

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no worries. what you would you like to do around the naming convention? I went with allow_ci rather than a mention of panics (as it also covers unwraps as well)? I am open to suggestions here.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think allow_ci is fine for now; if we end up allowing more types of banned calls, we may want to differentiate later. Alternatively allow_banned is possibly a little more descriptive.

continue
failed = True
print("File %s on line number %s calls banned function: %s)" % (f, line_no + 1, b))
pass
exit(failed)