fix(cli): execute YAML pattern analyzers during analysis#231
Merged
RunCheckers loaded built-in and custom YAML pattern checkers into a patternCheckers map but never passed them to analysis.RunAnalyzers, so no YAML-defined rule ever produced a finding. Only Go-based analyzers were being executed end-to-end. Flatten patternCheckers into a slice of *Analyzer and run them through the same path used for Go analyzers. Preserve Severity and Category on the resulting issues by looking up the originating analyzer by name. Add a regression test that exercises RunCheckers with a custom YAML checker and asserts a finding is produced.
Problem

`RunCheckers` in `pkg/cli/cli.go` loads built-in and custom YAML pattern checkers into a `patternCheckers` map, but the map is never passed to `analysis.RunAnalyzers`. Only Go-based analyzers (from `LoadGoCheckers()` and the custom Go stub) are executed end-to-end.

The result: every YAML-defined rule — whether built-in under `checkers/**/*.yml` or custom under `.globstar/*.yml` — silently produces zero findings. This is the follow-up bug noted in #230: after that PR fixed the YAML loader, loaded checkers still weren't reaching the analyzer runtime.

Reproduced against master with a trivial custom YAML rule and matching Go fixture: 0 issues reported. Same symptom for built-in YAML rules (e.g. `go_des_weak_crypto`) against obviously-violating source.

Fix

After the Go analyzer pass, flatten `patternCheckers` into `[]*analysis.Analyzer` and call `analysis.RunAnalyzers` with the same file filter used for Go analyzers. Preserve `Severity`/`Category` on the resulting issues by looking up the originating analyzer by name (the runtime populates `Issue.Id` from `Analyzer.Name` but does not copy severity/category).

Minimal change, no refactor — the `fileFilter` closure is hoisted once so both runs share it.

Tests

`TestRunCheckers_ExecutesCustomYamlCheckers` in `pkg/cli/cli_test.go` writes a YAML rule to a temp `.globstar`, writes a matching Go file, constructs a `Cli`, invokes `RunCheckers(false, true)`, and asserts a finding is produced. Verified this test fails on master (0 issues) and passes with the fix.

`go test ./...` — the two pre-existing failures (`checkers/go` has YAML test fixtures that confuse the Go toolchain, `checkers/discover/custom_analyzer_stub` is a template requiring generated symbols) are present on clean master and unrelated to this change.

`./globstar check --checkers=local` against a minimal custom rule: 1 issue reported, exit 1.

`./globstar check --checkers=builtin` against a `des.NewCipher` call: built-in `go_des_weak_crypto` fires correctly.
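The shape of the bug and of the fix, as an added illustration that is not the Globstar project's code: the `Analyzer`, `Issue`, `runAnalyzers`, `runCheckersBefore` and `runCheckersAfter` types and functions below are hypothetical stand-ins that mirror only what the description above names (a runtime that fills `Issue.Id` from `Analyzer.Name` and nothing else; a `patternCheckers` map, assumed here to be keyed by analyzer name, that is loaded but never run; a fix that hoists the file filter, flattens the map into a slice, runs it through the same path, and backfills `Severity`/`Category` by name lookup). The matching logic (a substring `Needle` per analyzer), the sample source, and the severity and category values are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Analyzer is a hypothetical stand-in for the analysis.Analyzer the PR describes.
// Needle is a constructed matching rule: one issue per source line containing it.
type Analyzer struct {
	Name     string
	Severity string
	Category string
	Needle   string
}

// Issue mirrors the fields the PR relies on. The runtime sets Id only.
type Issue struct {
	Id       string
	Severity string
	Category string
	Line     int
}

// runAnalyzers models analysis.RunAnalyzers as described: Issue.Id is copied
// from Analyzer.Name, but Severity and Category are left empty.
func runAnalyzers(analyzers []*Analyzer, path, src string, fileFilter func(string) bool) []Issue {
	var issues []Issue
	if !fileFilter(path) {
		return issues
	}
	for _, a := range analyzers {
		for i, line := range strings.Split(src, "\n") {
			if strings.Contains(line, a.Needle) {
				issues = append(issues, Issue{Id: a.Name, Line: i + 1})
			}
		}
	}
	return issues
}

// runCheckersBefore reproduces the defect: patternCheckers is loaded and then dropped.
func runCheckersBefore(goAnalyzers []*Analyzer, patternCheckers map[string]*Analyzer, path, src string) []Issue {
	fileFilter := func(p string) bool { return strings.HasSuffix(p, ".go") }
	issues := runAnalyzers(goAnalyzers, path, src, fileFilter)
	_ = patternCheckers // never passed to the runtime, so YAML rules yield nothing
	return issues
}

// runCheckersAfter applies the fix: one hoisted filter, the map flattened to a
// slice and run through the same path, then metadata restored by name lookup.
func runCheckersAfter(goAnalyzers []*Analyzer, patternCheckers map[string]*Analyzer, path, src string) []Issue {
	fileFilter := func(p string) bool { return strings.HasSuffix(p, ".go") }
	issues := runAnalyzers(goAnalyzers, path, src, fileFilter)

	patternAnalyzers := make([]*Analyzer, 0, len(patternCheckers))
	for _, a := range patternCheckers {
		patternAnalyzers = append(patternAnalyzers, a)
	}
	// Map iteration order is random in Go; sort so output is deterministic.
	sort.Slice(patternAnalyzers, func(i, j int) bool { return patternAnalyzers[i].Name < patternAnalyzers[j].Name })

	patternIssues := runAnalyzers(patternAnalyzers, path, src, fileFilter)

	// The runtime only set Id; recover the originating analyzer by that name.
	byName := make(map[string]*Analyzer, len(patternAnalyzers))
	for _, a := range patternAnalyzers {
		byName[a.Name] = a
	}
	for i := range patternIssues {
		if a, ok := byName[patternIssues[i].Id]; ok {
			patternIssues[i].Severity = a.Severity
			patternIssues[i].Category = a.Category
		}
	}
	return append(issues, patternIssues...)
}

// Constructed fixture: a Go file that calls des.NewCipher, as in the PR's manual check.
const sampleSrc = "package main\n\nimport \"crypto/des\"\n\nfunc main() {\n\t_, _ = des.NewCipher(make([]byte, 8))\n}\n"

// sampleGoAnalyzers returns one hypothetical Go-based analyzer.
func sampleGoAnalyzers() []*Analyzer {
	return []*Analyzer{{Name: "example_go_analyzer", Severity: "info", Category: "style", Needle: "package main"}}
}

// samplePatternCheckers returns a map keyed by name (an assumption) holding a
// stand-in for the built-in go_des_weak_crypto rule; severity/category are constructed.
func samplePatternCheckers() map[string]*Analyzer {
	return map[string]*Analyzer{
		"go_des_weak_crypto": {Name: "go_des_weak_crypto", Severity: "warning", Category: "security", Needle: "des.NewCipher"},
	}
}

func main() {
	for _, is := range runCheckersAfter(sampleGoAnalyzers(), samplePatternCheckers(), "fixture.go", sampleSrc) {
		fmt.Printf("%s line %d severity=%q category=%q\n", is.Id, is.Line, is.Severity, is.Category)
	}
}
```

Running `runCheckersBefore` on the fixture returns only the Go analyzer's finding; `runCheckersAfter` returns that finding plus the `go_des_weak_crypto` one with its severity and category restored, which is exactly the difference the regression test above pins down. The by-name index is built from the flattened slice rather than from the map's keys, so the fix does not depend on how the map happens to be keyed.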