flatt-security / shisho Goto Github PK
View Code? Open in Web Editor NEWLightweight static analyzer for several programming languages
Home Page: https://docs.shisho.dev
License: GNU Affero General Public License v3.0
Lightweight static analyzer for several programming languages
Home Page: https://docs.shisho.dev
License: GNU Affero General Public License v3.0
Code Formation allows us to define infrastructures with YAML and JSON. It may be enough for almost all developers with YAML support #53, so I'll re-consider about CFn support after the issue closed.
tree-sitter grammar is here.
Handling of comment
nodes looks unstable. Here are some examples:
N/A
N/A
N/A
Some Google products (Firebase for example) rely on Common Expression Language (CEL), although there's no public implementation of tree-sitter grammar. It would be helpful if we had one and could define custom code policies for codes in CEL.
Shisho currently exits with 1 when there's one or more violations against the given rule. This behaviour prevents us from using Shisho in CI environments with no hack.
We can introduce a new CLI flag like --exit-zero
ton control exit code of Shisho.
N/A
Currently Shisho reports suggested changes, but it can't replace files with the changes automatically.
It'd be great if we could overwrite files automatically with --overwrite
option, for example.
# example
shisho find "len(:[X])" --lang=go --rewrite "len(f(:[X]))" --overwrite
Shisho may suggest multiple changes for a single file when different rules match for a single file. This behaviour may cause some implementation challenges.
tree-sitter grammar is here.
Now a rule includes only one pattern and one rewrite pattern, though it's natural that multiple patterns could be transformed into a rewrite pattern, and vice versa.
Suppose we'd like to transform both of f(:[X], :[Y])
and g(:[X], :[Y])
into either of a(:[X], :[Y])
or b(:[X], :[Y])
. We need something like:
version: "1"
rules:
- id: demo
language: go
message: ""
patterns:
- "f(:[X], :[Y])"
- "g(:[X], :[Y])"
rewrite-options:
- "a(:[X], :[Y])"
- "b(:[X], :[Y])"
N/A
Metavariables like :[X]
should match just one expression or just one statement, but the following test cases (written in Rust) will fail.
{
let tree = Tree::<Go>::try_from(
r#"if err := nil; true == false { a := 2; b := 3 } else { c := 4 }"#,
)
.unwrap();
let ptree = tree.to_partial();
let query = Query::<Go>::try_from(r#"if :[X] { :[...] }"#).unwrap();
let session = ptree.matches(&query);
let c = session.collect();
assert_eq!(c.len(), 0);
}
Run cargo test
, and you'll see language::go::tests::test_if
fails.
language::go::tests::test_if
succeeds.
N/A
tree-sitter grammar is here. We need to resolve some formatting issues though.
Current SHISHO pattern language can't describe the pattern like the following for the sake of autofix.
:[X] + 1
where X
does not include the call of len()
function"More generally, the language cant describe the following:
Now I'm thinking about the best way to describe them. A possible solution is introducing pattern constraint concepts for rules. Here's an intuitive example with the policy describing (P), with help of a pattern constraint, without a limit on autofix features:
rules:
- id: aaa
language: go
message: test
pattern: |
:[X] + 1
constraints:
- target: X
should: not-match
pattern:
len(:[...])
https://play.shisho.dev/p/2fy0PTMPYWGF
This example should cause no alerts.
tree-sitter grammar for YAML is here. It would be helpful to validate YAML quickly.
When one uses Shisho in GitHub Actions, they need to handle console outputs somehow by themselves. It's a bad experience for developers.
It would be nice if Shisho had a feature to generate reports in SARIF or some other formats familiar with reviewdog.
N/A
There are a lot of Dockerfile anti-patterns.
It'd be great if we could support Dockerfile with Shisho.
N/A
Ellipsis operators can match to zero or more expressions / statements. When an ellipsis metavariable operator matches to zero expression / statement, code transformation with the ellipsis metavariable causes error: metavariable not found
.
echo 'if a {}' | shisho find "if :[X] { :[...Y] } " --rewrite 'if :[X] { :[Y] }' --lang=go
Code transformation succeeds.
N/A
tree-sitter grammar is here.
No documentation on the core implementation of Shisho exists, resulting in the difficulty of getting into the details of it.
Put design docs as possible. At least we need a guide to support a new language in Shisho.
N/A
tree-sitter grammar is here.
There's a huge hurdle for developers with a little interest to try Shisho.
Host an online playground page like The Go Playground and more.
Hosting would not cost too much and implementation would be easy, I guess.
One needs to define rules by theirselves even though the rules look common among many teams.
Host a server to collect rules from anyone and distribute rules for everyone.
N/A
I'd like to detect exposure of API tokens (e.g.
"xoxp-blahblah") with Shisho, while Shisho can't do that as of now.
If we could use pattern matching syntax inside string literals, Shisho could resolve the problem.
"xoxp-:[X]"
N/A
tree-sitter grammar is here.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.