flatt-security / shisho
369.0 3.0 15.0 8.04 MB

Lightweight static analyzer for several programming languages

Home Page: https://docs.shisho.dev

License: GNU Affero General Public License v3.0

Rust 98.20% Dockerfile 0.53% HCL 0.96% Go 0.31%
security code-analysis static-analysis terraform go rust terraform-security devsecops


shisho's Issues

Language Support: CloudFormation

CloudFormation allows us to define infrastructure with YAML and JSON. YAML support (#53) may be enough for almost all developers, so I'll reconsider CFn support after that issue is closed.

Language Support: CEL

Some Google products (Firebase, for example) rely on Common Expression Language (CEL), although there's no public tree-sitter grammar implementation for it. It would be helpful if we had one and could define custom code policies for CEL code.

Flag to control exit code

Problem

Shisho currently exits with 1 when there are one or more violations of the given rule. This behaviour prevents us from using Shisho in CI environments without hacks.

Possible Solutions

We can introduce a new CLI flag like --exit-zero to control the exit code of Shisho.

Additional Notes

N/A

Overwriting files with suggested changes

Problem

Currently Shisho reports suggested changes, but it can't replace files with the changes automatically.

Possible Solutions

It'd be great if we could overwrite files automatically with --overwrite option, for example.

# example
shisho find "len(:[X])" --lang=go --rewrite "len(f(:[X]))" --overwrite

Additional Notes

Shisho may suggest multiple changes for a single file when different rules match for a single file. This behaviour may cause some implementation challenges.

Many-to-Many Relations between Pattern and Rewrite Pattern in Rule

Problem

Now a rule includes only one pattern and one rewrite pattern, though it's natural for multiple patterns to be transformed into one rewrite pattern, and vice versa.

Possible Solutions

Suppose we'd like to transform both f(:[X], :[Y]) and g(:[X], :[Y]) into either a(:[X], :[Y]) or b(:[X], :[Y]). We need something like:

version: "1"
rules:
  - id: demo
    language: go
    message: ""
    patterns: 
      - "f(:[X], :[Y])"
      - "g(:[X], :[Y])"
    rewrite-options: 
      - "a(:[X], :[Y])"
      - "b(:[X], :[Y])"

Additional Notes

N/A

go: `if` block matches badly

Description of the bug

Metavariables like :[X] should match just one expression or just one statement, but the following test case (written in Rust) fails.

{
    let tree = Tree::<Go>::try_from(
        r#"if err := nil; true == false { a := 2; b := 3 } else { c := 4 }"#,
    )
    .unwrap();
    let ptree = tree.to_partial();
    let query = Query::<Go>::try_from(r#"if :[X] { :[...] }"#).unwrap();
    let session = ptree.matches(&query);

    let c = session.collect();
    assert_eq!(c.len(), 0);
}

Steps to Reproduce

Run cargo test, and you'll see language::go::tests::test_if fails.

Expected Behaviour

language::go::tests::test_if succeeds.

Additional Materials

N/A

Feature Request: Pattern Constraint

Problem

The current Shisho pattern language can't describe patterns like the following, which are needed for autofix.

  • (P) "there's no :[X] + 1 where X does not include the call of len() function"

More generally, the language can't describe the following:

  • negation
  • deep expression #8

Possible Feature / Solution

Now I'm thinking about the best way to describe them. A possible solution is introducing the concept of pattern constraints for rules. Here's an intuitive example of a policy describing (P) with the help of a pattern constraint, without limiting the autofix features:

rules:
  - id: aaa
    language: go
    message: test
    pattern: |
      :[X] + 1
    constraints:
      - target: X
        should: not-match
        pattern:
          len(:[...])

Better Integration with GitHub

Problem

When one uses Shisho in GitHub Actions, they need to handle the console output somehow by themselves. It's a bad experience for developers.

Possible Solutions

It would be nice if Shisho had a feature to generate reports in SARIF or some other format that reviewdog understands.

Additional Notes

N/A

Dockerfile support

Problem

There are a lot of Dockerfile anti-patterns.

Possible Solutions

It'd be great if we could support Dockerfile with Shisho.

Additional Notes

N/A

Ellipsis metavariable operators behave wrongly in code transformation

Description of the bug

Ellipsis operators can match zero or more expressions / statements. When an ellipsis metavariable operator matches zero expressions / statements, code transformation with that ellipsis metavariable causes the error: metavariable not found.

Steps to Reproduce

echo 'if a {}' | shisho find "if :[X] { :[...Y] } " --rewrite 'if :[X] { :[Y] }' --lang=go

Expected Behaviour

Code transformation succeeds.

Additional Materials

N/A
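The zero-length ellipsis case above is easy to get wrong in a matcher: if a binding is only recorded when at least one node was consumed, the later rewrite step looks up `:[Y]`, finds nothing, and reports "metavariable not found". The following is an added, self-contained illustration of that failure mode and its fix, not code from the shisho repository; it is a deliberately simplified token-level matcher (the real tool matches tree-sitter AST nodes), and every function name in it (`parse_pattern`, `match_at`, `rewrite`, `find_and_rewrite`) is an assumption of this example. Rewritten output is emitted as space-separated tokens.

```rust
use std::collections::HashMap;

/// One element of a parsed pattern. This is a token-level simplification
/// made for this example; shisho itself matches AST nodes.
#[derive(Debug, Clone, PartialEq)]
enum Pat {
    Lit(String),      // literal token that must appear verbatim
    Meta(String),     // :[X]    binds exactly one token
    Ellipsis(String), // :[...Y] binds zero or more tokens
}

/// Captured metavariable bindings: name -> the token sequence it matched.
type Bindings = HashMap<String, Vec<String>>;

/// Split text into identifier/number tokens and single punctuation characters.
fn tokenize(s: &str) -> Vec<String> {
    let mut out = Vec::new();
    let mut cur = String::new();
    for c in s.chars() {
        if c.is_alphanumeric() || c == '_' {
            cur.push(c);
        } else {
            if !cur.is_empty() {
                out.push(std::mem::take(&mut cur));
            }
            if !c.is_whitespace() {
                out.push(c.to_string());
            }
        }
    }
    if !cur.is_empty() {
        out.push(cur);
    }
    out
}

/// Parse a pattern string, recognising `:[NAME]` and `:[...NAME]` holes.
fn parse_pattern(p: &str) -> Vec<Pat> {
    let mut out = Vec::new();
    let mut rest = p;
    while let Some(start) = rest.find(":[") {
        out.extend(tokenize(&rest[..start]).into_iter().map(Pat::Lit));
        let after = &rest[start + 2..];
        let end = after.find(']').expect("unterminated metavariable");
        let name = &after[..end];
        out.push(match name.strip_prefix("...") {
            Some(n) => Pat::Ellipsis(n.to_string()),
            None => Pat::Meta(name.to_string()),
        });
        rest = &after[end + 1..];
    }
    out.extend(tokenize(rest).into_iter().map(Pat::Lit));
    out
}

/// Backtracking matcher: does `pat` consume all of `toks`?
fn match_at(pat: &[Pat], toks: &[String], b: &mut Bindings) -> bool {
    match pat.first() {
        None => toks.is_empty(),
        Some(Pat::Lit(l)) => toks.first() == Some(l) && match_at(&pat[1..], &toks[1..], b),
        Some(Pat::Meta(n)) => {
            if toks.is_empty() {
                return false;
            }
            if let Some(prev) = b.get(n) {
                // a name used twice must bind the same token both times
                let same = prev.as_slice() == &toks[..1];
                return same && match_at(&pat[1..], &toks[1..], b);
            }
            b.insert(n.clone(), vec![toks[0].clone()]);
            if match_at(&pat[1..], &toks[1..], b) {
                return true;
            }
            b.remove(n);
            false
        }
        Some(Pat::Ellipsis(n)) => {
            // Try every span length starting at zero. The binding is recorded
            // even for k == 0 (an empty sequence), which is the fix: a later
            // rewrite can still look the name up instead of failing.
            for k in 0..=toks.len() {
                b.insert(n.clone(), toks[..k].to_vec());
                if match_at(&pat[1..], &toks[k..], b) {
                    return true;
                }
            }
            b.remove(n);
            false
        }
    }
}

/// Match `pattern` against the whole of `input`, returning the bindings.
fn match_pattern(pattern: &str, input: &str) -> Option<Bindings> {
    let mut b = Bindings::new();
    if match_at(&parse_pattern(pattern), &tokenize(input), &mut b) {
        Some(b)
    } else {
        None
    }
}

/// Expand a rewrite pattern. A hole bound to zero tokens expands to nothing;
/// only a name that was never bound at all is an error.
fn rewrite(rw: &[Pat], b: &Bindings) -> Result<String, String> {
    let mut out: Vec<String> = Vec::new();
    for p in rw {
        match p {
            Pat::Lit(l) => out.push(l.clone()),
            Pat::Meta(n) | Pat::Ellipsis(n) => match b.get(n) {
                Some(ts) => out.extend(ts.iter().cloned()),
                None => return Err(format!("metavariable not found: {}", n)),
            },
        }
    }
    Ok(out.join(" "))
}

/// Ok(None) when the pattern does not match, Ok(Some(text)) on a rewrite.
fn find_and_rewrite(pattern: &str, rewrite_pat: &str, input: &str) -> Result<Option<String>, String> {
    match match_pattern(pattern, input) {
        Some(b) => rewrite(&parse_pattern(rewrite_pat), &b).map(Some),
        None => Ok(None),
    }
}

fn main() {
    // Constructed input reproducing the issue: `:[...Y]` matches nothing
    // inside the empty block, and the rewrite must still succeed.
    println!("{:?}", find_and_rewrite("if :[X] { :[...Y] }", "if :[X] { :[Y] }", "if a {}"));
    println!("{:?}", find_and_rewrite("len(:[X])", "len(f(:[X]))", "len(xs)"));
}
```

The design point is in the ellipsis branch: the empty match is a legitimate binding and is stored as an empty sequence, so `rewrite` distinguishes "bound to nothing" (expands to nothing) from "never bound" (a genuine error). A matcher that only inserts a binding after consuming at least one element reproduces exactly the error the issue describes.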

Documentation for contributors

Problem

No documentation on the core implementation of Shisho exists, which makes it hard to get into its details.

Possible Solutions

Put up design docs where possible. At least we need a guide on supporting a new language in Shisho.

Additional Notes

N/A

Online Playground

Problem

There's a huge hurdle for developers with only a little interest in trying Shisho.

Possible Solutions

Host an online playground page like The Go Playground and more.

Additional Notes

Hosting would not cost too much and implementation would be easy, I guess.

Rule Registry

Problem

One needs to define rules by themselves even though the rules look common among many teams.

Possible Solutions

Host a server to collect rules from anyone and distribute rules for everyone.

Additional Notes

N/A

Pattern matching inside string literals

Problem

I'd like to detect exposure of API tokens (e.g. "xoxp-blahblah") with Shisho, while Shisho can't do that as of now.

Possible Solutions

If we could use pattern matching syntax inside string literals, Shisho could resolve the problem.

"xoxp-:[X]"

Additional Notes

N/A
