This Project has Moved to https://github.com/microsoft/devskim.
DevSkim plugin for VS Code.
Hi,
in some piece of code using LLVM libs:
    if (const auto constExpr = dyn_cast<ConstantExpr>(value)) {
      if (constExpr->getOpcode() == Instruction::BitCast)
        return getAlignment(constExpr->getOperand(0));
                                             ^~~~  // This is not a rand() call
    }
I get the "rand" part of the getOperand() call highlighted, telling me:
[Devskim: Finding DS148264]
Do not use weak/non-cryptographic random number generators
Severity: [Important]
Apparently, this is not a rand() call at all. I guess the engine is doing a substring match only, not a full word match...
ciao,
Mario
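To illustrate the substring-versus-word-match point raised in this report, here is an added example (not DevSkim's own implementation; the rule `kind` labels and the sample lines are constructed) that scans lines modelled on the LLVM snippet with a bare `rand\s*\(` pattern and with a `\b`-anchored one:

```javascript
// Added example, not DevSkim's code: substring match vs. word-boundary match
// for a "weak RNG" rule, run over lines modelled on the LLVM snippet above.

// Constructed sample lines; the first reproduces the false positive reported.
const SAMPLE_LINES = [
  "        return getAlignment(constExpr->getOperand(0));", // not a rand() call
  "    int seed = rand();",                                  // real rand() call
  "    unsigned v = std::rand() % 100;",                     // real rand() call
  "    srand(time(NULL));",                                  // seeding, not rand()
];

// Same finding id, two pattern shapes. The substring form matches "rand("
// anywhere; the word form requires a word boundary before "rand", so the
// "rand" inside getOperand or srand cannot trigger it.
const SUBSTRING_RULE = { id: "DS148264", kind: "substring", pattern: /rand\s*\(/g };
const WORD_RULE      = { id: "DS148264", kind: "regex-word", pattern: /\brand\s*\(/g };

// Scan one line with one rule; return each hit with its column range.
function scanLine(line, rule) {
  const findings = [];
  for (const m of line.matchAll(rule.pattern)) {
    findings.push({ id: rule.id, start: m.index, end: m.index + m[0].length, text: m[0] });
  }
  return findings;
}

// Number of sample lines the rule would report in the Problems pane.
function countFlaggedLines(rule, lines = SAMPLE_LINES) {
  return lines.filter((l) => scanLine(l, rule).length > 0).length;
}

// Side-by-side summary: the substring rule flags all four lines, the
// word-boundary rule only the two genuine rand() calls.
function summarize(lines = SAMPLE_LINES) {
  return {
    substring: countFlaggedLines(SUBSTRING_RULE, lines),
    word: countFlaggedLines(WORD_RULE, lines),
  };
}
```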
As we convert to Github actions we should produce the NPM package
Suppress Issue Permanently is spelled wrong in the context menu
I'm using the VS Code DevSkim extension. When I recently updated to VSCode Insiders 1.34, this extension is causing the editor text cursor to jump around.
Basically, if DevSkim finds anything to report, it places all the issues into the Problems Pane.
In this case, I was editing a PowerShell script file. When I attempt to edit a function which has issues reported by DevSkim, the cursor automatically jumps to the line containing the function declaration after every key press. Infuriating. I disabled DevSkim in one Visual Studio Code window and the issue went away, while it persists in the window that has not been reloaded to pick up the fact that I had disabled the extension.
Here's some relevant information you probably need:
Visual Studio Code Insiders Info
Version: 1.34.0-insider (user setup)
Commit: 0ab39f4148f242e7b0802330385fc99b4845aa31
Date: 2019-04-08T05:19:58.162Z
Electron: 3.1.8
Chrome: 66.0.3359.181
Node.js: 10.2.0
V8: 6.6.346.32
OS: Windows_NT x64 10.0.17763
PowerShell Extension version: 1.12.0
DevSkim Version: 0.2.2
On Visual Studio Code, installing DevSkim crashes the extension engine and you can not use any other extension.
VSCode Insider-build 1.21.0
When a single line contains both a finding that can be suppressed (i.e. a finding of severity crit, important, etc.) and a finding that gets marked as reviewed (severity "manual-review"), choosing to mark one as reviewed and the other as suppressed causes the two comments to overlap slightly, e.g.
    //DevSkim: reviewed DS123456 on 2016-//DevSkim: ignore DS1357924 until 2017-01-2112-21
The suppression above is being inserted in the middle of the date instead of at the end of the line as expected.
When a finding-region is specified for a condition, the plugin doesn't search the region.
When a finding-region is matched with a regex, the values are strings. On the line below a string is added to an integer, resulting in a string.
    finding-region(-5,5)
and the rule match is on line 16:
    findingRange.start.line + regionMatch[1]
    16 + "-5" === "16-5"
So "16-5" is passed into GetDocumentPosition(), and
    "16-5"++
is NaN, which causes problems with the rest of the function.
Similar behavior for endPos:
    findingRange.end.line + regionMatch[2] + 1
    16 + "5" + 1 === "1651"
While the NaN bug doesn't occur, the line number is inaccurate.
Use unary operators to cast the finding-range values to integers.
    xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
    xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
    xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"
    xmlns:d="http://schemas.microsoft.com/expression/blend/2008"
I'm getting a warning in the form of a wavy purple line under the http text and a DS137138 error message in the output window in xaml files.
Show potential Fixes has a 'surpress permanently' option, but it does nothing.
I don't see any obvious way to turn this off. I've read the guidance on this, but simply ignoring it is not acceptable. Also it only works for files that are open in the VS editor; closed files are ignored.
I personally wouldn't use this tool if I can't manage/get rid of these messages, but I do like the concept of this tool so I'm hoping you can fix this up for the v1.
The console.log right now is super verbose, which is helpful for debugging but not necessary for everyday users. The console.log should be behind a debug settings flag of some form, so it can be enabled selectively should a user want it
Running DevSkim commands in vscode via Cmd+Shift+P, results in an error message:
command 'devskim.scanWorkspace' not found
This occurs in any workspace, except the workspace which was open when I originally installed the DevSkim extension. In the workspace which was open when I originally installed the DevSkim extension, the commands work correctly.
Here are my vscode User settings:
    {
      "workbench.colorTheme": "Material Theme Darker High Contrast",
      "workbench.iconTheme": "eq-material-theme-icons-darker",
      "terminal.integrated.rightClickBehavior": "copyPaste",
      "editor.minimap.enabled": false,
      "terminal.integrated.fontWeight": "600",
      "breadcrumbs.enabled": true,
      "window.zoomLevel": 0,
      "eslint.provideLintTask": true,
      "eslint.alwaysShowStatus": true,
      "eslint.validate": [
        "javascript",
        "javascriptreact"
      ],
      "editor.tokenColorCustomizations": {
        "comments": "#a8a790"
      },
      "java.configuration.checkProjectSettingsExclusions": false,
      "javascript.updateImportsOnFileMove.enabled": "always",
      "editor.suggestSelection": "first",
      "vsintellicode.modify.editor.suggestSelection": "automaticallyOverrodeDefaultValue",
      "workbench.panel.defaultLocation": "right",
      "workbench.startupEditor": "newUntitledFile",
      "extensions.autoUpdate": false,
      "explorer.confirmDragAndDrop": false,
      "devskim.enableBestPracticeRules": true,
      "devskim.enableManualReviewRules": true,
      "devskim.manualReviewerName": "mojave"
    }
It appears that DevSkim doesn't clear its output from the "Problems" pane when an active file is closed, leading to duplicate problem reports and general overwhelming spamming of the problems pane over the course of a day.
Matched rules with conditions highlight the wrong text
When DevSkimWorker.MatchesConditionPattern() returns true, MatchesConditions() returns false.
This causes the problem to be pushed as a suppressed finding.
Invert the logic so the function is returning false when there are no matches:
    if(!DevSkimWorker.MatchesConditionPattern(condition, documentContents, findingRange, langID))
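The two condition-handling reports above (the finding-region string concatenation and the inverted MatchesConditions result) share one root: the region must be computed as numbers and then actually searched. This added example (not DevSkim's own code; function names and the sample document are illustrative assumptions) shows the defective arithmetic next to the unary-plus fix and a region search that returns true only when the condition pattern matches:

```javascript
// Added example, not DevSkim's code: the finding-region arithmetic from the
// report above, shown with the string-concatenation defect and with unary-plus
// casting, and a region search that returns true only when the condition
// pattern really matches. Function names are illustrative assumptions.

// "finding-region(-5,5)": both captures come back as strings.
const REGION_RE = /^finding-region\((-?\d+),(-?\d+)\)$/;

function parseRegion(spec) {
  const m = REGION_RE.exec(spec.trim());
  if (!m) throw new Error(`unrecognised region spec: ${spec}`);
  return { before: m[1], after: m[2] }; // kept as strings on purpose
}

// Defective form: number + string concatenates, so 16 + "-5" is "16-5".
function regionLinesBuggy(findingLine, spec) {
  const r = parseRegion(spec);
  return { start: findingLine + r.before, end: findingLine + r.after + 1 };
}

// Corrected form: unary plus coerces each capture before the addition, and the
// result is clamped to the document so a region near the edges stays in range.
// `end` is exclusive, mirroring the "+ 1" in the original expression.
function regionLinesFixed(findingLine, spec, lineCount) {
  const r = parseRegion(spec);
  const start = Math.max(0, findingLine + +r.before);
  const end = Math.min(lineCount, findingLine + +r.after + 1);
  return { start, end };
}

// Condition check over the region: true when the pattern matches at least one
// line in it, false otherwise (the inversion the second report asks for).
function matchesConditionInRegion(lines, findingLine, spec, pattern) {
  const { start, end } = regionLinesFixed(findingLine, spec, lines.length);
  return lines.slice(start, end).some((l) => pattern.test(l));
}

// Constructed 30-line document with one marker line at index 20.
const DOC = Array.from({ length: 30 }, (_, i) =>
  i === 20 ? "using namespace std;" : `// filler line ${i}`
);
```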
trying to install it with ext install vscode-devskim and there is no extension of that name in the marketplace
As we port our pipeline to GitHub actions, we should have it do the .vsix production
I just tried the plug-in on my project, and it's giving me 251 errors in the auto-generated yarn.lock.
    file: 'file:///c%3A/Users/tim-m/projects/naming/synonymgraph/yarn.lock'
    severity: 'Error'
    message: '
    Severity: [Important]
    A token or key was found in source code. If this represents a secret, it should be moved somewhere else.
    More Info:
    https://github.com/Microsoft/DevSkim/blob/master/guidance/DS173237.md'
    at: '7,74'
    source: 'Devskim:Do not store tokens or keys in source code.'
Because it's auto-generated it can't be modified to disable a lint error, and so if DevSkim is enabled I have a huge number of "errors" that I can't eliminate in any way (that I can find in the docs).
My workaround is just to disable DevSkim. Let me know if there's a better way.
After #47 we should then run that NPM against the code (note, should exclude the rules directory)
As we convert to Github actions we should set up our unit test runner to execute
When running the DevSkim CLI against large files (10 MB+), progress is extremely slow. Since it's a bit less likely that these large files will contain interesting results, I think we should cap file sizes to analyze around maybe 100k or so, with the ability for the user to change if they want.