Closed vermegi closed 2 months ago
WindUp does not have the same level of features when it comes to YAML. There are several open JIRA issues on this topic:
WINDUP-3420 is the one about the issues we face:
It must be possible to traverse yaml/yml files, with the same degree of precision as XML files. Hence provide the equivalent capability of the XPATH to navigate to specific property values.
I've left a comment in the JIRA.
Until a better way is found, the WindUp team has disabled the YAML file extension. See https://github.com/windup/windup-rulesets/pull/1018
I have been testing with spring petclinic microservices, and specifically for the config repo used there, I was expecting certain rules to trigger, but they don't. I think this has to do with the definition of the rule being like this:
(https://github.com/Azure/appcat-rulesets/blob/d60c16ddefee1139f64322d9e42442c129e7ed14/rules/rules-reviewed/azure/azure-database-config.windup.xml#L24)
While in the config repo for petclinic the definition is like this:
datasource:
  url: jdbc:mysql://localhost:3306/petclinic?useSSL=false
Because of the different way of defining this property, this rule will not trigger.
The rule did trigger on jdbc:
(https://github.com/Azure/appcat-rulesets/blob/d60c16ddefee1139f64322d9e42442c129e7ed14/rules/rules-reviewed/azure/azure-database-config.windup.xml#L23C76-L23C76)
Similarly, none of the port definitions in these YAML files got reported on. For instance admin-server.yml has the following property definition:
server:
  port: 9090
while the rule (https://github.com/Azure/appcat-rulesets/blob/main/rules/rules-reviewed/azure/springboot/spring-boot-to-azure-port.windup.xml) uses
This will not detect the newline.
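
The mismatch described in this issue, as an added example that is not part of the original post or of the WindUp/appcat rulesets: a flat, property-style pattern finds nothing in nested YAML, but matches once the YAML is flattened to dotted keys. The two regexes are hypothetical stand-ins (the real rule patterns are not shown on this page), the function names are illustrative, and the parser only handles nested block mappings.

```python
import re

# Constructed samples modelled on the two snippets quoted in the issue.
CONFIG_YML = "datasource:\n  url: jdbc:mysql://localhost:3306/petclinic?useSSL=false\n"
ADMIN_SERVER_YML = "server:\n  port: 9090\n"

# Hypothetical property-style patterns, NOT the ruleset's actual regexes.
DATASOURCE_RULE = r"datasource\.url\s*[=:]\s*jdbc:\S+"
PORT_RULE = r"server\.port\s*[=:]\s*\d+"


def flatten_yaml(text):
    """Return {dotted.key: value} for a block-style YAML mapping.

    Assumption: space-indented nested mappings only (no lists, anchors,
    flow style or multi-line scalars), which covers the cases in the issue.
    """
    flat, parents = {}, []  # parents: (indent, key) of the open mappings
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        body = line.strip()
        if not body or body.startswith(("#", "-")) or ":" not in body:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = body.partition(":")
        # Leave every mapping that is not an ancestor of this line.
        while parents and parents[-1][0] >= indent:
            parents.pop()
        value = value.strip()
        if value:
            flat[".".join([k for _, k in parents] + [key.strip()])] = value
        else:
            parents.append((indent, key.strip()))
    return flat


def to_properties(text):
    """Render the flattened YAML in .properties form so flat rules apply."""
    return "\n".join(f"{k}={v}" for k, v in flatten_yaml(text).items())


def rule_hits(pattern, text):
    """Return every substring of text matched by a rule pattern."""
    return [m.group(0) for m in re.finditer(pattern, text, re.MULTILINE)]


if __name__ == "__main__":
    for rule, doc in ((DATASOURCE_RULE, CONFIG_YML), (PORT_RULE, ADMIN_SERVER_YML)):
        print("raw YAML :", rule_hits(rule, doc))
        print("flattened:", rule_hits(rule, to_properties(doc)))
```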