microsoft / DevSkim

DevSkim is a set of IDE plugins, language analyzers, and rules that provide security "linting" capabilities.
MIT License

Support Suppressions for file types without comments #594

Open gfs opened 11 months ago

gfs commented 11 months ago

Is your feature request related to a problem? Please describe.
Some file types (in particular JSON) do not support comments, and so it is not feasible to include suppressions directly in the files.

Describe the solution you'd like
A mechanism to specify suppressions for those files using an additional file. This could be either a new suppressions file (either global for the project or one per file) or additional options, either via options-json or via a second suppressions-json argument.

Additional Context
One possible implementation is a JSON ignore format like this, which could either be added to options-json or passed as a separate suppressions-json argument.

{
    "ignore": [
        {
            "path": "relative/path/to/file.json",
            "issue_id": ["DS173237"],
            "description": "This ignores all the issues DS173237 in the file relative/path/to/file.json"
        },
        {
            "path": "relative/path/to/some/other/file.cc",
            "line": 10,
            "issue_id": ["DS173237"],
            "description": "This ignores all the issues DS173237 in the file relative/path/to/some/other/file.cc at line 10"
        },
        {
            "path": "relative/path/dir",
            "issue_id": ["DS173237"],
            "description": "This ignores all the issues DS173237 in the directory relative/path/dir"
        }
    ]
}

Additional considerations
When running the suppress command it would be nice (but is not essential for this) to be able to either generate the new entries to be added to this config file or to directly update it. To detect whether issues are already suppressed, the suppression file should also be an argument to the suppress command.

Primary implementation would be in the CLI, but ideally can add an option for the IDE to specify a suppressions file. If the IDE is configured to use a suppressions file, perhaps new suppressions should be written into it, or have an option to put new suppressions into it.

gfs commented 11 months ago

Suggestion received from Denis: support placing a suppressions file with a known name, for example .devskim.suppressions.json, in the top level of a repo so that it is automatically picked up when running DevSkim from a pipeline across multiple repos, where it would be preferable not to modify the devskim command itself.
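The following is an added example, not DevSkim's code and not part of either comment above: a small Python resolver that parses the "ignore" format proposed in the issue body and decides whether a given finding (path, line, rule id) is covered by it, plus the well-known-file lookup suggested in the second comment. The matching semantics are assumptions about how the proposal would be interpreted: an entry's path matches a finding either exactly or as a directory prefix by whole path components (so "relative/path" does not swallow "relative/pathological/x"), "line" is optional and must equal the finding's line when present, and paths are normalized to forward slashes so Windows and POSIX tools report the same file the same way. The sample suppressions document is constructed for the example. The file name `.devskim.suppressions.json` is the one named in the thread; the function and parameter names are the example's own.

```python
"""Resolver for the suppressions-file format proposed in DevSkim issue #594.

Added example, not DevSkim's own code. Matching rules (exact file, optional
line, directory prefix by whole component) are an assumption about the proposal.
"""
import json
import os
import posixpath
from typing import Any, Dict, List, Optional, Set

# Well-known file name suggested in the thread for automatic pickup at the repo root.
DEFAULT_SUPPRESSIONS_NAME = ".devskim.suppressions.json"

# Constructed sample document in the proposed format (not from any real project).
SAMPLE_SUPPRESSIONS = """
{
    "ignore": [
        {"path": "config/appsettings.json", "issue_id": ["DS173237"],
         "description": "Whole-file suppression for a JSON file that cannot carry comments"},
        {"path": "src/native/crypto.cc", "line": 10, "issue_id": ["DS173237"],
         "description": "Single-line suppression"},
        {"path": "third_party/vendored", "issue_id": ["DS173237", "DS137138"],
         "description": "Directory suppression covering every file beneath it"}
    ]
}
"""


def _normalize(path: str) -> str:
    """Collapse '.' and '..' segments and use forward slashes regardless of host OS."""
    return posixpath.normpath(path.replace("\\", "/"))


def load_suppressions(text: str) -> List[Dict[str, Any]]:
    """Parse the proposed document and validate each entry's shape before use."""
    doc = json.loads(text)
    entries = doc.get("ignore", [])
    if not isinstance(entries, list):
        raise ValueError('"ignore" must be a list')
    parsed = []
    for index, entry in enumerate(entries):
        if "path" not in entry or "issue_id" not in entry:
            raise ValueError(f"entry {index}: 'path' and 'issue_id' are required")
        line = entry.get("line")
        # bool is a subclass of int in Python, so reject it explicitly.
        if line is not None and (isinstance(line, bool) or not isinstance(line, int) or line < 1):
            raise ValueError(f"entry {index}: 'line' must be a positive integer")
        ids = entry["issue_id"]
        if not isinstance(ids, list) or not all(isinstance(i, str) for i in ids):
            raise ValueError(f"entry {index}: 'issue_id' must be a list of rule ids")
        parsed.append({"path": _normalize(entry["path"]), "line": line, "issue_id": set(ids)})
    return parsed


def _path_matches(entry_path: str, finding_path: str) -> bool:
    """Exact file match, or entry_path is an ancestor directory by whole components."""
    if entry_path == finding_path:
        return True
    return finding_path.startswith(entry_path + "/")


def is_suppressed(entries: List[Dict[str, Any]], finding_path: str, line: int, issue_id: str) -> bool:
    """True if any entry covers this (path, line, rule id) finding."""
    finding_path = _normalize(finding_path)
    for entry in entries:
        if issue_id not in entry["issue_id"]:
            continue
        if not _path_matches(entry["path"], finding_path):
            continue
        if entry["line"] is not None and entry["line"] != line:
            continue
        return True
    return False


def find_suppressions_file(repo_root: str, explicit: Optional[str] = None) -> Optional[str]:
    """Prefer an explicitly passed path; otherwise pick up the well-known name at the repo root."""
    if explicit:
        return explicit
    candidate = os.path.join(repo_root, DEFAULT_SUPPRESSIONS_NAME)
    return candidate if os.path.isfile(candidate) else None


if __name__ == "__main__":
    rules = load_suppressions(SAMPLE_SUPPRESSIONS)
    for path, line, rule in [("config/appsettings.json", 3, "DS173237"),
                             ("src/native/crypto.cc", 11, "DS173237"),
                             ("third_party\\vendored\\lib\\x.c", 1, "DS137138")]:
        print(f"{path}:{line} {rule} suppressed={is_suppressed(rules, path, line, rule)}")
```

The whole-component prefix check is the part a practitioner would most want to get right: a naive `startswith` on the raw string would let a directory entry silently suppress findings in sibling directories that merely share a name prefix.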