stackmuncher / stm_app

This software engineer profile builder turns your code into a detailed list of skills for an online directory of software developers.
https://stackmuncher.com
GNU Affero General Public License v3.0

Rust muncher limitations + sensitive info leakage #1

Open rimutaka opened 3 years ago

rimutaka commented 3 years ago

Limitations

The Rust Muncher should be a bit more detailed and accurate. The initial implementation cut a few corners.

  1. for X in Y {...} - make this a single construct in keywords as opposed to separate for and in
  2. Add documentation block comments as a separate trackable structure. We can only track block comments that don't show as docs. /// and //! are tracked as docs, but /** ... **/ is not.
  3. Reliably parsing use is too hard because it can be nested and multiline. Skipped for now.
  4. Cargo.toml regex picks up lines with version and edition from [package] section because we can't look only in a certain part of the file. I couldn't construct a regex to exclude those two.

Potential sensitive data leakage

Local libs are included in the report. E.g. stackmuncher_lib = { version = "0.2", path = "../../stm_app/stackmuncher_lib" } includes stackmuncher_lib.

This probably affects other languages. The problem here is in the parent path. It should be logged as a separate issue.
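
A section-aware Cargo.toml scanner covering the two manifest problems above (the `version`/`edition` keys under [package] being matched, and a local `path` dependency leaking a parent directory name into the report); this is an added example, not stm_app's own code, and it assumes only the standard library plus a constructed sample manifest:

```rust
// Added example, not stm_app code: a section-aware Cargo.toml scanner. Only keys
// under dependency tables are reported (so `version`/`edition` from [package] are
// skipped), and a `path = "..."` entry is recorded as a flag without copying the path.
pub struct Dep {
    pub name: String,
    pub version: Option<String>,
    pub has_local_path: bool, // the path value itself is deliberately dropped
}
// Dependency tables incl. [target.'cfg(..)'.dependencies]; the [dependencies.<crate>] form is not handled.
fn is_dep_section(h: &str) -> bool {
    h == "dependencies" || h.ends_with("-dependencies") || h.ends_with(".dependencies")
}

// Looks up `key = "value"` inside an inline table like `{ version = "0.2", path = "x" }`.
fn inline_value(table: &str, key: &str) -> Option<String> {
    let inner = table.trim().trim_start_matches('{').trim_end_matches('}');
    inner.split(',').find_map(|kv| {
        let (k, v) = kv.split_once('=')?;
        (k.trim() == key).then(|| v.trim().trim_matches('"').to_string())
    })
}

pub fn dependencies(cargo_toml: &str) -> Vec<Dep> {
    let mut in_deps = false;
    let mut out = Vec::new();
    for line in cargo_toml.lines().map(str::trim) {
        if line.is_empty() || line.starts_with('#') { continue; }
        if let Some(h) = line.strip_prefix('[') {
            // A table header decides whether the keys that follow are dependencies.
            in_deps = is_dep_section(h.trim_end_matches(']').trim());
            continue;
        }
        let (key, val) = match line.split_once('=') {
            Some(kv) if in_deps => kv,
            _ => continue, // keys outside dependency tables never reach the report
        };
        let val = val.trim();
        let (version, has_local_path) = if val.starts_with('{') {
            (inline_value(val, "version"), inline_value(val, "path").is_some())
        } else {
            (Some(val.trim_matches('"').to_string()), false) // plain `crate = "1.0"`
        };
        out.push(Dep { name: key.trim().trim_matches('"').to_string(), version, has_local_path });
    }
    out
}
// Constructed sample manifest mirroring the issue's example (not a real project file).
pub const SAMPLE: &str = "[package]\nname = \"stm_app\"\nversion = \"0.1.0\"\nedition = \"2021\"\n[dependencies]\nregex = \"1\"\n\
stackmuncher_lib = { version = \"0.2\", path = \"../../stm_app/stackmuncher_lib\" }\n";
```

Running `dependencies(SAMPLE)` yields only `regex` and `stackmuncher_lib`, with the latter flagged as a local path dependency and its `../../stm_app/...` value absent from the output.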

Feilkin commented 3 years ago

Why are you using regex to parse Rust files?

rimutaka commented 3 years ago

@Feilkin, I'm trying to keep it simple and generic / language-agnostic for now. How would you approach it?

rimutaka commented 2 years ago

Relates to #8. The regex approach is a big limitation in solving this.