thoughtworks / talisman

Using a pre-commit hook, Talisman validates the outgoing changeset for things that look suspicious — such as tokens, passwords, and private keys.
https://thoughtworks.github.io/talisman/
MIT License

fileignoreconfig at the end of scan is displaying a wrong checksum #359

Closed brunovasconcelostw closed 2 years ago

brunovasconcelostw commented 2 years ago

Describe the bug

The checksum presented at the end of a scan is not the same as the one produced by running the checksum command. The fileignoreconfig logged at the end of the scan is ignoring the file (because it is wrong).

To Reproduce

Steps to reproduce the behavior:

  1. Install any library using npm
  2. Run as CLI: {TALISMAN_PATH} -- --githook pre-commit
  3. Run as CLI: {TALISMAN_PATH} -- --checksum package-lock.json
  4. See that the suggested fileignoreconfig is different for them

Expected behavior

When running {TALISMAN_PATH} -- --githook [pre-commit|pre-push], it displays the right checksum for the issued files.

Screenshots: [Screen Shot 2022-03-22 at 12 23 38]


svishwanath-tw commented 2 years ago

Hi @brunovasconcelostw : Have you considered using scopes to ignore package-lock.json totally https://thoughtworks.github.io/talisman/docs/configuring-talisman/ignoring/#ignoring-files-by-specifying-language-scope ?

The checksum command and the pre-commit command look for the staged version of the file (i.e. the version you see after git add).

I see that both pre-commit hook and the checksum command give the same output. Example:

[Screenshot 2022-03-23 at 1 18 09 PM]

brunovasconcelostw commented 2 years ago

That's nice! I didn't use the scopeconfig because I was not sure about what it does and what type of files it ignores. So I preferred to run without this and ignore the files manually.

Is there something else the node scope ignores besides package-lock.json?

brunovasconcelostw commented 2 years ago

And about the issue: I noticed it gives the same result for most of the files. But for an unknown reason, when trying to run on package-lock.json (it might be related to the size of the file) it gives a different result, as shown in the screenshot.

note: all the files during the execution were staged.

svishwanath-tw commented 2 years ago

That's nice! I didn't use the scopeconfig because I was not sure about what it does and what type of files it ignores. So I preferred to run without this and ignore the files manually.

Is there something else the node scope ignores besides package-lock.json?

The node scope specifically ignores package-lock.json, yarn.lock and node_modules/ folder.

Full details of the files/folders ignored by each scope are visible in talismanrc/scopes.go.
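The two points made in this thread, that Talisman hashes the staged copy of a file rather than the working-tree copy, and that the node scope is the simpler way to ignore lockfiles, can be checked outside Talisman. The script below is an added example, not code from the Talisman project or from either commenter. It builds a throwaway git repo, stages a constructed stand-in for package-lock.json, modifies the working-tree copy without re-adding it, and compares a SHA-256 of `git show :package-lock.json` (the index copy) against a SHA-256 of the file on disk. It assumes, as a labelled assumption, that Talisman's per-file checksum is a SHA-256 of the staged content; even if the hash algorithm differs, the staged/working-tree mismatch is what this demonstrates. It also writes a .talismanrc using the scopeconfig format from the Talisman docs linked above, with the fileignoreconfig alternative left as a comment.

```shell
#!/bin/sh
# Added example (not Talisman's own code).
# Shows why a checksum of the working-tree file can differ from the one Talisman
# reports for the staged copy, and writes a .talismanrc that uses the node scope.
# ASSUMPTION: Talisman's per-file checksum is SHA-256 of the staged content.
set -eu

# sha256_of_stdin: portable SHA-256 of stdin (sha256sum on Linux, shasum on macOS).
sha256_of_stdin() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | awk '{print $1}'
  else
    shasum -a 256 | awk '{print $1}'
  fi
}

# staged_vs_worktree REPO FILE: prints "same" when the index copy (what
# `git show :FILE` returns, i.e. what you see after `git add`) hashes to the
# same value as the working-tree copy, otherwise "differs".
staged_vs_worktree() {
  repo=$1; file=$2
  staged=$(git -C "$repo" show ":$file" | sha256_of_stdin)
  worktree=$(sha256_of_stdin < "$repo/$file")
  if [ "$staged" = "$worktree" ]; then echo same; else echo differs; fi
}

# write_talismanrc REPO: ignore lockfiles via the documented node scope.
# The per-file alternative (fileignoreconfig with the checksum Talisman prints)
# is shown commented out; it must be regenerated whenever the staged file changes.
write_talismanrc() {
  cat > "$1/.talismanrc" <<'EOF'
scopeconfig:
  - scope: node
# fileignoreconfig:
#   - filename: package-lock.json
#     checksum: <checksum printed by `talisman --checksum package-lock.json`>
EOF
}

# demo: prints "same differs node" on success.
demo() {
  command -v git >/dev/null 2>&1 || { echo "git-missing"; return 1; }
  repo=$(mktemp -d)
  git init -q "$repo"
  # constructed stand-in for a real package-lock.json
  printf '{"name":"demo","lockfileVersion":2}\n' > "$repo/package-lock.json"
  git -C "$repo" add package-lock.json
  before=$(staged_vs_worktree "$repo" package-lock.json)
  # simulate a second `npm install` after `git add`: disk changes, index does not
  printf '{"name":"demo","lockfileVersion":2,"packages":{}}\n' > "$repo/package-lock.json"
  after=$(staged_vs_worktree "$repo" package-lock.json)
  write_talismanrc "$repo"
  scope=$(grep -c 'scope: node' "$repo/.talismanrc" | sed 's/1/node/')
  rm -rf "$repo"
  printf '%s %s %s\n' "$before" "$after" "$scope"
}
```

Run `demo` in a shell to see `same differs node`: the first comparison matches because nothing changed between `git add` and the hash, the second differs because the working tree was rewritten after staging. That is the situation to rule out when a `--checksum` run and the value printed by the hook disagree: re-run `git add` on the file and compare again before concluding the checksum itself is wrong.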