zegl / kube-score

Kubernetes object analysis with recommendations for improved reliability and security. kube-score actively prevents downtime and bugs in your Kubernetes YAML and Charts. Static code analysis for Kubernetes.
https://kube-score.com
MIT License
2.68k stars 175 forks

Replace Sarif JSON structs with owenrumney/go-sarif/sarif #460

Open atombrella opened 2 years ago

atombrella commented 2 years ago

RELNOTE: Replace Sarif JSON structs with owenrumney/go-sarif/sarif

This addresses #447 It doesn't seem to require more than simply replacing the import, and deleting the go file with the structs. The library in favor contains a more elaborate definition of the structs for the Sarif standard.

Note that I haven't checked the code coverage for the --output-format sarif flag.

zegl commented 2 years ago

Looks like the code doesn't compile anymore, I'm guessing that we need to make some alterations to our sarif.go to make it fit how the library is supposed to be used.

# github.com/zegl/kube-score/renderer/sarif
renderer/sarif/sarif.go:15: undefined: sarif.Results
renderer/sarif/sarif.go:16: undefined: sarif.Rules
renderer/sarif/sarif.go:25: undefined: sarif.Rules
renderer/sarif/sarif.go:50: undefined: sarif.Results
renderer/sarif/sarif.go:79: undefined: sarif.Driver
renderer/sarif/sarif.go:86: undefined: sarif.Sarif
atombrella commented 2 years ago

Yes. I'll have a look during the weekend to fix it. I've been a bit too occupied the last few days to fix everything, and should have waited to open the PR.

zegl commented 2 years ago

Ah, ok, no worries! :-D

atombrella commented 2 years ago

I have something working locally :tada:. https://sarifweb.azurewebsites.net/Validation complains that the output doesn't contain the version property. Is this available somehow? Note the addition of the URL for the tool :+1:

https://gist.github.com/atombrella/8371135f661e48b465d666a01801a31d is the generated output. I used

./kube-score score --output-format=sarif score/testdata/pod-probes-all-missing.yaml > errors.sarif

Looking at this, it'd be nice to include some tests for the generated output, but perhaps it's a bit out of scope for this PR. It also looks a bit funky with the line numbers, which appear to always be 1.
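The validator's complaint about the missing version property comes down to a required top-level field of a SARIF 2.1.0 log, and the "always 1" line numbers live in the startLine of each result's physicalLocation region. The following Go program is an added example, not kube-score's code and not the go-sarif library: it hand-writes a minimal subset of the SARIF 2.1.0 structures with the standard library only, sets version and $schema up front, emits one constructed finding modelled on the pod-probes output above (rule id and message text are made up), and runs a small check for the two things discussed in this comment. Type names, the rule id, and the Validate function are hypothetical. In go-sarif, constructing the report with sarif.New(sarif.Version210) is what I recall populates the version for you; treat that as an assumption to verify against the library.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Minimal subset of the SARIF 2.1.0 log format, written for this example
// (hypothetical names; not kube-score's structs and not go-sarif's).
type Log struct {
	Schema  string `json:"$schema"`
	Version string `json:"version"` // required; the validator rejects a log without it
	Runs    []Run  `json:"runs"`
}
type Run struct {
	Tool    Tool     `json:"tool"`
	Results []Result `json:"results"`
}
type Tool struct {
	Driver Driver `json:"driver"`
}
type Driver struct {
	Name           string `json:"name"`
	InformationURI string `json:"informationUri,omitempty"`
	Rules          []Rule `json:"rules"`
}
type Rule struct {
	ID               string  `json:"id"`
	ShortDescription Message `json:"shortDescription"`
}
type Message struct {
	Text string `json:"text"`
}
type Result struct {
	RuleID    string     `json:"ruleId"`
	Level     string     `json:"level"`
	Message   Message    `json:"message"`
	Locations []Location `json:"locations"`
}
type Location struct {
	PhysicalLocation PhysicalLocation `json:"physicalLocation"`
}
type PhysicalLocation struct {
	ArtifactLocation ArtifactLocation `json:"artifactLocation"`
	Region           Region           `json:"region"`
}
type ArtifactLocation struct {
	URI string `json:"uri"`
}
type Region struct {
	StartLine int `json:"startLine"` // SARIF line numbers are 1-based
}

// NewLog sets version and $schema at construction time so a renderer
// cannot forget them when it fills in the runs later.
func NewLog() *Log {
	return &Log{Schema: "https://json.schemastore.org/sarif-2.1.0.json", Version: "2.1.0"}
}

// BuildExample renders one constructed finding for the test file named in
// this thread; the rule id and message are invented for the example.
func BuildExample() ([]byte, error) {
	l := NewLog()
	run := Run{Tool: Tool{Driver: Driver{
		Name:           "kube-score",
		InformationURI: "https://kube-score.com",
		Rules:          []Rule{{ID: "pod-probes", ShortDescription: Message{Text: "Pod Probes"}}},
	}}}
	run.Results = append(run.Results, Result{
		RuleID:  "pod-probes",
		Level:   "error",
		Message: Message{Text: "Container is missing a readinessProbe"},
		Locations: []Location{{PhysicalLocation: PhysicalLocation{
			ArtifactLocation: ArtifactLocation{URI: "score/testdata/pod-probes-all-missing.yaml"},
			Region:           Region{StartLine: 1},
		}}},
	})
	l.Runs = append(l.Runs, run)
	return json.MarshalIndent(l, "", "  ")
}

// Validate is a hypothetical check for the two points raised in the thread:
// the version property must be present, and every region must carry a real
// (1-based) line number rather than a zero value.
func Validate(raw []byte) error {
	var l Log
	if err := json.Unmarshal(raw, &l); err != nil {
		return err
	}
	if l.Version == "" {
		return errors.New("missing required property: version")
	}
	for _, r := range l.Runs {
		for _, res := range r.Results {
			for _, loc := range res.Locations {
				if sl := loc.PhysicalLocation.Region.StartLine; sl < 1 {
					return fmt.Errorf("result %s: startLine must be >= 1, got %d", res.RuleID, sl)
				}
			}
		}
	}
	return nil
}

func main() {
	raw, err := BuildExample()
	if err != nil {
		panic(err)
	}
	fmt.Println(string(raw))
	fmt.Println("validate:", Validate(raw))
}
```

Running the program prints the SARIF JSON and "validate: <nil>"; feeding the same Validate a document without version, or with a startLine of 0, returns an error, which is the kind of assertion a unit test for the renderer's output could make.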

atombrella commented 2 years ago

@zegl Do you have time to give some feedback? There's an unanswered question for v.FileLocation.Line. Tests can be added if needed.

Regarding bors, I think it'd be nice to add use_squash_merge = true to the config file to avoid loads of intermediate commits for this work. I can also squash before you merge.