Specify error code #573

Merged
merged 4 commits into from
Dec 11, 2024
Merged
25 changes: 15 additions & 10 deletions crates/bins/src/bin/datadog-static-analyzer-git-hook.rs
@@ -1,6 +1,11 @@
use anyhow::{Context, Result};
use cli::config_file::get_config;
use cli::constants::{DEFAULT_MAX_CPUS, DEFAULT_MAX_FILE_SIZE_KB};
use cli::constants::{
DEFAULT_MAX_CPUS, DEFAULT_MAX_FILE_SIZE_KB, EXIT_CODE_GITHOOK_FAILED,
EXIT_CODE_INVALID_CONFIGURATION, EXIT_CODE_INVALID_DIRECTORY, EXIT_CODE_NO_DIRECTORY,
EXIT_CODE_NO_SECRET_OR_STATIC_ANALYSIS, EXIT_CODE_RULE_CHECKSUM_INVALID,
EXIT_CODE_SHA_OR_DEFAULT_BRANCH,
};
use cli::datadog_utils::{get_all_default_rulesets, get_rules_from_rulesets, get_secrets_rules};
use cli::file_utils::{
filter_files_by_size, filter_files_for_language, get_files, read_files_from_gitignore,
@@ -211,21 +216,21 @@ fn main() -> Result<()> {
if directory_to_analyze_option.is_none() {
eprintln!("no directory passed, specify a directory with option -i");
print_usage(&program, opts);
exit(1)
exit(EXIT_CODE_NO_DIRECTORY)
}

let directory_to_analyze = directory_to_analyze_option.unwrap();
let directory_path = std::path::Path::new(&directory_to_analyze);

if !directory_path.is_dir() {
eprintln!("directory to analyze is not correct");
exit(1)
exit(EXIT_CODE_INVALID_DIRECTORY)
}

if !static_analysis_enabled && !secrets_enabled {
eprintln!("either --static-analysis or --secrets should be specified");
print_usage(&program, opts);
exit(1)
exit(EXIT_CODE_NO_SECRET_OR_STATIC_ANALYSIS)
}

let configuration_file_and_method = get_config(directory_to_analyze.as_str(), use_debug);
@@ -241,7 +246,7 @@ fn main() -> Result<()> {
"Error reading configuration file from {}:\n {}",
directory_to_analyze, err
);
exit(1)
exit(EXIT_CODE_INVALID_CONFIGURATION)
}
};
let mut rules: Vec<Rule> = Vec::new();
@@ -356,7 +361,7 @@ fn main() -> Result<()> {
if should_verify_checksum {
if let Err(e) = check_rules_checksum(configuration.rules.as_slice()) {
eprintln!("error when checking rules checksum: {e}");
exit(1)
exit(EXIT_CODE_RULE_CHECKSUM_INVALID)
}
}

@@ -379,7 +384,7 @@ fn main() -> Result<()> {
eprintln!(
"incompatible options: cannot use --sha-start --sha-end and --default-branch"
);
exit(1);
exit(EXIT_CODE_SHA_OR_DEFAULT_BRANCH);
}
// user specified the default branch
(Some(default_branch), None, None) => {
@@ -396,7 +401,7 @@ fn main() -> Result<()> {
eprintln!(
"Cannot find the default branch, use --default-branch to force the default branch"
);
exit(1);
exit(EXIT_CODE_SHA_OR_DEFAULT_BRANCH);
});

if configuration.use_debug {
@@ -631,10 +636,10 @@ fn main() -> Result<()> {
if user_override() {
exit(0)
} else {
exit(1)
exit(EXIT_CODE_GITHOOK_FAILED)
}
} else {
exit(1)
exit(EXIT_CODE_GITHOOK_FAILED)
}
}
exit(0)
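Review bot: `EXIT_CODE_SHA_OR_DEFAULT_BRANCH` is now returned for two different failures — the incompatible `--sha-start`/`--sha-end`/`--default-branch` combination at `exit(EXIT_CODE_SHA_OR_DEFAULT_BRANCH);` in the `@@ -379` hunk, and the "Cannot find the default branch" case in the `@@ -396` hunk — so a wrapper script cannot tell a bad invocation from a repository whose default branch could not be detected. If callers need that distinction, the second site would want its own constant (a new one added in constants.rs, say `EXIT_CODE_DEFAULT_BRANCH_NOT_FOUND`); if sharing is intentional, a one-line comment at that site such as `// same exit code as the incompatible-options case above: both mean the branch/sha selection could not be resolved` would stop the next reader from "fixing" it. The second site appears to sit inside a closure (it is followed by `});`), and the body of `main` begins and ends outside these hunks.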
23 changes: 14 additions & 9 deletions crates/bins/src/bin/datadog-static-analyzer.rs
@@ -12,7 +12,12 @@ use std::time::{Duration, Instant, SystemTime};
use std::{env, fs};

use cli::config_file::get_config;
use cli::constants::{DEFAULT_MAX_CPUS, DEFAULT_MAX_FILE_SIZE_KB};
use cli::constants::{
DEFAULT_MAX_CPUS, DEFAULT_MAX_FILE_SIZE_KB, EXIT_CODE_FAIL_ON_VIOLATION,
EXIT_CODE_INVALID_CONFIGURATION, EXIT_CODE_INVALID_DIRECTORY, EXIT_CODE_NO_DIRECTORY,
EXIT_CODE_NO_OUTPUT, EXIT_CODE_RULE_CHECKSUM_INVALID, EXIT_CODE_RULE_FILE_WITH_CONFIGURATION,
EXIT_CODE_UNSAFE_SUBDIRECTORIES,
};
use cli::csv;
use cli::datadog_utils::{
get_all_default_rulesets, get_diff_aware_information, get_rules_from_rulesets,
@@ -163,7 +168,7 @@ fn main() -> Result<()> {
if !matches.opt_present("o") {
eprintln!("output file not specified");
print_usage(&program, opts);
exit(1);
exit(EXIT_CODE_NO_OUTPUT);
}

let should_verify_checksum = !matches.opt_present("b");
@@ -215,20 +220,20 @@ fn main() -> Result<()> {
if directory_to_analyze_option.is_none() {
eprintln!("no directory passed, specify a directory with option -i");
print_usage(&program, opts);
exit(1)
exit(EXIT_CODE_NO_DIRECTORY)
}

let directory_to_analyze = directory_to_analyze_option.unwrap();
let directory_path = std::path::Path::new(&directory_to_analyze);

if !directory_path.is_dir() {
eprintln!("directory to analyze is not correct");
exit(1)
exit(EXIT_CODE_INVALID_DIRECTORY)
}

if !are_subdirectories_safe(directory_path, &subdirectories_to_analyze) {
eprintln!("sub-directories are not safe and point outside of the repository");
exit(1)
exit(EXIT_CODE_UNSAFE_SUBDIRECTORIES)
}

let configuration_file_and_method = get_config(directory_to_analyze.as_str(), use_debug);
@@ -244,7 +249,7 @@ fn main() -> Result<()> {
"Error reading configuration file from {}:\n {}",
directory_to_analyze, err
);
exit(1)
exit(EXIT_CODE_INVALID_CONFIGURATION)
}
};

@@ -264,7 +269,7 @@ fn main() -> Result<()> {
ignore_gitignore = conf.ignore_gitignore.unwrap_or(false);
if rules_file.is_some() {
eprintln!("a rule file cannot be specified when a configuration file is present.");
exit(1);
exit(EXIT_CODE_RULE_FILE_WITH_CONFIGURATION);
}

let rulesets = conf.rulesets.keys().cloned().collect_vec();
@@ -395,7 +400,7 @@ fn main() -> Result<()> {
if should_verify_checksum {
if let Err(e) = check_rules_checksum(configuration.rules.as_slice()) {
eprintln!("error when checking rules checksum: {e}");
exit(1)
exit(EXIT_CODE_RULE_CHECKSUM_INVALID)
}
}

@@ -847,7 +852,7 @@ fn main() -> Result<()> {

// if there is any violation at all and --fail-on-any-violation is passed, we exit 1
if fail_on_violations {
exit(1);
exit(EXIT_CODE_FAIL_ON_VIOLATION);
}

Ok(())
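Review bot: The comment above `exit(EXIT_CODE_FAIL_ON_VIOLATION);` in the `@@ -847` hunk is now stale — it still says "we exit 1" while the code exits with `EXIT_CODE_FAIL_ON_VIOLATION` (10 per constants.rs in this PR); suggest `// if there is any violation at all and --fail-on-any-violation is passed, exit with EXIT_CODE_FAIL_ON_VIOLATION`. Since every former `exit(1)` in this binary now yields a different status, CI pipelines that test specifically for status 1 (the pattern the repository's own integration script used) will change behaviour, so this deserves a changelog/README entry listing the new codes; I cannot see from the diff whether such documentation exists. The body of `main` begins and ends outside these hunks.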
15 changes: 15 additions & 0 deletions crates/cli/src/constants.rs

We don't need that many exit statuses; just two: one for "the error is in the data" and another for "the error is in the program". More codes just make it more complicated.


Anything more than 50 is user, lower is specific to the program itself

@@ -12,3 +12,18 @@ pub static DEFAULT_MAX_FILE_SIZE_KB: u64 = 200;
// See https://docs.gitlab.com/ee/ci/variables/predefined_variables.html
pub static GITLAB_ENVIRONMENT_VARIABLE_COMMIT_BRANCH: &str = "CI_COMMIT_BRANCH";
pub static GIT_HEAD: &str = "HEAD";

// application error: greater or equal to 10 and less than 50
pub static EXIT_CODE_FAIL_ON_VIOLATION: i32 = 10;
pub static EXIT_CODE_GITHOOK_FAILED: i32 = 11;
pub static EXIT_CODE_RULE_CHECKSUM_INVALID: i32 = 12;

// user errors, all more than 50
pub static EXIT_CODE_INVALID_CONFIGURATION: i32 = 50;
pub static EXIT_CODE_SHA_OR_DEFAULT_BRANCH: i32 = 51;
pub static EXIT_CODE_NO_SECRET_OR_STATIC_ANALYSIS: i32 = 52;
pub static EXIT_CODE_RULE_FILE_WITH_CONFIGURATION: i32 = 53;
pub static EXIT_CODE_NO_OUTPUT: i32 = 54;
pub static EXIT_CODE_NO_DIRECTORY: i32 = 55;
pub static EXIT_CODE_INVALID_DIRECTORY: i32 = 56;
pub static EXIT_CODE_UNSAFE_SUBDIRECTORIES: i32 = 57;
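Review bot: The range comment `// user errors, all more than 50` contradicts the first value in the group, `EXIT_CODE_INVALID_CONFIGURATION: i32 = 50`; suggest `// user errors: greater or equal to 50` so the boundary matches the code. These constants are the exit-status contract that CI wrappers will script against, so each one would benefit from a `///` doc comment stating the condition that produces it (for example that `EXIT_CODE_FAIL_ON_VIOLATION` and `EXIT_CODE_GITHOOK_FAILED` mean findings were reported rather than that the tool malfunctioned), which rustdoc would then surface. The "application error" header comment could also say that those two codes are expected outcomes of a successful run, since a consumer reading "error" may otherwise treat them as crashes.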
20 changes: 10 additions & 10 deletions misc/integration-git-hooks.sh
@@ -31,10 +31,10 @@ SHA2=$(cd $REPO_DIR && git rev-parse HEAD)
echo "Starting test: secrets should be found using the default branch"

./target/release-dev/datadog-static-analyzer-git-hook --repository "${REPO_DIR}" --secrets --debug yes --default-branch main --output /tmp/git-hook.sarif >/tmp/plop 2>&1

if [ $? -ne 1 ]; then
ret=$?
if [ $ret -ne 11 ]; then
cat /tmp/plop
echo "secrets should have been found"
echo "secrets should have been found - invalid return code (1) - got $ret"
exit 1
fi

@@ -45,7 +45,7 @@ NB_OCCURRENCES=$(grep "secret found on file foobar" /tmp/plop | wc -l)
echo "Found ${NB_OCCURRENCES} secret"
if [ "${NB_OCCURRENCES}" -ne "1" ]; then
cat /tmp/plop
echo "secrets should have been found"
echo "secrets should have been found - invalid number of occurrences (1)"
exit 1
fi

@@ -61,10 +61,10 @@ fi
echo "Starting test: secrets should be found using two sha"

./target/release-dev/datadog-static-analyzer-git-hook --repository "${REPO_DIR}" --secrets --debug yes --sha-start $SHA1 --sha-end $SHA2 >/tmp/plop 2>&1

if [ $? -ne 1 ]; then
ret=$?
if [ $ret -ne 11 ]; then
cat /tmp/plop
echo "secrets should have been found"
echo "secrets should have been found - invalid return code (2) - got $ret"
exit 1
fi

@@ -74,7 +74,7 @@ cat /tmp/plop
NB_OCCURRENCES=$(grep "secret found on file foobar" /tmp/plop | wc -l)
echo "Found ${NB_OCCURRENCES} secret"
if [ "${NB_OCCURRENCES}" -ne "1" ]; then
echo "secrets should have been found"
echo "secrets should have been found - invalid number of occurrences (2)"
cat /tmp/plop
exit 1
fi
@@ -97,7 +97,7 @@ echo "starting analyzer between $SHA2 and $SHA3"

./target/release-dev/datadog-static-analyzer-git-hook --repository "${REPO_DIR}" --static-analysis --secrets --debug yes --sha-start $SHA2 --sha-end $SHA3 >/tmp/plop 2>&1

if [ $? -ne 1 ]; then
if [ $? -ne 11 ]; then
echo "static analysis issues should have been found"
cat /tmp/plop
exit 1
@@ -144,7 +144,7 @@ echo "Starting test: error when not specifying --static-analysis or --secret"

./target/release-dev/datadog-static-analyzer-git-hook --repository "${REPO_DIR}" --debug yes --default-branch mainwefwef >/tmp/plop 2>&1

if [ $? -ne 1 ]; then
if [ $? -ne 52 ]; then
cat /tmp/plop
echo "program should return an error if --static-analysis or --secrets are not passed"
exit 1