This repository has been archived by the owner on Sep 6, 2021. It is now read-only.

[New feature] Add more info links to the output #17

Closed
MVrachev opened this issue Mar 22, 2019 · 5 comments

MVrachev commented Mar 22, 2019

It will be really useful to have "more info about the issue" field in the output.

Maybe you don't want to overwhelm the default human-readable output of TSLint but maybe you can add this into the JSON output?

I see that the JSON output provides a lot of information, so "more info" information would be really cool.

You already have good documentation about every rule so it won't be hard to do.

PS: I have seen a few linters that do that - Bandit for Python is one example and I am helping with the Gosec for golang to do just that.

webschik (Owner) commented Apr 13, 2019

MVrachev (Author) commented

I don't see the "descriptionDetails" property or "description" property.
What I get in normal output is:
[image]

I thought that I would have this in the JSON output but I don't:

[  
   {  
      "endPosition":{  
         "character":40,
         "line":11,
         "position":307
      },
      "failure":"eval with argument of type BinaryExpression",
      "name":"test/fixtures/typescript/vulnerable.js",
      "ruleName":"tsr-detect-eval-with-expression",
      "ruleSeverity":"ERROR",
      "startPosition":{  
         "character":9,
         "line":11,
         "position":276
      }
   },
   {  
      "endPosition":{  
         "character":11,
         "line":17,
         "position":465
      },
      "failure":"Found fs.open with non-literal argument at index 0",
      "name":"test/fixtures/typescript/vulnerable.js",
      "ruleName":"tsr-detect-non-literal-fs-filename",
      "ruleSeverity":"ERROR",
      "startPosition":{  
         "character":4,
         "line":17,
         "position":458
      }
   },
   {  
      "endPosition":{  
         "character":58,
         "line":5,
         "position":172
      },
      "failure":"Found possible SQL injection",
      "name":"test/fixtures/typescript/vulnerable.js",
      "ruleName":"tsr-detect-sql-literal-injection",
      "ruleSeverity":"ERROR",
      "startPosition":{  
         "character":16,
         "line":5,
         "position":130
      }
   }
]

Where do I access and see that data?

webschik (Owner) commented Apr 15, 2019

Hi @MVrachev,

My mistake, metadata property is used only to generate documentation - https://palantir.github.io/tslint/develop/docs/

To the JSON output https://palantir.github.io/tslint/formatters/json/ I can pass only a failure string or the fix object (TSLint API)

MVrachev (Author) commented Apr 15, 2019

So, that means that still, we can't access the "descriptionDetails" property from the command line?

One solution I think will be to pass "descriptionDetails" string into the failure string.

webschik (Owner) commented

Yes

mergify bot pushed a commit to securesauce/precaution-beta that referenced this issue Apr 26, 2019
Because TSLint doesn't provide us with reference links and doesn't have
an API for such metadata as explained by the developer of
tslint-config-security: webschik/tslint-config-security#17

All rules are documented as part of the README for
tslint-config-security on GitHub, therefore we can use this
documentation to provide reference links.

When we have documentation of JavaScript/TypeScript issues, we
will educate our users on how to prevent future mistakes again.

Signed-off-by: Martin Vrachev <[email protected]>
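
The approach the commit message above describes, linking each finding to its rule's section of the README, sketched as an added example (not code from tslint-config-security or precaution-beta). The `moreInfo` field name, the base URL and the `#<ruleName>` anchor scheme are assumptions.

```javascript
// Added example: attach a documentation link to each failure in TSLint JSON output.
// Assumptions: DOCS_BASE, the "#<ruleName>" anchor scheme and the "moreInfo" field name.
const DOCS_BASE = 'https://github.com/webschik/tslint-config-security';

// Build a link only for names shaped like this rule set's rules ("tsr-...").
// The name ends up inside a URL, so anything but lower-case words joined by
// dashes is rejected rather than escaped.
function moreInfoUrl(ruleName) {
  if (typeof ruleName !== 'string') return null;
  if (!/^tsr-[a-z0-9]+(-[a-z0-9]+)*$/.test(ruleName)) return null;
  return `${DOCS_BASE}#${ruleName}`;
}

// Takes the text printed by the JSON formatter and returns new failure objects.
function addMoreInfo(jsonText) {
  let failures;
  try {
    failures = JSON.parse(jsonText);
  } catch (err) {
    throw new Error(`linter output is not valid JSON: ${err.message}`);
  }
  if (!Array.isArray(failures)) {
    throw new Error('expected a JSON array of failures');
  }
  return failures.map((f) => {
    const url = f && moreInfoUrl(f.ruleName);
    // Copy instead of mutating; failures from other rule sets get no link.
    return url ? { ...f, moreInfo: url } : { ...f };
  });
}

// Constructed sample: two entries trimmed from the output quoted in this thread,
// one core TSLint rule, and one malformed rule name.
const SAMPLE = JSON.stringify([
  { failure: 'eval with argument of type BinaryExpression',
    name: 'test/fixtures/typescript/vulnerable.js',
    ruleName: 'tsr-detect-eval-with-expression', ruleSeverity: 'ERROR' },
  { failure: 'Found possible SQL injection',
    name: 'test/fixtures/typescript/vulnerable.js',
    ruleName: 'tsr-detect-sql-literal-injection', ruleSeverity: 'ERROR' },
  { failure: 'Calls to console.log are not allowed.',
    name: 'src/app.ts', ruleName: 'no-console', ruleSeverity: 'WARNING' },
  { failure: 'constructed malformed entry',
    name: 'src/app.ts', ruleName: 'tsr-"><img src=x>', ruleSeverity: 'ERROR' },
]);

for (const f of addMoreInfo(SAMPLE)) {
  console.log(`${f.ruleSeverity} ${f.ruleName}: ${f.failure}` +
    (f.moreInfo ? `\n  more info: ${f.moreInfo}` : ''));
}
```
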