Fix for #32

gretard · gr · commit 3121113a1e4b · 2023-12-08T20:31:14.000+02:00
diff --git a/src/sonar-sql-plugin/pom.xml b/src/sonar-sql-plugin/pom.xml
@@ -1,4 +1,6 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<groupId>org.sonar.plugins</groupId>
@@ -70,6 +72,14 @@
 			<version>4.13.2</version>
 			<scope>test</scope>
 		</dependency>
+		<!-- https://mvnrepository.com/artifact/org.assertj/assertj-core -->
+		<dependency>
+			<groupId>org.assertj</groupId>
+			<artifactId>assertj-core</artifactId>
+			<version>3.24.2</version>
+			<scope>test</scope>
+		</dependency>
+
 		<dependency>
 			<groupId>commons-cli</groupId>
 			<artifactId>commons-cli</artifactId>
@@ -110,10 +120,12 @@
 				<artifactId>spotless-maven-plugin</artifactId>
 				<version>2.27.1</version>
 				<configuration>
-					<!-- optional: limit format enforcement to just the files changed by this feature branch -->
+					<!-- optional: limit format enforcement to just the files
+					changed by this feature branch -->
 
 					<formats>
-						<!-- you can define as many formats as you want, each is independent -->
+						<!-- you can define as many formats as you want, each is
+						independent -->
 						<format>
 							<!-- define the files to apply to -->
 							<includes>
@@ -132,9 +144,11 @@
 					</formats>
 					<!-- define a language-specific format -->
 					<java>
-						<!-- no need to specify files, inferred automatically, but you can if you want -->
+						<!-- no need to specify files, inferred automatically,
+						but you can if you want -->
 
-						<!-- apply a specific flavor of google-java-format and reflow long strings -->
+						<!-- apply a specific flavor of google-java-format and
+						reflow long strings -->
 						<googleJavaFormat>
 							<style>AOSP</style>
 							<reflowLongStrings>true</reflowLongStrings>
diff --git a/src/sonar-sql-plugin/src/main/java/org/sonar/plugins/sql/sensors/sqlcheck/SQLCheckIssuesReader.java b/src/sonar-sql-plugin/src/main/java/org/sonar/plugins/sql/sensors/sqlcheck/SQLCheckIssuesReader.java
@@ -3,7 +3,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.nio.file.Files;
-import java.util.List;
+import java.util.regex.Pattern;
 
 import org.sonar.api.utils.log.Logger;
 import org.sonar.api.utils.log.Loggers;
@@ -12,87 +12,56 @@
 import org.sonar.plugins.sql.issues.SqlIssuesList;
 
 public class SQLCheckIssuesReader {
-    private static final Logger LOGGER = Loggers.get(SQLCheckIssuesReader.class);
+	private static final Logger LOGGER = Loggers.get(SQLCheckIssuesReader.class);
 
-    public SqlIssuesList read(String inputFile, File file) throws IOException {
-        SqlIssuesList list = new SqlIssuesList();
-        List<String> lines = Files.readAllLines(file.toPath());
+	private static final Pattern issueDescriptionPattern = Pattern.compile("●\\s+(.*):?\\r?\\n([^●]+)");
+	private static final Pattern riskPattern = Pattern.compile("\\[([^\\]]+)\\]:\\s+(\\(.+\\))\\s+(\\(.+\\))\\s+(.+)");
 
-        for (int i = 0; i < lines.size(); i++) {
-            String line = lines.get(i);
-            if (!line.startsWith("SQL Statement: ")) {
-                continue;
-            }
-            String severityDescription = lines.get(i + 1).trim();
-            for (int j = i + 2; j < lines.size(); j++) {
-                String issueName = lines.get(j).trim();
-                ;
-                if (issueName.isEmpty()) {
-                    continue;
-                }
+	public SqlIssuesList read(String inputFile, File file) throws IOException {
+		var list = new SqlIssuesList();
+		try {
+			var txt = Files.readString(file.toPath());
+			var matcher = riskPattern.matcher(txt);
 
-                if (lines.get(j).startsWith("------") || lines.get(j).startsWith("SQL Statement")) {
-                    break;
-                }
-                if (issueName.startsWith("● ")) {
-                    try {
-                        StringBuilder descriptionSb = new StringBuilder();
-                        for (int z = j + 1; z < lines.size(); z++) {
-                            String tempLine = lines.get(z).trim();
-                            if (tempLine.startsWith("● ") || tempLine.isEmpty()
-                                    || tempLine.startsWith("SQL Statement")) {
-                                break;
-                            }
-                            if (tempLine.equalsIgnoreCase("Problems:")) {
-                                continue;
-                            }
+			var matchResults = matcher.results().toList();
+			for (int i = 0; i < matchResults.size(); i++) {
 
-                            descriptionSb.append(tempLine);
-                        }
-                        if (descriptionSb.length() == 0 || severityDescription.isEmpty() || issueName.isEmpty()) {
-                            continue;
-                        }
-                        SqlIssue issue = new SqlIssue();
-                        issue.description = descriptionSb.toString().trim();
-                        issue.fileName = inputFile;
-                        issue.severity = extractSeverity(severityDescription);
-                        issue.message = extractMessage(severityDescription);
-                        issue.name = extractName(issueName);
-                        issue.repo = Constants.SQL_SQLCHECK_ENGINEID;
-                        issue.isAdhoc = true;
-                        issue.isExternal = true;
-                        issue.key = extractName(issueName);
-                        list.addIssue(issue);
-                    } catch (Exception e) {
-                        LOGGER.info("Unexpected error reading: {}. Exception was: {}", line, e);
-                    }
-                }
+				var matchResult = matchResults.get(i);
 
-            }
+				var risk = matchResult.group(2).replace("(", "").replace(")", "");
+				var patternName = matchResult.group(4);
 
-        }
+				var startIndex = matchResult.end();
+				var endIndex = i == matchResults.size() - 1 ? txt.length() : matchResults.get(i + 1).start();
 
-        return list;
-    }
+				var descriptionSearchString = txt.substring(startIndex, endIndex);
+				var descriptionsMatcher = issueDescriptionPattern.matcher(descriptionSearchString);
+				descriptionsMatcher.results().forEach(dm -> {
 
-    private String extractName(String issueName) {
-        return issueName.replace("● ", "");
-    }
+					var problem = dm.group(1).trim();
+					if (problem.endsWith(":")) {
+						problem = problem.substring(0, problem.length() - 1);
+					}
 
-    private String extractMessage(String severityDescription) {
-        String[] data = severityDescription.split("\\)", 3);
-        if (data.length < 3) {
-            return "Unknown";
-        }
-        return data[2].trim();
-    }
+					var description = dm.group(2).trim().split("==================== Summary ===================")[0];
+
+					var issue = new SqlIssue();
+					issue.description = description;
+					issue.fileName = inputFile;
+					issue.severity = risk;
+					issue.message = String.format("[%s] %s", patternName, problem);
+					issue.name = String.format("[%s] %s", patternName, problem);
+					issue.repo = Constants.SQL_SQLCHECK_ENGINEID;
+					issue.isAdhoc = true;
+					issue.isExternal = true;
+					issue.key = String.format("[%s] %s", patternName, problem);
+					list.addIssue(issue);
+				});
+			}
+		} catch (Exception e) {
+			LOGGER.warn("Unexpected error parsing file", e);
+		}
+		return list;
+	}
 
-    private String extractSeverity(String severityDescription) {
-        String[] data = severityDescription.split("\\(", 3);
-        if (data.length < 3) {
-            return "HIGH RISK";
-        }
-        String severity = data[1].replace("(", "").replace(")", "").trim();
-        return severity;
-    }
 }
diff --git a/src/sonar-sql-plugin/src/test/java/org/sonar/plugins/sql/sensors/sqlcheck/SQLCheckIssuesReaderTest.java b/src/sonar-sql-plugin/src/test/java/org/sonar/plugins/sql/sensors/sqlcheck/SQLCheckIssuesReaderTest.java
@@ -1,34 +1,85 @@
 package org.sonar.plugins.sql.sensors.sqlcheck;
 
+import static org.assertj.core.api.Assertions.assertThat;
+
 import java.io.File;
 import java.io.IOException;
 
 import org.apache.commons.io.FileUtils;
-import org.junit.Assert;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.TemporaryFolder;
 import org.sonar.api.impl.utils.JUnitTempFolder;
-import org.sonar.plugins.sql.issues.SqlIssuesList;
+import org.sonar.plugins.sql.issues.SqlIssue;
 
 public class SQLCheckIssuesReaderTest {
-    @Rule
-    public TemporaryFolder folder = new TemporaryFolder();
+	@Rule
+	public TemporaryFolder folder = new TemporaryFolder();
+
+	@org.junit.Rule
+	public JUnitTempFolder temp = new org.sonar.api.impl.utils.JUnitTempFolder();
+	private final SQLCheckIssuesReader sut = new SQLCheckIssuesReader();
+
+	@Test
+	public void testSqlCheckResultsParsingPriorV1_3() throws IOException {
+
+		File baseFile = folder.newFile("results.txt");
+		FileUtils.copyURLToFile(getClass().getResource("/external/sqlcheck.txt"), baseFile);
+
+		var results = sut.read("sqlCheckv1_2.sql", baseFile).getaLLIssues();
+
+		var expected = getExpectedIssueImplicitColumnUsage();
+
+		assertThat(results).hasSize(4).filteredOn(x -> x.key, expected.key).element(0).usingRecursiveComparison()
+				.ignoringFields("description").isEqualTo(expected);
+
+	}
+
+	@Test
+	public void testSqlCheckResultsParsingV1_3() throws IOException {
+
+		File baseFile = folder.newFile("results.txt");
+		FileUtils.copyURLToFile(getClass().getResource("/external/sqlCheck1.3.txt"), baseFile);
+
+		var results = sut.read("sqlCheckv1_3.sql", baseFile).getaLLIssues();
 
-    @org.junit.Rule
-    public JUnitTempFolder temp = new org.sonar.api.impl.utils.JUnitTempFolder();
+		var expected = getExpectedIssueForSelectStar();
+		assertThat(results).hasSize(4).filteredOn(x -> x.key, expected.key).element(0).usingRecursiveComparison()
+				.ignoringFields("description").isEqualTo(expected);
 
-    @Test
-    public void test() throws IOException {
+	}
 
-        File baseFile = folder.newFile("results.txt");
-        FileUtils.copyURLToFile(getClass().getResource("/external/sqlcheck.txt"), baseFile);
+	private static SqlIssue getExpectedIssueImplicitColumnUsage() {
+		var issue = new SqlIssue();
+		issue.fileName = "sqlCheckv1_2.sql";
+		issue.isAdhoc = true;
+		issue.repo = "sqlcheck";
+		issue.name = "[Implicit Column Usage] Explicitly name columns";
+		issue.key = "[Implicit Column Usage] Explicitly name columns";
+		issue.message = "[Implicit Column Usage] Explicitly name columns";
+		issue.severity = "LOW RISK";
+		issue.description = "Although using wildcards and unnamed columns satisfies the goal of less typing,this habit creates several hazards. This can break application refactoring andcan harm performance. Always spell out all the columns you need, instead ofrelying on wild-cards or implicit column lists.[Matching Expression: insert into test values]";
+		return issue;
 
-        SQLCheckIssuesReader sut = new SQLCheckIssuesReader();
-        SqlIssuesList results = sut.read("-", baseFile);
+	}
 
-        Assert.assertEquals(4, results.getaLLIssues().size());
+	private static SqlIssue getExpectedIssueForSelectStar() {
+		var issue = new SqlIssue();
+		issue.fileName = "sqlCheckv1_3.sql";
+		issue.isAdhoc = true;
+		issue.repo = "sqlcheck";
+		issue.name = "[SELECT *] Inefficiency in moving data to the consumer";
+		issue.key = "[SELECT *] Inefficiency in moving data to the consumer";
+		issue.message = "[SELECT *] Inefficiency in moving data to the consumer";
+		issue.severity = "HIGH RISK";
+		issue.description = "When you SELECT *, you're often retrieving more columns from the database than\r\n"
+				+ "your application really needs to function. This causes more data to move from\r\n"
+				+ "the database server to the client, slowing access and increasing load on your\r\n"
+				+ "machines, as well as taking more time to travel across the network. This is\r\n"
+				+ "especially true when someone adds new columns to underlying tables that didn't\r\n"
+				+ "exist and weren't needed when the original consumers coded their data access.";
+		return issue;
 
-    }
+	}
 
 }
diff --git a/src/sonar-sql-plugin/src/test/resources/external/sqlCheck1.3.txt b/src/sonar-sql-plugin/src/test/resources/external/sqlCheck1.3.txt
@@ -0,0 +1,84 @@
++-------------------------------------------------+
+|                   SQLCHECK                      |
++-------------------------------------------------+
+> RISK LEVEL    :: ALL ANTI-PATTERNS
+> SQL FILE NAME :: top_mutexes.sql
+> COLOR MODE    :: DISABLED
+> VERBOSE MODE  :: ENABLED
+> DELIMITER     :: ;
+-------------------------------------------------
+==================== Results ===================
+
+-------------------------------------------------
+SQL Statement at line 1: with top_mutexes as ( select--+ leading(t1 s1 v1 v2 t2 s2) use_hash(s1)
+use_nl(v1) use_hash(s2) materialize t1.hsecs ,s1.* ,s2.sleeps as end_sleeps
+,s2.wait_time as end_wait_time ,s2.sleeps-s1.sleeps as delta_sleeps ,t2.hsecs -
+t1.hsecs as delta_hsecs --,s2.* from v$timer t1 ,v$mutex_sleep s1 ,(select/*+
+no_merge */ sum(level) a from dual connect by level<=1e6) v1 ,v$timer t2
+,v$mutex_sleep s2 where s1.mutex_type=s2.mutex_type and s1.location=s2.location
+) select * from top_mutexes order by delta_sleeps desc;
+[top_mutexes.sql]: (HIGH RISK) (QUERY ANTI-PATTERN) SELECT *
+● Inefficiency in moving data to the consumer:
+When you SELECT *, you're often retrieving more columns from the database than
+your application really needs to function. This causes more data to move from
+the database server to the client, slowing access and increasing load on your
+machines, as well as taking more time to travel across the network. This is
+especially true when someone adds new columns to underlying tables that didn't
+exist and weren't needed when the original consumers coded their data access.
+
+
+● Indexing issues:
+Consider a scenario where you want to tune a query to a high level of
+performance. If you were to use *, and it returned more columns than you
+actually needed, the server would often have to perform more expensive methods
+to retrieve your data than it otherwise might. For example, you wouldn't be able
+to create an index which simply covered the columns in your SELECT list, and
+even if you did (including all columns [shudder]), the next guy who came around
+and added a column to the underlying table would cause the optimizer to ignore
+your optimized covering index, and you'd likely find that the performance of
+your query would drop substantially for no readily apparent reason.
+
+● Binding
+Problems:
+When you SELECT *, it's possible to retrieve two columns of the same name from
+two different tables. This can often crash your data consumer. Imagine a query
+that joins two tables, both of which contain a column called "ID". How would a
+consumer know which was which? SELECT * can also confuse views (at least in some
+versions SQL Server) when underlying table structures change -- the view is not
+rebuilt, and the data which comes back can be nonsense. And the worst part of it
+is that you can take care to name your columns whatever you want, but the next
+guy who comes along might have no way of knowing that he has to worry about
+adding a column which will collide with your already-developed names.
+[Matching Expression: select * at line 18]
+
+[top_mutexes.sql]: (LOW RISK) (QUERY ANTI-PATTERN) Spaghetti Query Alert
+● Split up a complex spaghetti query into several simpler queries:
+SQL is a very expressive language—you can accomplish a lot in a single query
+or statement. But that doesn't mean it's mandatory or even a good idea to
+approach every task with the assumption it has to be done in one line of code.
+One common unintended consequence of producing all your results in one query is
+a Cartesian product. This happens when two of the tables in the query have no
+condition restricting their relationship. Without such a restriction, the join
+of two tables pairs each row in the first table to every row in the other table.
+Each such pairing becomes a row of the result set, and you end up with many more
+rows than you expect. It's important to consider that these queries are simply
+hard to write, hard to modify, and hard to debug. You should expect to get
+regular requests for incremental enhancements to your database applications.
+Managers want more complex reports and more fields in a user interface. If you
+design intricate, monolithic SQL queries, it's more costly and time-consuming to
+make enhancements to them. Your time is worth something, both to you and to your
+project. Split up a complex spaghetti query into several simpler queries. When
+you split up a complex SQL query, the result may be many similar queries,
+perhaps varying slightly depending on data values. Writing these queries is a
+chore, so it's a good application of SQL code generation. Although SQL makes it
+seem possible to solve a complex problem in a single line of code, don't be
+tempted to build a house of cards.
+[Matching Expression: c at lines 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 3, 3, 3, 3, 3, 3, 3, 3, 3, 4, 4, 4, 4, 4, 4, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 9, 9, 9, 9, 9, 9, 9, 9, 9, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 17, 18, 18, 18, 18, 18, 18, 18, 18, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20]
+
+
+==================== Summary ===================
+All Anti-Patterns and Hints  :: 2
+>  High Risk   :: 1
+>  Medium Risk :: 0
+>  Low Risk    :: 1
+>  Hints       :: 0
